From dad1b4623cb5f02d6a608557cfab2ae5d96365f5 Mon Sep 17 00:00:00 2001 
From: gitea-bot Date: Thu, 4 Dec 2025 04:14:55 +0000 Subject: [PATCH] chore: Update manifests after change --- clusters/cl01tl/manifests/actual/actual.yaml | 227 - .../argo-workflows/argo-workflows.yaml | 4999 -- clusters/cl01tl/manifests/argocd/argocd.yaml | 29366 ------ .../audiobookshelf/audiobookshelf.yaml | 471 - .../cl01tl/manifests/authentik/authentik.yaml | 1500 - .../cl01tl/manifests/backrest/backrest.yaml | 289 - clusters/cl01tl/manifests/bazarr/bazarr.yaml | 278 - clusters/cl01tl/manifests/blocky/blocky.yaml | 448 - .../cl01tl/manifests/booklore/booklore.yaml | 946 - .../manifests/cert-manager/cert-manager.yaml | 13844 --- clusters/cl01tl/manifests/cilium/cilium.yaml | 2499 - .../cloudnative-pg/cloudnative-pg.yaml | 20151 ----- .../manifests/code-server/code-server.yaml | 251 - .../cl01tl/manifests/coredns/coredns.yaml | 300 - .../democratic-csi-synology-iscsi.yaml | 720 - .../manifests/descheduler/descheduler.yaml | 247 - .../cl01tl/manifests/directus/directus.yaml | 1136 - .../elastic-operator/elastic-operator.yaml | 11594 --- .../manifests/element-web/element-web.yaml | 258 - .../cl01tl/manifests/ephemera/ephemera.yaml | 360 - clusters/cl01tl/manifests/eraser/eraser.yaml | 608 - .../manifests/external-dns/external-dns.yaml | 518 - .../external-secrets/external-secrets.yaml | 29357 ------ .../cl01tl/manifests/freshrss/freshrss.yaml | 1085 - clusters/cl01tl/manifests/garage/garage.yaml | 430 - clusters/cl01tl/manifests/gatus/gatus.yaml | 1527 - .../generic-device-plugin.yaml | 163 - clusters/cl01tl/manifests/gitea/gitea.yaml | 2446 - .../grafana-operator/grafana-operator.yaml | 10862 --- clusters/cl01tl/manifests/harbor/harbor.yaml | 2660 - .../cl01tl/manifests/headlamp/headlamp.yaml | 308 - .../home-assistant/home-assistant.yaml | 283 - .../manifests/homepage-dev/homepage-dev.yaml | 307 - .../cl01tl/manifests/homepage/homepage.yaml | 1132 - .../cl01tl/manifests/huntarr/huntarr.yaml | 129 - clusters/cl01tl/manifests/immich/immich.yaml | 1025 - 
.../intel-device-plugin.yaml | 2557 - .../cl01tl/manifests/jellyfin/jellyfin.yaml | 326 - .../cl01tl/manifests/jellystat/jellystat.yaml | 861 - .../cl01tl/manifests/karakeep/karakeep.yaml | 712 - clusters/cl01tl/manifests/kiwix/kiwix.yaml | 157 - clusters/cl01tl/manifests/komodo/komodo.yaml | 945 - clusters/cl01tl/manifests/kronic/kronic.yaml | 228 - .../kube-prometheus-stack.yaml | 5728 -- .../kubelet-serving-cert-approver.yaml | 254 - .../kubernetes-cloudflare-ddns.yaml | 96 - .../cl01tl/manifests/libation/libation.yaml | 129 - clusters/cl01tl/manifests/lidarr/lidarr.yaml | 928 - .../cl01tl/manifests/lidatube/lidatube.yaml | 221 - .../cl01tl/manifests/listenarr/listenarr.yaml | 180 - .../local-path-provisioner.yaml | 270 - clusters/cl01tl/manifests/loki/loki.yaml | 1535 - .../mariadb-operator/mariadb-operator.yaml | 16053 ---- .../matrix-synapse/matrix-synapse.yaml | 1996 - .../metrics-server/metrics-server.yaml | 285 - clusters/cl01tl/manifests/n8n/n8n.yaml | 1192 - clusters/cl01tl/manifests/nfs/nfs.yaml | 211 - .../node-feature-discovery.yaml | 1592 - clusters/cl01tl/manifests/ntfy/ntfy.yaml | 195 - clusters/cl01tl/manifests/ollama/ollama.yaml | 1260 - .../manifests/omni-tools/omni-tools.yaml | 100 - .../cl01tl/manifests/outline/outline.yaml | 988 - .../cl01tl/manifests/overseerr/overseerr.yaml | 215 - .../cl01tl/manifests/pgadmin/pgadmin.yaml | 309 - .../cl01tl/manifests/photoview/photoview.yaml | 773 - clusters/cl01tl/manifests/plex/plex.yaml | 190 - clusters/cl01tl/manifests/postiz/postiz.yaml | 1180 - .../prometheus-operator-crds.yaml | 73876 ---------------- .../cl01tl/manifests/prowlarr/prowlarr.yaml | 235 - .../manifests/qbittorrent/qbittorrent.yaml | 1009 - .../cl01tl/manifests/radarr-4k/radarr-4k.yaml | 930 - .../manifests/radarr-anime/radarr-anime.yaml | 928 - .../radarr-standup/radarr-standup.yaml | 928 - clusters/cl01tl/manifests/radarr/radarr.yaml | 930 - .../redis-operator/redis-operator.yaml | 24288 ----- 
.../cl01tl/manifests/reloader/reloader.yaml | 303 - .../cl01tl/manifests/rook-ceph/rook-ceph.yaml | 50315 ----------- .../cl01tl/manifests/roundcube/roundcube.yaml | 1005 - .../manifests/s3-exporter/s3-exporter.yaml | 559 - .../cl01tl/manifests/searxng/searxng.yaml | 435 - .../manifests/shelly-plug/shelly-plug.yaml | 185 - .../site-documentation.yaml | 153 - .../manifests/site-profile/site-profile.yaml | 153 - clusters/cl01tl/manifests/slskd/slskd.yaml | 396 - .../snapshot-controller.yaml | 2478 - .../cl01tl/manifests/sonarr-4k/sonarr-4k.yaml | 928 - .../manifests/sonarr-anime/sonarr-anime.yaml | 928 - clusters/cl01tl/manifests/sonarr/sonarr.yaml | 928 - .../speedtest-exporter.yaml | 103 - clusters/cl01tl/manifests/stack/stack.yaml | 284 - .../cl01tl/manifests/stalwart/stalwart.yaml | 937 - .../tailscale-operator.yaml | 5414 -- clusters/cl01tl/manifests/talos/talos.yaml | 476 - .../cl01tl/manifests/tautulli/tautulli.yaml | 331 - clusters/cl01tl/manifests/tdarr/tdarr.yaml | 658 - .../cl01tl/manifests/traefik/traefik.yaml | 19092 ---- clusters/cl01tl/manifests/trivy/trivy.yaml | 5222 -- .../tubearchivist/tubearchivist.yaml | 441 - .../cl01tl/manifests/unpackerr/unpackerr.yaml | 209 - .../cl01tl/manifests/unpoller/unpoller.yaml | 151 - clusters/cl01tl/manifests/vault/vault.yaml | 1222 - .../manifests/vaultwarden/vaultwarden.yaml | 846 - .../cl01tl/manifests/volsync/volsync.yaml | 10971 --- clusters/cl01tl/manifests/whodb/whodb.yaml | 105 - .../cl01tl/manifests/yamtrack/yamtrack.yaml | 816 - 105 files changed, 393558 deletions(-) delete mode 100644 clusters/cl01tl/manifests/actual/actual.yaml delete mode 100644 clusters/cl01tl/manifests/argo-workflows/argo-workflows.yaml delete mode 100644 clusters/cl01tl/manifests/argocd/argocd.yaml delete mode 100644 clusters/cl01tl/manifests/audiobookshelf/audiobookshelf.yaml delete mode 100644 clusters/cl01tl/manifests/authentik/authentik.yaml delete mode 100644 clusters/cl01tl/manifests/backrest/backrest.yaml delete mode 100644 
clusters/cl01tl/manifests/bazarr/bazarr.yaml delete mode 100644 clusters/cl01tl/manifests/blocky/blocky.yaml delete mode 100644 clusters/cl01tl/manifests/booklore/booklore.yaml delete mode 100644 clusters/cl01tl/manifests/cert-manager/cert-manager.yaml delete mode 100644 clusters/cl01tl/manifests/cilium/cilium.yaml delete mode 100644 clusters/cl01tl/manifests/cloudnative-pg/cloudnative-pg.yaml delete mode 100644 clusters/cl01tl/manifests/code-server/code-server.yaml delete mode 100644 clusters/cl01tl/manifests/coredns/coredns.yaml delete mode 100644 clusters/cl01tl/manifests/democratic-csi-synology-iscsi/democratic-csi-synology-iscsi.yaml delete mode 100644 clusters/cl01tl/manifests/descheduler/descheduler.yaml delete mode 100644 clusters/cl01tl/manifests/directus/directus.yaml delete mode 100644 clusters/cl01tl/manifests/elastic-operator/elastic-operator.yaml delete mode 100644 clusters/cl01tl/manifests/element-web/element-web.yaml delete mode 100644 clusters/cl01tl/manifests/ephemera/ephemera.yaml delete mode 100644 clusters/cl01tl/manifests/eraser/eraser.yaml delete mode 100644 clusters/cl01tl/manifests/external-dns/external-dns.yaml delete mode 100644 clusters/cl01tl/manifests/external-secrets/external-secrets.yaml delete mode 100644 clusters/cl01tl/manifests/freshrss/freshrss.yaml delete mode 100644 clusters/cl01tl/manifests/garage/garage.yaml delete mode 100644 clusters/cl01tl/manifests/gatus/gatus.yaml delete mode 100644 clusters/cl01tl/manifests/generic-device-plugin/generic-device-plugin.yaml delete mode 100644 clusters/cl01tl/manifests/gitea/gitea.yaml delete mode 100644 clusters/cl01tl/manifests/grafana-operator/grafana-operator.yaml delete mode 100644 clusters/cl01tl/manifests/harbor/harbor.yaml delete mode 100644 clusters/cl01tl/manifests/headlamp/headlamp.yaml delete mode 100644 clusters/cl01tl/manifests/home-assistant/home-assistant.yaml delete mode 100644 clusters/cl01tl/manifests/homepage-dev/homepage-dev.yaml delete mode 100644 
clusters/cl01tl/manifests/homepage/homepage.yaml delete mode 100644 clusters/cl01tl/manifests/huntarr/huntarr.yaml delete mode 100644 clusters/cl01tl/manifests/immich/immich.yaml delete mode 100644 clusters/cl01tl/manifests/intel-device-plugin/intel-device-plugin.yaml delete mode 100644 clusters/cl01tl/manifests/jellyfin/jellyfin.yaml delete mode 100644 clusters/cl01tl/manifests/jellystat/jellystat.yaml delete mode 100644 clusters/cl01tl/manifests/karakeep/karakeep.yaml delete mode 100644 clusters/cl01tl/manifests/kiwix/kiwix.yaml delete mode 100644 clusters/cl01tl/manifests/komodo/komodo.yaml delete mode 100644 clusters/cl01tl/manifests/kronic/kronic.yaml delete mode 100644 clusters/cl01tl/manifests/kube-prometheus-stack/kube-prometheus-stack.yaml delete mode 100644 clusters/cl01tl/manifests/kubelet-serving-cert-approver/kubelet-serving-cert-approver.yaml delete mode 100644 clusters/cl01tl/manifests/kubernetes-cloudflare-ddns/kubernetes-cloudflare-ddns.yaml delete mode 100644 clusters/cl01tl/manifests/libation/libation.yaml delete mode 100644 clusters/cl01tl/manifests/lidarr/lidarr.yaml delete mode 100644 clusters/cl01tl/manifests/lidatube/lidatube.yaml delete mode 100644 clusters/cl01tl/manifests/listenarr/listenarr.yaml delete mode 100644 clusters/cl01tl/manifests/local-path-provisioner/local-path-provisioner.yaml delete mode 100644 clusters/cl01tl/manifests/loki/loki.yaml delete mode 100644 clusters/cl01tl/manifests/mariadb-operator/mariadb-operator.yaml delete mode 100644 clusters/cl01tl/manifests/matrix-synapse/matrix-synapse.yaml delete mode 100644 clusters/cl01tl/manifests/metrics-server/metrics-server.yaml delete mode 100644 clusters/cl01tl/manifests/n8n/n8n.yaml delete mode 100644 clusters/cl01tl/manifests/nfs/nfs.yaml delete mode 100644 clusters/cl01tl/manifests/node-feature-discovery/node-feature-discovery.yaml delete mode 100644 clusters/cl01tl/manifests/ntfy/ntfy.yaml delete mode 100644 clusters/cl01tl/manifests/ollama/ollama.yaml delete mode 100644 
clusters/cl01tl/manifests/omni-tools/omni-tools.yaml delete mode 100644 clusters/cl01tl/manifests/outline/outline.yaml delete mode 100644 clusters/cl01tl/manifests/overseerr/overseerr.yaml delete mode 100644 clusters/cl01tl/manifests/pgadmin/pgadmin.yaml delete mode 100644 clusters/cl01tl/manifests/photoview/photoview.yaml delete mode 100644 clusters/cl01tl/manifests/plex/plex.yaml delete mode 100644 clusters/cl01tl/manifests/postiz/postiz.yaml delete mode 100644 clusters/cl01tl/manifests/prometheus-operator-crds/prometheus-operator-crds.yaml delete mode 100644 clusters/cl01tl/manifests/prowlarr/prowlarr.yaml delete mode 100644 clusters/cl01tl/manifests/qbittorrent/qbittorrent.yaml delete mode 100644 clusters/cl01tl/manifests/radarr-4k/radarr-4k.yaml delete mode 100644 clusters/cl01tl/manifests/radarr-anime/radarr-anime.yaml delete mode 100644 clusters/cl01tl/manifests/radarr-standup/radarr-standup.yaml delete mode 100644 clusters/cl01tl/manifests/radarr/radarr.yaml delete mode 100644 clusters/cl01tl/manifests/redis-operator/redis-operator.yaml delete mode 100644 clusters/cl01tl/manifests/reloader/reloader.yaml delete mode 100644 clusters/cl01tl/manifests/rook-ceph/rook-ceph.yaml delete mode 100644 clusters/cl01tl/manifests/roundcube/roundcube.yaml delete mode 100644 clusters/cl01tl/manifests/s3-exporter/s3-exporter.yaml delete mode 100644 clusters/cl01tl/manifests/searxng/searxng.yaml delete mode 100644 clusters/cl01tl/manifests/shelly-plug/shelly-plug.yaml delete mode 100644 clusters/cl01tl/manifests/site-documentation/site-documentation.yaml delete mode 100644 clusters/cl01tl/manifests/site-profile/site-profile.yaml delete mode 100644 clusters/cl01tl/manifests/slskd/slskd.yaml delete mode 100644 clusters/cl01tl/manifests/snapshot-controller/snapshot-controller.yaml delete mode 100644 clusters/cl01tl/manifests/sonarr-4k/sonarr-4k.yaml delete mode 100644 clusters/cl01tl/manifests/sonarr-anime/sonarr-anime.yaml delete mode 100644 
clusters/cl01tl/manifests/sonarr/sonarr.yaml delete mode 100644 clusters/cl01tl/manifests/speedtest-exporter/speedtest-exporter.yaml delete mode 100644 clusters/cl01tl/manifests/stack/stack.yaml delete mode 100644 clusters/cl01tl/manifests/stalwart/stalwart.yaml delete mode 100644 clusters/cl01tl/manifests/tailscale-operator/tailscale-operator.yaml delete mode 100644 clusters/cl01tl/manifests/talos/talos.yaml delete mode 100644 clusters/cl01tl/manifests/tautulli/tautulli.yaml delete mode 100644 clusters/cl01tl/manifests/tdarr/tdarr.yaml delete mode 100644 clusters/cl01tl/manifests/traefik/traefik.yaml delete mode 100644 clusters/cl01tl/manifests/trivy/trivy.yaml delete mode 100644 clusters/cl01tl/manifests/tubearchivist/tubearchivist.yaml delete mode 100644 clusters/cl01tl/manifests/unpackerr/unpackerr.yaml delete mode 100644 clusters/cl01tl/manifests/unpoller/unpoller.yaml delete mode 100644 clusters/cl01tl/manifests/vault/vault.yaml delete mode 100644 clusters/cl01tl/manifests/vaultwarden/vaultwarden.yaml delete mode 100644 clusters/cl01tl/manifests/volsync/volsync.yaml delete mode 100644 clusters/cl01tl/manifests/whodb/whodb.yaml delete mode 100644 clusters/cl01tl/manifests/yamtrack/yamtrack.yaml diff --git a/clusters/cl01tl/manifests/actual/actual.yaml b/clusters/cl01tl/manifests/actual/actual.yaml deleted file mode 100644 index 1473c83ea..000000000 --- a/clusters/cl01tl/manifests/actual/actual.yaml +++ /dev/null 
@@ -1,227 +0,0 @@ ---- -# Source: actual/charts/actual/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: actual-data - labels: - app.kubernetes.io/instance: actual - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: actual - helm.sh/chart: actual-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: actual -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "2Gi" - storageClassName: "ceph-block" ---- -# Source: actual/charts/actual/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: actual - labels: - app.kubernetes.io/instance: actual - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: actual - app.kubernetes.io/service: actual - helm.sh/chart: actual-4.4.0 - namespace: actual -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 5006 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: actual - app.kubernetes.io/name: actual ---- -# Source: actual/charts/actual/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: actual - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: actual - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: actual - helm.sh/chart: actual-4.4.0 - namespace: actual -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: actual - app.kubernetes.io/instance: actual - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: actual - app.kubernetes.io/name: actual - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - image: ghcr.io/actualbudget/actual:25.12.0 - 
imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /usr/bin/env - - bash - - -c - - node src/scripts/health-check.js - failureThreshold: 5 - initialDelaySeconds: 60 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 10 - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /data - name: data - volumes: - - name: data - persistentVolumeClaim: - claimName: actual-data ---- -# Source: actual/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: actual-data-backup-secret - namespace: actual - labels: - app.kubernetes.io/name: actual-data-backup-secret - app.kubernetes.io/instance: actual - app.kubernetes.io/part-of: actual -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/actual/actual-data" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: actual/templates/http-route.yaml -apiVersion: 
gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-actual - namespace: actual - labels: - app.kubernetes.io/name: http-route-actual - app.kubernetes.io/instance: actual - app.kubernetes.io/part-of: actual -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - actual.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: actual - port: 80 - weight: 100 ---- -# Source: actual/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: actual-data-backup-source - namespace: actual - labels: - app.kubernetes.io/name: actual-data-backup-source - app.kubernetes.io/instance: actual - app.kubernetes.io/part-of: actual -spec: - sourcePVC: actual-data - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: actual-data-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot diff --git a/clusters/cl01tl/manifests/argo-workflows/argo-workflows.yaml b/clusters/cl01tl/manifests/argo-workflows/argo-workflows.yaml deleted file mode 100644 index 2dab811e5..000000000 --- a/clusters/cl01tl/manifests/argo-workflows/argo-workflows.yaml +++ /dev/null 
@@ -1,4999 +0,0 @@ ---- -# Source: argo-workflows/charts/argo-events/templates/argo-events-controller/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: argo-workflows-argo-events-controller-manager - namespace: "argo-workflows" - labels: - helm.sh/chart: argo-events-2.4.18 - app.kubernetes.io/name: argo-events-controller-manager - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: controller-manager - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-events ---- -# Source: argo-workflows/charts/argo-events/templates/argo-events-webhook/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: argo-workflows-argo-events-events-webhook - namespace: "argo-workflows" - labels: - helm.sh/chart: argo-events-2.4.18 - app.kubernetes.io/name: argo-events-events-webhook - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: events-webhook - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-events ---- -# Source: argo-workflows/charts/argo-workflows/templates/controller/workflow-controller-sa.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argo-workflows-workflow-controller - namespace: "argo-workflows" - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-workflow-controller - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: workflow-controller - app: workflow-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows ---- -# Source: argo-workflows/charts/argo-workflows/templates/server/server-sa.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argo-workflows-server - namespace: "argo-workflows" - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-server - app.kubernetes.io/instance: argo-workflows - 
app.kubernetes.io/component: server - app: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows ---- -# Source: argo-workflows/charts/argo-events/templates/argo-events-controller/config.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: argo-workflows-argo-events-controller-manager - namespace: "argo-workflows" - labels: - helm.sh/chart: argo-events-2.4.18 - app.kubernetes.io/name: argo-events-controller-manager - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-events -data: - controller-config.yaml: | - eventBus: - nats: - versions: - - version: latest - natsStreamingImage: nats-streaming:latest - metricsExporterImage: natsio/prometheus-nats-exporter:latest - - version: 0.22.1 - natsStreamingImage: nats-streaming:0.22.1 - metricsExporterImage: natsio/prometheus-nats-exporter:0.8.0 - jetstream: - # Default JetStream settings, could be overridden by EventBus JetStream specs - settings: | - # https://docs.nats.io/running-a-nats-service/configuration#jetstream - # Only configure "max_memory_store" or "max_file_store", do not set "store_dir" as it has been hardcoded. 
- max_memory_store: -1 - max_file_store: -1 - # The default properties of the streams to be created in this JetStream service - streamConfig: | - maxMsgs: 1e+06 - maxAge: 72h - maxBytes: 1GB - replicas: 3 - duplicates: 300s - retention: 0 - discard: 0 - versions: - - version: latest - natsImage: nats:2.10.10 - metricsExporterImage: natsio/prometheus-nats-exporter:0.14.0 - configReloaderImage: natsio/nats-server-config-reloader:0.14.0 - startCommand: /nats-server - - version: 2.8.1 - natsImage: nats:2.8.1 - metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1 - configReloaderImage: natsio/nats-server-config-reloader:0.7.0 - startCommand: /nats-server - - version: 2.8.1-alpine - natsImage: nats:2.8.1-alpine - metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1 - configReloaderImage: natsio/nats-server-config-reloader:0.7.0 - startCommand: nats-server - - version: 2.8.2 - natsImage: nats:2.8.2 - metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1 - configReloaderImage: natsio/nats-server-config-reloader:0.7.0 - startCommand: /nats-server - - version: 2.8.2-alpine - natsImage: nats:2.8.2-alpine - metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1 - configReloaderImage: natsio/nats-server-config-reloader:0.7.0 - startCommand: nats-server - - version: 2.9.1 - natsImage: nats:2.9.1 - metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1 - configReloaderImage: natsio/nats-server-config-reloader:0.7.0 - startCommand: /nats-server - - version: 2.9.12 - natsImage: nats:2.9.12 - metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1 - configReloaderImage: natsio/nats-server-config-reloader:0.7.0 - startCommand: /nats-server - - version: 2.9.16 - natsImage: nats:2.9.16 - metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1 - configReloaderImage: natsio/nats-server-config-reloader:0.7.0 - startCommand: /nats-server - - version: 2.10.10 - natsImage: nats:2.10.10 - metricsExporterImage: natsio/prometheus-nats-exporter:0.14.0 - 
configReloaderImage: natsio/nats-server-config-reloader:0.14.0 - startCommand: /nats-server ---- -# Source: argo-workflows/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: argo-workflows-workflow-controller-configmap - namespace: "argo-workflows" - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-cm - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: workflow-controller - app: workflow-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows -data: - config: | - metricsConfig: - enabled: true - path: /metrics - port: 9090 - ignoreErrors: false - secure: false - persistence: - archive: true - connectionPool: - maxIdleConns: 100 - maxOpenConns: 0 - nodeStatusOffLoad: true - postgresql: - database: app - host: argo-workflows-postgresql-17-cluster-rw - passwordSecret: - key: password - name: argo-workflows-postgresql-17-cluster-app - port: 5432 - ssl: false - sslMode: disable - tableName: app - userNameSecret: - key: username - name: argo-workflows-postgresql-17-cluster-app - sso: - issuer: https://authentik.alexlebens.net/application/o/argo-workflows/ - clientId: - name: argo-workflows-oidc-secret - key: client - clientSecret: - name: argo-workflows-oidc-secret - key: secret - redirectUrl: "https://argo-workflows.alexlebens.net/oauth2/callback" - rbac: - enabled: false - scopes: - - openid - - email - - profile - nodeEvents: - enabled: true - workflowEvents: - enabled: true ---- -# Source: argo-workflows/charts/argo-events/templates/crds/eventbus-crd.yml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: eventbus.argoproj.io - annotations: - "helm.sh/resource-policy": keep -spec: - group: argoproj.io - names: - kind: EventBus - listKind: EventBusList - plural: eventbus - shortNames: - - eb - singular: eventbus - scope: Namespaced - versions: - - name: 
v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - status: - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: argo-workflows/charts/argo-events/templates/crds/eventsource-crd.yml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: eventsources.argoproj.io - annotations: - "helm.sh/resource-policy": keep -spec: - group: argoproj.io - names: - kind: EventSource - listKind: EventSourceList - plural: eventsources - shortNames: - - es - singular: eventsource - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - status: - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: argo-workflows/charts/argo-events/templates/crds/sensor-crd.yml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: sensors.argoproj.io - annotations: - "helm.sh/resource-policy": keep -spec: - group: argoproj.io - names: - kind: Sensor - listKind: SensorList - plural: sensors - shortNames: - - sn - singular: sensor - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - status: - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# 
Source: argo-workflows/charts/argo-workflows/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clusterworkflowtemplates.argoproj.io - annotations: - helm.sh/resource-policy: keep -spec: - group: argoproj.io - names: - kind: ClusterWorkflowTemplate - listKind: ClusterWorkflowTemplateList - plural: clusterworkflowtemplates - shortNames: - - clusterwftmpl - - cwft - singular: clusterworkflowtemplate - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - type: object - x-kubernetes-map-type: atomic - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true ---- -# Source: argo-workflows/charts/argo-workflows/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: cronworkflows.argoproj.io - annotations: - helm.sh/resource-policy: keep -spec: - group: argoproj.io - names: - kind: CronWorkflow - listKind: CronWorkflowList - plural: cronworkflows - shortNames: - - cwf - - cronwf - singular: cronworkflow - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - type: object - x-kubernetes-map-type: atomic - x-kubernetes-preserve-unknown-fields: true - status: - type: object - x-kubernetes-map-type: atomic - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true ---- -# Source: argo-workflows/charts/argo-workflows/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: workflowartifactgctasks.argoproj.io - annotations: - helm.sh/resource-policy: keep -spec: - group: argoproj.io - names: - kind: WorkflowArtifactGCTask - listKind: 
WorkflowArtifactGCTaskList - plural: workflowartifactgctasks - shortNames: - - wfat - singular: workflowartifactgctask - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - properties: - artifactsByNode: - additionalProperties: - properties: - archiveLocation: - properties: - archiveLogs: - type: boolean - artifactory: - properties: - passwordSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - url: - type: string - usernameSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - url - type: object - azure: - properties: - accountKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - blob: - type: string - container: - type: string - endpoint: - type: string - useSDKCreds: - type: boolean - required: - - blob - - container - - endpoint - type: object - gcs: - properties: - bucket: - type: string - key: - type: string - serviceAccountKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - key - type: object - git: - properties: - branch: - type: string - depth: - format: int64 - type: integer - disableSubmodules: - type: boolean - fetch: - items: - type: string - type: array - insecureIgnoreHostKey: - type: boolean - insecureSkipTLS: - type: boolean - passwordSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: 
atomic - repo: - type: string - revision: - type: string - singleBranch: - type: boolean - sshPrivateKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - usernameSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - repo - type: object - hdfs: - properties: - addresses: - items: - type: string - type: array - dataTransferProtection: - type: string - force: - type: boolean - hdfsUser: - type: string - krbCCacheSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - krbConfigConfigMap: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - krbKeytabSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - krbRealm: - type: string - krbServicePrincipalName: - type: string - krbUsername: - type: string - path: - type: string - required: - - path - type: object - http: - properties: - auth: - properties: - basicAuth: - properties: - passwordSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - usernameSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientCert: - properties: - clientCertSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - 
required: - - key - type: object - x-kubernetes-map-type: atomic - clientKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - oauth2: - properties: - clientIDSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - clientSecretSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - items: - properties: - key: - type: string - value: - type: string - required: - - key - type: object - type: array - scopes: - items: - type: string - type: array - tokenURLSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - type: object - headers: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - url: - type: string - required: - - url - type: object - oss: - properties: - accessKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - bucket: - type: string - createBucketIfNotPresent: - type: boolean - endpoint: - type: string - key: - type: string - lifecycleRule: - properties: - markDeletionAfterDays: - format: int32 - type: integer - markInfrequentAccessAfterDays: - format: int32 - type: integer - type: object - secretKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - securityToken: - type: string - useSDKCreds: - 
type: boolean - required: - - key - type: object - raw: - properties: - data: - type: string - required: - - data - type: object - s3: - properties: - accessKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - bucket: - type: string - caSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - createBucketIfNotPresent: - properties: - objectLocking: - type: boolean - type: object - encryptionOptions: - properties: - enableEncryption: - type: boolean - kmsEncryptionContext: - type: string - kmsKeyId: - type: string - serverSideCustomerKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - endpoint: - type: string - insecure: - type: boolean - key: - type: string - region: - type: string - roleARN: - type: string - secretKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - sessionTokenSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - useSDKCreds: - type: boolean - type: object - type: object - artifacts: - additionalProperties: - properties: - archive: - properties: - none: - type: object - tar: - properties: - compressionLevel: - format: int32 - type: integer - type: object - zip: - type: object - type: object - archiveLogs: - type: boolean - artifactGC: - properties: - podMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - 
type: object - serviceAccountName: - type: string - strategy: - enum: - - "" - - OnWorkflowCompletion - - OnWorkflowDeletion - - Never - type: string - type: object - artifactory: - properties: - passwordSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - url: - type: string - usernameSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - url - type: object - azure: - properties: - accountKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - blob: - type: string - container: - type: string - endpoint: - type: string - useSDKCreds: - type: boolean - required: - - blob - - container - - endpoint - type: object - deleted: - type: boolean - from: - type: string - fromExpression: - type: string - gcs: - properties: - bucket: - type: string - key: - type: string - serviceAccountKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - key - type: object - git: - properties: - branch: - type: string - depth: - format: int64 - type: integer - disableSubmodules: - type: boolean - fetch: - items: - type: string - type: array - insecureIgnoreHostKey: - type: boolean - insecureSkipTLS: - type: boolean - passwordSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - repo: - type: string - revision: - type: string - singleBranch: - type: boolean - sshPrivateKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - 
optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - usernameSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - repo - type: object - globalName: - type: string - hdfs: - properties: - addresses: - items: - type: string - type: array - dataTransferProtection: - type: string - force: - type: boolean - hdfsUser: - type: string - krbCCacheSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - krbConfigConfigMap: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - krbKeytabSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - krbRealm: - type: string - krbServicePrincipalName: - type: string - krbUsername: - type: string - path: - type: string - required: - - path - type: object - http: - properties: - auth: - properties: - basicAuth: - properties: - passwordSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - usernameSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientCert: - properties: - clientCertSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - clientKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - 
optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - oauth2: - properties: - clientIDSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - clientSecretSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - items: - properties: - key: - type: string - value: - type: string - required: - - key - type: object - type: array - scopes: - items: - type: string - type: array - tokenURLSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - type: object - headers: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - url: - type: string - required: - - url - type: object - mode: - format: int32 - type: integer - name: - type: string - optional: - type: boolean - oss: - properties: - accessKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - bucket: - type: string - createBucketIfNotPresent: - type: boolean - endpoint: - type: string - key: - type: string - lifecycleRule: - properties: - markDeletionAfterDays: - format: int32 - type: integer - markInfrequentAccessAfterDays: - format: int32 - type: integer - type: object - secretKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - securityToken: - type: string - useSDKCreds: - type: boolean - required: - - key - type: object - path: - type: string 
- raw: - properties: - data: - type: string - required: - - data - type: object - recurseMode: - type: boolean - s3: - properties: - accessKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - bucket: - type: string - caSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - createBucketIfNotPresent: - properties: - objectLocking: - type: boolean - type: object - encryptionOptions: - properties: - enableEncryption: - type: boolean - kmsEncryptionContext: - type: string - kmsKeyId: - type: string - serverSideCustomerKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - endpoint: - type: string - insecure: - type: boolean - key: - type: string - region: - type: string - roleARN: - type: string - secretKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - sessionTokenSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - useSDKCreds: - type: boolean - type: object - subPath: - type: string - required: - - name - type: object - type: object - type: object - type: object - type: object - status: - properties: - artifactResultsByNode: - additionalProperties: - properties: - artifactResults: - additionalProperties: - properties: - error: - type: string - name: - type: string - success: - type: boolean - required: - - name - type: object - type: object - type: object - type: object - type: object - required: - - metadata - - spec - type: object 
- served: true - storage: true - subresources: - status: {} ---- -# Source: argo-workflows/charts/argo-workflows/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: workfloweventbindings.argoproj.io - annotations: - helm.sh/resource-policy: keep -spec: - group: argoproj.io - names: - kind: WorkflowEventBinding - listKind: WorkflowEventBindingList - plural: workfloweventbindings - shortNames: - - wfeb - singular: workfloweventbinding - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - properties: - event: - properties: - selector: - type: string - required: - - selector - type: object - submit: - properties: - arguments: - properties: - artifacts: - items: - properties: - archive: - properties: - none: - type: object - tar: - properties: - compressionLevel: - format: int32 - type: integer - type: object - zip: - type: object - type: object - archiveLogs: - type: boolean - artifactGC: - properties: - podMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - serviceAccountName: - type: string - strategy: - enum: - - "" - - OnWorkflowCompletion - - OnWorkflowDeletion - - Never - type: string - type: object - artifactory: - properties: - passwordSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - url: - type: string - usernameSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - url - type: object - azure: - properties: - accountKeySecret: - properties: - key: - type: string - name: - default: "" - type: string 
- optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - blob: - type: string - container: - type: string - endpoint: - type: string - useSDKCreds: - type: boolean - required: - - blob - - container - - endpoint - type: object - deleted: - type: boolean - from: - type: string - fromExpression: - type: string - gcs: - properties: - bucket: - type: string - key: - type: string - serviceAccountKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - key - type: object - git: - properties: - branch: - type: string - depth: - format: int64 - type: integer - disableSubmodules: - type: boolean - fetch: - items: - type: string - type: array - insecureIgnoreHostKey: - type: boolean - insecureSkipTLS: - type: boolean - passwordSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - repo: - type: string - revision: - type: string - singleBranch: - type: boolean - sshPrivateKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - usernameSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - repo - type: object - globalName: - type: string - hdfs: - properties: - addresses: - items: - type: string - type: array - dataTransferProtection: - type: string - force: - type: boolean - hdfsUser: - type: string - krbCCacheSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - krbConfigConfigMap: - properties: - 
key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - krbKeytabSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - krbRealm: - type: string - krbServicePrincipalName: - type: string - krbUsername: - type: string - path: - type: string - required: - - path - type: object - http: - properties: - auth: - properties: - basicAuth: - properties: - passwordSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - usernameSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientCert: - properties: - clientCertSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - clientKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - oauth2: - properties: - clientIDSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - clientSecretSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - items: - properties: - key: - type: string - value: - type: string - required: - - key - type: object - type: array - scopes: - items: - type: string - type: array - tokenURLSecret: - properties: - key: - 
type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - type: object - headers: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - url: - type: string - required: - - url - type: object - mode: - format: int32 - type: integer - name: - type: string - optional: - type: boolean - oss: - properties: - accessKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - bucket: - type: string - createBucketIfNotPresent: - type: boolean - endpoint: - type: string - key: - type: string - lifecycleRule: - properties: - markDeletionAfterDays: - format: int32 - type: integer - markInfrequentAccessAfterDays: - format: int32 - type: integer - type: object - secretKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - securityToken: - type: string - useSDKCreds: - type: boolean - required: - - key - type: object - path: - type: string - raw: - properties: - data: - type: string - required: - - data - type: object - recurseMode: - type: boolean - s3: - properties: - accessKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - bucket: - type: string - caSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - createBucketIfNotPresent: - properties: - objectLocking: - type: boolean - type: object - encryptionOptions: - properties: - enableEncryption: - type: boolean - kmsEncryptionContext: - type: string - 
kmsKeyId: - type: string - serverSideCustomerKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - endpoint: - type: string - insecure: - type: boolean - key: - type: string - region: - type: string - roleARN: - type: string - secretKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - sessionTokenSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - useSDKCreds: - type: boolean - type: object - subPath: - type: string - required: - - name - type: object - type: array - parameters: - items: - properties: - default: - type: string - description: - type: string - enum: - items: - type: string - type: array - globalName: - type: string - name: - type: string - value: - type: string - valueFrom: - properties: - configMapKeyRef: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - default: - type: string - event: - type: string - expression: - type: string - jqFilter: - type: string - jsonPath: - type: string - parameter: - type: string - path: - type: string - supplied: - type: object - type: object - required: - - name - type: object - type: array - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - generateName: - type: string - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - workflowTemplateRef: - properties: - clusterScope: - type: boolean - name: - type: string - type: 
object - required: - - workflowTemplateRef - type: object - required: - - event - type: object - required: - - metadata - - spec - type: object - served: true - storage: true ---- -# Source: argo-workflows/charts/argo-workflows/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: workflows.argoproj.io - annotations: - helm.sh/resource-policy: keep -spec: - group: argoproj.io - names: - kind: Workflow - listKind: WorkflowList - plural: workflows - shortNames: - - wf - singular: workflow - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Status of the workflow - jsonPath: .status.phase - name: Status - type: string - - description: When the workflow was started - format: date-time - jsonPath: .status.startedAt - name: Age - type: date - - description: Human readable message indicating details about why the workflow - is in this condition. - jsonPath: .status.message - name: Message - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - type: object - x-kubernetes-map-type: atomic - x-kubernetes-preserve-unknown-fields: true - status: - type: object - x-kubernetes-map-type: atomic - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: {} ---- -# Source: argo-workflows/charts/argo-workflows/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: workflowtaskresults.argoproj.io - annotations: - helm.sh/resource-policy: keep -spec: - group: argoproj.io - names: - kind: WorkflowTaskResult - listKind: WorkflowTaskResultList - plural: workflowtaskresults - singular: workflowtaskresult - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - message: - type: 
string - metadata: - type: object - outputs: - properties: - artifacts: - items: - properties: - archive: - properties: - none: - type: object - tar: - properties: - compressionLevel: - format: int32 - type: integer - type: object - zip: - type: object - type: object - archiveLogs: - type: boolean - artifactGC: - properties: - podMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - serviceAccountName: - type: string - strategy: - enum: - - "" - - OnWorkflowCompletion - - OnWorkflowDeletion - - Never - type: string - type: object - artifactory: - properties: - passwordSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - url: - type: string - usernameSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - url - type: object - azure: - properties: - accountKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - blob: - type: string - container: - type: string - endpoint: - type: string - useSDKCreds: - type: boolean - required: - - blob - - container - - endpoint - type: object - deleted: - type: boolean - from: - type: string - fromExpression: - type: string - gcs: - properties: - bucket: - type: string - key: - type: string - serviceAccountKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - key - type: object - git: - properties: - branch: - type: string - depth: - format: int64 - type: integer - disableSubmodules: - type: 
boolean - fetch: - items: - type: string - type: array - insecureIgnoreHostKey: - type: boolean - insecureSkipTLS: - type: boolean - passwordSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - repo: - type: string - revision: - type: string - singleBranch: - type: boolean - sshPrivateKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - usernameSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - repo - type: object - globalName: - type: string - hdfs: - properties: - addresses: - items: - type: string - type: array - dataTransferProtection: - type: string - force: - type: boolean - hdfsUser: - type: string - krbCCacheSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - krbConfigConfigMap: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - krbKeytabSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - krbRealm: - type: string - krbServicePrincipalName: - type: string - krbUsername: - type: string - path: - type: string - required: - - path - type: object - http: - properties: - auth: - properties: - basicAuth: - properties: - passwordSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - 
usernameSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientCert: - properties: - clientCertSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - clientKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - oauth2: - properties: - clientIDSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - clientSecretSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - items: - properties: - key: - type: string - value: - type: string - required: - - key - type: object - type: array - scopes: - items: - type: string - type: array - tokenURLSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - type: object - headers: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - url: - type: string - required: - - url - type: object - mode: - format: int32 - type: integer - name: - type: string - optional: - type: boolean - oss: - properties: - accessKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - bucket: - type: string - createBucketIfNotPresent: - type: boolean - endpoint: - 
type: string - key: - type: string - lifecycleRule: - properties: - markDeletionAfterDays: - format: int32 - type: integer - markInfrequentAccessAfterDays: - format: int32 - type: integer - type: object - secretKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - securityToken: - type: string - useSDKCreds: - type: boolean - required: - - key - type: object - path: - type: string - raw: - properties: - data: - type: string - required: - - data - type: object - recurseMode: - type: boolean - s3: - properties: - accessKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - bucket: - type: string - caSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - createBucketIfNotPresent: - properties: - objectLocking: - type: boolean - type: object - encryptionOptions: - properties: - enableEncryption: - type: boolean - kmsEncryptionContext: - type: string - kmsKeyId: - type: string - serverSideCustomerKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - endpoint: - type: string - insecure: - type: boolean - key: - type: string - region: - type: string - roleARN: - type: string - secretKeySecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - sessionTokenSecret: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - useSDKCreds: - 
type: boolean - type: object - subPath: - type: string - required: - - name - type: object - type: array - exitCode: - type: string - parameters: - items: - properties: - default: - type: string - description: - type: string - enum: - items: - type: string - type: array - globalName: - type: string - name: - type: string - value: - type: string - valueFrom: - properties: - configMapKeyRef: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - default: - type: string - event: - type: string - expression: - type: string - jqFilter: - type: string - jsonPath: - type: string - parameter: - type: string - path: - type: string - supplied: - type: object - type: object - required: - - name - type: object - type: array - result: - type: string - type: object - phase: - type: string - progress: - type: string - required: - - metadata - type: object - served: true - storage: true ---- -# Source: argo-workflows/charts/argo-workflows/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: workflowtasksets.argoproj.io - annotations: - helm.sh/resource-policy: keep -spec: - group: argoproj.io - names: - kind: WorkflowTaskSet - listKind: WorkflowTaskSetList - plural: workflowtasksets - shortNames: - - wfts - singular: workflowtaskset - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - type: object - x-kubernetes-map-type: atomic - x-kubernetes-preserve-unknown-fields: true - status: - type: object - x-kubernetes-map-type: atomic - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: argo-workflows/charts/argo-workflows/templates/crds.yaml -apiVersion: 
apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: workflowtemplates.argoproj.io - annotations: - helm.sh/resource-policy: keep -spec: - group: argoproj.io - names: - kind: WorkflowTemplate - listKind: WorkflowTemplateList - plural: workflowtemplates - shortNames: - - wftmpl - singular: workflowtemplate - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - type: object - x-kubernetes-map-type: atomic - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true ---- -# Source: argo-workflows/charts/argo-events/templates/argo-events-controller/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argo-workflows-argo-events-controller-manager - labels: - helm.sh/chart: argo-events-2.4.18 - app.kubernetes.io/name: argo-events-controller-manager - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: controller-manager - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-events -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - argoproj.io - resources: - - sensors - - sensors/finalizers - - sensors/status - - eventsources - - eventsources/finalizers - - eventsources/status - - eventbus - - eventbus/finalizers - - eventbus/status - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - pods - - pods/exec - - configmaps - - services - - persistentvolumeclaims - verbs: - - create - - get - - list - - watch - - update - - patch - - delete -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - list - 
- update - - patch - - delete -- apiGroups: - - apps - resources: - - deployments - - statefulsets - verbs: - - create - - get - - list - - watch - - update - - patch - - delete ---- -# Source: argo-workflows/charts/argo-events/templates/argo-events-webhook/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argo-events-webhook - labels: - helm.sh/chart: argo-events-2.4.18 - app.kubernetes.io/name: argo-events-events-webhook - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-events -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - create - - update - - delete - - patch - - watch -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - apps - resources: - - deployments - verbs: - - get - - list -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - list - - create - - update - - delete - - patch - - watch -- apiGroups: - - argoproj.io - resources: - - eventbus - - eventsources - - sensors - verbs: - - get - - list - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - get - - list ---- -# Source: argo-workflows/charts/argo-workflows/templates/controller/workflow-aggregate-roles.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argo-workflows-view - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-workflow-controller - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: workflow-controller - app: workflow-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows - rbac.authorization.k8s.io/aggregate-to-view: "true" -rules: -- apiGroups: - - argoproj.io - resources: - - workflows - - workflows/finalizers - - workfloweventbindings - - 
workfloweventbindings/finalizers - - workflowtemplates - - workflowtemplates/finalizers - - cronworkflows - - cronworkflows/finalizers - - clusterworkflowtemplates - - clusterworkflowtemplates/finalizers - - workflowtasksets - - workflowtasksets/finalizers - - workflowtaskresults - - workflowtaskresults/finalizers - - workflowartifactgctasks - - workflowartifactgctasks/finalizers - verbs: - - get - - list - - watch ---- -# Source: argo-workflows/charts/argo-workflows/templates/controller/workflow-aggregate-roles.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argo-workflows-edit - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-server - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: server - app: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows - rbac.authorization.k8s.io/aggregate-to-edit: "true" -rules: -- apiGroups: - - argoproj.io - resources: - - workflows - - workflows/finalizers - - workfloweventbindings - - workfloweventbindings/finalizers - - workflowtemplates - - workflowtemplates/finalizers - - cronworkflows - - cronworkflows/finalizers - - clusterworkflowtemplates - - clusterworkflowtemplates/finalizers - - workflowtasksets - - workflowtasksets/finalizers - - workflowtaskresults - - workflowtaskresults/finalizers - - workflowartifactgctasks - - workflowartifactgctasks/finalizers - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch ---- -# Source: argo-workflows/charts/argo-workflows/templates/controller/workflow-aggregate-roles.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argo-workflows-admin - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-server - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: server - app: server - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/part-of: argo-workflows - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: -- apiGroups: - - argoproj.io - resources: - - workflows - - workflows/finalizers - - workfloweventbindings - - workfloweventbindings/finalizers - - workflowtemplates - - workflowtemplates/finalizers - - cronworkflows - - cronworkflows/finalizers - - clusterworkflowtemplates - - clusterworkflowtemplates/finalizers - - workflowtasksets - - workflowtasksets/finalizers - - workflowtaskresults - - workflowtaskresults/finalizers - - workflowartifactgctasks - - workflowartifactgctasks/finalizers - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch ---- -# Source: argo-workflows/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argo-workflows-workflow-controller - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-workflow-controller - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: workflow-controller - app: workflow-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows -rules: -- apiGroups: - - "" - resources: - - pods - verbs: - - create - - get - - list - - watch - - update - - patch - - delete -- apiGroups: - - "" - resources: - - pods/exec - verbs: - - create -- apiGroups: - - "" - resources: - - configmaps - - namespaces - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - persistentvolumeclaims - - persistentvolumeclaims/finalizers - verbs: - - create - - update - - delete - - get -- apiGroups: - - argoproj.io - resources: - - workflows - - workflows/finalizers - - workflowtasksets - - workflowtasksets/finalizers - - workflowtasksets/status - - workflowartifactgctasks - verbs: - - get - - list - - watch - - update - - patch - - delete - - create -- apiGroups: - - argoproj.io - 
resources: - - workflowtemplates - - workflowtemplates/finalizers - verbs: - - get - - list - - watch -- apiGroups: - - argoproj.io - resources: - - workflowtaskresults - - workflowtaskresults/finalizers - verbs: - - list - - watch - - deletecollection -- apiGroups: - - argoproj.io - resources: - - cronworkflows - - cronworkflows/finalizers - verbs: - - get - - list - - watch - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - list -- apiGroups: - - "policy" - resources: - - poddisruptionbudgets - verbs: - - create - - get - - delete -- apiGroups: - - "" - resources: - - secrets - resourceNames: - - argo-workflows-postgresql-17-cluster-app - - argo-workflows-postgresql-17-cluster-app - verbs: - - get -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -- apiGroups: - - coordination.k8s.io - resources: - - leases - resourceNames: - - workflow-controller - - workflow-controller-lease - verbs: - - get - - watch - - update - - patch - - delete -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - resourceNames: - - argo-workflows-agent-ca-certificates ---- -# Source: argo-workflows/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argo-workflows-workflow-controller-cluster-template - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-workflow-controller - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: workflow-controller - app: workflow-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows -rules: -- apiGroups: - - argoproj.io - resources: - - clusterworkflowtemplates - - clusterworkflowtemplates/finalizers - verbs: - - get - - list - - watch ---- -# Source: 
argo-workflows/charts/argo-workflows/templates/server/server-cluster-roles.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argo-workflows-server - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-server - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: server - app: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows -rules: -- apiGroups: - - "" - resources: - - configmaps - - events - verbs: - - get - - watch - - list -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - - delete -- apiGroups: - - "" - resources: - - pods/log - verbs: - - get - - list -- apiGroups: - - "" - resources: - - secrets - resourceNames: - - sso - verbs: - - get -- apiGroups: - - "" - resources: - - secrets - verbs: - - create -- apiGroups: - - "" - resources: - - secrets - verbs: - - get -- apiGroups: - - "" - resources: - - events - verbs: - - watch - - create - - patch -- apiGroups: - - "" - resources: - - secrets - resourceNames: - - argo-workflows-postgresql-17-cluster-app - - argo-workflows-postgresql-17-cluster-app - verbs: - - get -- apiGroups: - - argoproj.io - resources: - - eventsources - - sensors - - workflows - - workfloweventbindings - - workflowtemplates - - cronworkflows - verbs: - - create - - get - - list - - watch - - update - - patch - - delete ---- -# Source: argo-workflows/charts/argo-workflows/templates/server/server-cluster-roles.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argo-workflows-server-cluster-template - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-server - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: server - app: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows -rules: -- apiGroups: - - argoproj.io - resources: - - clusterworkflowtemplates - 
verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -# Source: argo-workflows/charts/argo-events/templates/argo-events-controller/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: argo-workflows-argo-events-controller-manager - labels: - helm.sh/chart: argo-events-2.4.18 - app.kubernetes.io/name: argo-events-controller-manager - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: controller-manager - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-events -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argo-workflows-argo-events-controller-manager -subjects: -- kind: ServiceAccount - name: argo-workflows-argo-events-controller-manager - namespace: "argo-workflows" ---- -# Source: argo-workflows/charts/argo-events/templates/argo-events-webhook/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: argo-workflows-argo-events-events-webhook - labels: - helm.sh/chart: argo-events-2.4.18 - app.kubernetes.io/name: argo-events-events-webhook - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-events -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argo-events-webhook -subjects: -- kind: ServiceAccount - name: argo-workflows-argo-events-events-webhook - namespace: "argo-workflows" ---- -# Source: argo-workflows/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: argo-workflows-workflow-controller - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-workflow-controller - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: workflow-controller - app: workflow-controller - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/part-of: argo-workflows -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argo-workflows-workflow-controller -subjects: - - kind: ServiceAccount - name: argo-workflows-workflow-controller - namespace: "argo-workflows" ---- -# Source: argo-workflows/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: argo-workflows-workflow-controller-cluster-template - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-workflow-controller - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: workflow-controller - app: workflow-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argo-workflows-workflow-controller-cluster-template -subjects: - - kind: ServiceAccount - name: argo-workflows-workflow-controller - namespace: "argo-workflows" ---- -# Source: argo-workflows/charts/argo-workflows/templates/server/server-crb.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: argo-workflows-server - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-server - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: server - app: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argo-workflows-server -subjects: -- kind: ServiceAccount - name: argo-workflows-server - namespace: "argo-workflows" ---- -# Source: argo-workflows/charts/argo-workflows/templates/server/server-crb.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: argo-workflows-server-cluster-template - labels: - helm.sh/chart: argo-workflows-0.46.1 - 
app.kubernetes.io/name: argo-workflows-server - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: server - app: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argo-workflows-server-cluster-template -subjects: -- kind: ServiceAccount - name: argo-workflows-server - namespace: "argo-workflows" ---- -# Source: argo-workflows/charts/argo-workflows/templates/controller/workflow-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argo-workflows-workflow - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-workflow-controller - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: workflow-controller - app: workflow-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows - namespace: argocd -rules: - - apiGroups: - - argoproj.io - resources: - - workflowtaskresults - verbs: - - create - - patch ---- -# Source: argo-workflows/charts/argo-workflows/templates/controller/workflow-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argo-workflows-workflow - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-workflow-controller - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: workflow-controller - app: workflow-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows - namespace: argo-workflows -rules: - - apiGroups: - - argoproj.io - resources: - - workflowtaskresults - verbs: - - create - - patch ---- -# Source: argo-workflows/charts/argo-workflows/templates/controller/workflow-rb.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argo-workflows-workflow - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: 
argo-workflows-workflow-controller - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: workflow-controller - app: workflow-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows - namespace: argocd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argo-workflows-workflow -subjects: - - kind: ServiceAccount - name: argo-workflow - namespace: argocd ---- -# Source: argo-workflows/charts/argo-workflows/templates/controller/workflow-rb.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argo-workflows-workflow - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-workflow-controller - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: workflow-controller - app: workflow-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows - namespace: argo-workflows -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argo-workflows-workflow -subjects: - - kind: ServiceAccount - name: argo-workflow - namespace: argo-workflows ---- -# Source: argo-workflows/charts/argo-events/templates/argo-events-controller/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: argo-workflows-argo-events-controller-manager-metrics - namespace: "argo-workflows" - labels: - helm.sh/chart: argo-events-2.4.18 - app.kubernetes.io/name: argo-events-controller-manager-metrics - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: controller-manager - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-events -spec: - ports: - - name: metrics - protocol: TCP - port: 8082 - targetPort: metrics - selector: - app.kubernetes.io/name: argo-events-controller-manager - app.kubernetes.io/instance: argo-workflows ---- -# Source: argo-workflows/charts/argo-events/templates/argo-events-webhook/service.yaml -apiVersion: v1 -kind: Service -metadata: - 
name: events-webhook - namespace: "argo-workflows" - labels: - helm.sh/chart: argo-events-2.4.18 - app.kubernetes.io/name: argo-events-events-webhook - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-events -spec: - ports: - - port: 443 - targetPort: webhook - selector: - app.kubernetes.io/name: argo-events-events-webhook - app.kubernetes.io/instance: argo-workflows ---- -# Source: argo-workflows/charts/argo-workflows/templates/controller/workflow-controller-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: argo-workflows-workflow-controller - namespace: "argo-workflows" - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-workflow-controller - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: workflow-controller - app: workflow-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows - app.kubernetes.io/version: "v3.7.4" -spec: - ports: - - name: metrics - port: 8080 - protocol: TCP - targetPort: 9090 - selector: - app.kubernetes.io/name: argo-workflows-workflow-controller - app.kubernetes.io/instance: argo-workflows - sessionAffinity: None - type: ClusterIP ---- -# Source: argo-workflows/charts/argo-workflows/templates/server/server-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: argo-workflows-server - namespace: "argo-workflows" - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-server - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: server - app: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows - app.kubernetes.io/version: "v3.7.4" -spec: - ports: - - port: 2746 - targetPort: 2746 - selector: - app.kubernetes.io/name: argo-workflows-server - app.kubernetes.io/instance: argo-workflows - sessionAffinity: None - type: ClusterIP ---- -# Source: 
argo-workflows/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: garage-ps10rp - namespace: argo-workflows - labels: - app.kubernetes.io/name: garage-ps10rp - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/part-of: argo-workflows - annotations: - tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net -spec: - externalName: placeholder - type: ExternalName ---- -# Source: argo-workflows/charts/argo-events/templates/argo-events-controller/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argo-workflows-argo-events-controller-manager - namespace: "argo-workflows" - labels: - helm.sh/chart: argo-events-2.4.18 - app.kubernetes.io/name: argo-events-controller-manager - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: controller-manager - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-events - app.kubernetes.io/version: "v1.9.9" -spec: - selector: - matchLabels: - app.kubernetes.io/name: argo-events-controller-manager - app.kubernetes.io/instance: argo-workflows - revisionHistoryLimit: 5 - replicas: 1 - template: - metadata: - annotations: - checksum/config: a98b80a2ffaf4c020ec162c5614927614c17e0ea3fea1999358dd37203b01d58 - labels: - helm.sh/chart: argo-events-2.4.18 - app.kubernetes.io/name: argo-events-controller-manager - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: controller-manager - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-events - app.kubernetes.io/version: "v1.9.9" - spec: - containers: - - name: controller-manager - image: quay.io/argoproj/argo-events:v1.9.9 - imagePullPolicy: IfNotPresent - args: - - controller - env: - - name: ARGO_EVENTS_IMAGE - value: quay.io/argoproj/argo-events:v1.9.9 - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumeMounts: - - name: config - mountPath: /etc/argo-events - ports: - - name: metrics - containerPort: 7777 - protocol: 
TCP - - name: probe - containerPort: 8081 - protocol: TCP - livenessProbe: - httpGet: - port: probe - path: /healthz - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - port: probe - path: /readyz - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - resources: - requests: - cpu: 10m - memory: 128Mi - serviceAccountName: argo-workflows-argo-events-controller-manager - volumes: - - name: config - configMap: - name: argo-workflows-argo-events-controller-manager ---- -# Source: argo-workflows/charts/argo-events/templates/argo-events-webhook/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: events-webhook - namespace: "argo-workflows" - labels: - helm.sh/chart: argo-events-2.4.18 - app.kubernetes.io/name: argo-events-events-webhook - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: events-webhook - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-events - app.kubernetes.io/version: "v1.9.9" -spec: - selector: - matchLabels: - app.kubernetes.io/name: argo-events-events-webhook - app.kubernetes.io/instance: argo-workflows - revisionHistoryLimit: 5 - replicas: 1 - template: - metadata: - labels: - helm.sh/chart: argo-events-2.4.18 - app.kubernetes.io/name: argo-events-events-webhook - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: events-webhook - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-events - app.kubernetes.io/version: "v1.9.9" - spec: - containers: - - name: events-webhook - image: quay.io/argoproj/argo-events:v1.9.9 - imagePullPolicy: IfNotPresent - args: - - webhook-service - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: PORT - value: "443" - ports: - - name: webhook - containerPort: 443 - protocol: TCP - livenessProbe: - tcpSocket: - port: webhook - 
initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - tcpSocket: - port: webhook - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - resources: - requests: - cpu: 10m - memory: 128Mi - serviceAccountName: argo-workflows-argo-events-events-webhook ---- -# Source: argo-workflows/charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argo-workflows-workflow-controller - namespace: "argo-workflows" - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-workflow-controller - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: workflow-controller - app: workflow-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows - app.kubernetes.io/version: "v3.7.4" -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: argo-workflows-workflow-controller - app.kubernetes.io/instance: argo-workflows - template: - metadata: - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-workflow-controller - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: workflow-controller - app: workflow-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows - app.kubernetes.io/version: "v3.7.4" - spec: - serviceAccountName: argo-workflows-workflow-controller - containers: - - name: controller - image: "quay.io/argoproj/workflow-controller:v3.7.4" - imagePullPolicy: Always - command: [ "workflow-controller" ] - args: - - "--configmap" - - "argo-workflows-workflow-controller-configmap" - - "--executor-image" - - "quay.io/argoproj/argoexec:v3.7.4" - - "--loglevel" - - "info" - - "--gloglevel" - - "0" - - "--log-format" - - "text" - - "--workflow-workers" - - "2" - 
- "--workflow-ttl-workers" - - "1" - - "--pod-cleanup-workers" - - "1" - - "--cron-workflow-workers" - - "1" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - env: - - name: ARGO_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: LEADER_ELECTION_IDENTITY - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: LEADER_ELECTION_DISABLE - value: "true" - resources: - requests: - cpu: 10m - memory: 128Mi - ports: - - name: metrics - containerPort: 9090 - - containerPort: 6060 - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 6060 - initialDelaySeconds: 90 - periodSeconds: 60 - timeoutSeconds: 30 - nodeSelector: - kubernetes.io/os: linux ---- -# Source: argo-workflows/charts/argo-workflows/templates/server/server-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argo-workflows-server - namespace: "argo-workflows" - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-server - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: server - app: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows - app.kubernetes.io/version: "v3.7.4" -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: argo-workflows-server - app.kubernetes.io/instance: argo-workflows - template: - metadata: - labels: - helm.sh/chart: argo-workflows-0.46.1 - app.kubernetes.io/name: argo-workflows-server - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: server - app: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-workflows - app.kubernetes.io/version: "v3.7.4" - annotations: - checksum/cm: cc375ecbc512206075425a11c6aad6ceca79e2421592ea3a95f0b3e59267b398 - spec: - serviceAccountName: argo-workflows-server - 
containers: - - name: argo-server - image: "quay.io/argoproj/argocli:v3.7.4" - imagePullPolicy: Always - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: false - runAsNonRoot: true - args: - - server - - --configmap=argo-workflows-workflow-controller-configmap - - "--auth-mode=sso" - - "--secure=false" - - "--loglevel" - - "info" - - "--gloglevel" - - "0" - - "--log-format" - - "text" - ports: - - name: web - containerPort: 2746 - readinessProbe: - httpGet: - path: / - port: 2746 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 20 - env: - - name: IN_CLUSTER - value: "true" - - name: ARGO_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: ARGO_BASE_HREF - value: "/" - resources: - {} - volumeMounts: - - name: tmp - mountPath: /tmp - terminationGracePeriodSeconds: 30 - volumes: - - name: tmp - emptyDir: {} - nodeSelector: - kubernetes.io/os: linux ---- -# Source: argo-workflows/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: argo-workflows-postgresql-17-cluster - namespace: argo-workflows - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: argo-workflows-postgresql-17 - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/part-of: argo-workflows - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "argo-workflows-postgresql-17-external-backup" - serverName: "argo-workflows-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: 
"argo-workflows-postgresql-17-garage-local-backup" - serverName: "argo-workflows-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "argo-workflows-postgresql-17-recovery" - serverName: argo-workflows-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: argo-workflows-postgresql-17-backup-1 - - externalClusters: - - name: argo-workflows-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "argo-workflows-postgresql-17-recovery" - serverName: argo-workflows-postgresql-17-backup-1 ---- -# Source: argo-workflows/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: argo-workflows-oidc-secret - namespace: argo-workflows - labels: - app.kubernetes.io/name: argo-workflows-oidc-secret - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/part-of: argo-workflows -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: secret - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/argo-workflows - metadataPolicy: None - property: secret - - secretKey: client - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: 
/authentik/oidc/argo-workflows - metadataPolicy: None - property: client ---- -# Source: argo-workflows/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: argo-workflows-postgresql-17-cluster-backup-secret - namespace: argo-workflows - labels: - app.kubernetes.io/name: argo-workflows-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/part-of: argo-workflows -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: argo-workflows/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: argo-workflows-postgresql-17-cluster-backup-secret-garage - namespace: argo-workflows - labels: - app.kubernetes.io/name: argo-workflows-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/part-of: argo-workflows -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: 
argo-workflows/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-argo-workflows - namespace: argo-workflows - labels: - app.kubernetes.io/name: http-route-argo-workflows - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/part-of: argo-workflows -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - argo-workflows.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: argo-workflows-server - port: 2746 - weight: 100 ---- -# Source: argo-workflows/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "argo-workflows-postgresql-17-external-backup" - namespace: argo-workflows - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: argo-workflows-postgresql-17 - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/part-of: argo-workflows - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: argo-workflows-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: argo-workflows-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: argo-workflows/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "argo-workflows-postgresql-17-garage-local-backup" - namespace: argo-workflows - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: argo-workflows-postgresql-17 - app.kubernetes.io/instance: argo-workflows - 
app.kubernetes.io/part-of: argo-workflows - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: argo-workflows-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: argo-workflows-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: argo-workflows-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: argo-workflows/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "argo-workflows-postgresql-17-recovery" - namespace: argo-workflows - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: argo-workflows-postgresql-17 - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/part-of: argo-workflows - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: argo-workflows-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: argo-workflows-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: argo-workflows/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: argo-workflows-postgresql-17-alert-rules - namespace: argo-workflows - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: argo-workflows-postgresql-17 - app.kubernetes.io/instance: 
argo-workflows - app.kubernetes.io/part-of: argo-workflows - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/argo-workflows-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: argo-workflows - cnpg_cluster: argo-workflows-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: argo-workflows - cnpg_cluster: argo-workflows-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="argo-workflows"} - cnpg_pg_replication_is_wal_receiver_up{namespace="argo-workflows"}) < 1 - for: 5m - labels: - severity: critical - namespace: argo-workflows - cnpg_cluster: argo-workflows-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="argo-workflows"} - cnpg_pg_replication_is_wal_receiver_up{namespace="argo-workflows"}) < 2 - for: 5m - labels: - severity: warning - namespace: argo-workflows - cnpg_cluster: argo-workflows-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "argo-workflows/argo-workflows-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="argo-workflows", pod=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="argo-workflows", pod=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: argo-workflows - cnpg_cluster: argo-workflows-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "argo-workflows/argo-workflows-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="argo-workflows", pod=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="argo-workflows", pod=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: argo-workflows - cnpg_cluster: argo-workflows-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "argo-workflows/argo-workflows-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="argo-workflows",pod=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: argo-workflows - cnpg_cluster: argo-workflows-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "argo-workflows/argo-workflows-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="argo-workflows", pod=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: argo-workflows - cnpg_cluster: argo-workflows-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: argo-workflows - cnpg_cluster: argo-workflows-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "argo-workflows/argo-workflows-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="argo-workflows", persistentvolumeclaim=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="argo-workflows", persistentvolumeclaim=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="argo-workflows", persistentvolumeclaim=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="argo-workflows", persistentvolumeclaim=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="argo-workflows", persistentvolumeclaim=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="argo-workflows", persistentvolumeclaim=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: argo-workflows - cnpg_cluster: argo-workflows-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "argo-workflows/argo-workflows-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="argo-workflows", persistentvolumeclaim=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="argo-workflows", persistentvolumeclaim=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="argo-workflows", persistentvolumeclaim=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="argo-workflows", persistentvolumeclaim=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="argo-workflows", persistentvolumeclaim=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="argo-workflows", persistentvolumeclaim=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: argo-workflows - cnpg_cluster: argo-workflows-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "argo-workflows/argo-workflows-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="argo-workflows",pod=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: argo-workflows - cnpg_cluster: argo-workflows-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: argo-workflows - cnpg_cluster: argo-workflows-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: argo-workflows - cnpg_cluster: argo-workflows-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: argo-workflows - cnpg_cluster: argo-workflows-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "argo-workflows/argo-workflows-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="argo-workflows", pod=~"argo-workflows-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: argo-workflows - cnpg_cluster: argo-workflows-postgresql-17-cluster ---- -# Source: argo-workflows/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "argo-workflows-postgresql-17-daily-backup-scheduled-backup" - namespace: argo-workflows - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: argo-workflows-postgresql-17 - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/part-of: argo-workflows - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: argo-workflows-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "argo-workflows-postgresql-17-external-backup" ---- -# Source: argo-workflows/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "argo-workflows-postgresql-17-live-backup-scheduled-backup" - namespace: argo-workflows - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: argo-workflows-postgresql-17 - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/part-of: argo-workflows - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: 
argo-workflows-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "argo-workflows-postgresql-17-garage-local-backup" ---- -# Source: argo-workflows/charts/argo-events/templates/argo-events-controller/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: argo-workflows-argo-events-controller-manager - namespace: "argo-workflows" - labels: - helm.sh/chart: argo-events-2.4.18 - app.kubernetes.io/name: argo-events-controller-manager - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: controller-manager - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argo-events -spec: - endpoints: - - port: metrics - interval: 30s - path: /metrics - namespaceSelector: - matchNames: - - "argo-workflows" - selector: - matchLabels: - app.kubernetes.io/name: argo-events-controller-manager-metrics - app.kubernetes.io/instance: argo-workflows - app.kubernetes.io/component: controller-manager diff --git a/clusters/cl01tl/manifests/argocd/argocd.yaml b/clusters/cl01tl/manifests/argocd/argocd.yaml deleted file mode 100644 index 570a65845..000000000 --- a/clusters/cl01tl/manifests/argocd/argocd.yaml +++ /dev/null 
@@ -1,29366 +0,0 @@ ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argocd-redis-ha - namespace: "argocd" - labels: - heritage: Helm - release: argocd - chart: redis-ha-4.34.11 - app: argocd-redis-ha ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-haproxy-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argocd-redis-ha-haproxy - namespace: "argocd" - labels: - heritage: Helm - release: argocd - chart: redis-ha-4.34.11 - app: argocd-redis-ha ---- -# Source: argocd/charts/argo-cd/templates/argocd-application-controller/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: argocd-application-controller - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: application-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" ---- -# Source: argocd/charts/argo-cd/templates/argocd-applicationset/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: argocd-applicationset-controller - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-applicationset-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: applicationset-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" ---- -# Source: argocd/charts/argo-cd/templates/argocd-notifications/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: argocd-notifications-controller - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: 
argocd-notifications-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: notifications-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" ---- -# Source: argocd/charts/argo-cd/templates/argocd-repo-server/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: argocd-repo-server - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-repo-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: repo-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" ---- -# Source: argocd/charts/argo-cd/templates/argocd-server/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: argocd-server - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" ---- -# Source: argocd/charts/argo-cd/templates/dex/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: argocd-dex-server - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: dex-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" ---- -# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: argocd-secret - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-secret - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: 
server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -type: Opaque ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: argocd-redis-ha-configmap - namespace: "argocd" - labels: - heritage: Helm - release: argocd - chart: redis-ha-4.34.11 - app: argocd-redis-ha -data: - redis.conf: | - dir "/data" - port 6379 - rename-command FLUSHDB "" - rename-command FLUSHALL "" - maxmemory 0 - maxmemory-policy volatile-lru - min-replicas-max-lag 5 - min-replicas-to-write 1 - rdbchecksum yes - rdbcompression yes - repl-diskless-sync yes - save "" - - sentinel.conf: | - dir "/data" - port 26379 - sentinel down-after-milliseconds argocd 10000 - sentinel failover-timeout argocd 180000 - maxclients 10000 - sentinel parallel-syncs argocd 5 - - init.sh: | - echo "$(date) Start..." - HOSTNAME="$(hostname)" - INDEX="${HOSTNAME##*-}" - SENTINEL_PORT=26379 - ANNOUNCE_IP='' - MASTER='' - MASTER_GROUP="argocd" - QUORUM="2" - REDIS_CONF=/data/conf/redis.conf - REDIS_PORT=6379 - REDIS_TLS_PORT= - SENTINEL_CONF=/data/conf/sentinel.conf - SENTINEL_TLS_PORT= - SERVICE=argocd-redis-ha - SENTINEL_TLS_REPLICATION_ENABLED=false - REDIS_TLS_REPLICATION_ENABLED=false - - set -eu - sentinel_get_master() { - set +e - if [ "$SENTINEL_PORT" -eq 0 ]; then - redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\ - grep -E 
'((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))' - else - redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel get-master-addr-by-name "${MASTER_GROUP}" |\ - grep -E 
'((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))' - fi - set -e - } - - sentinel_get_master_retry() { - master='' - retry=${1} - sleep=3 - for i in $(seq 1 "${retry}"); do - master=$(sentinel_get_master) - if [ -n "${master}" ]; then - break - fi - sleep $((sleep + i)) - done - echo "${master}" - } - - identify_master() { - echo "Identifying redis master (get-master-addr-by-name).." - echo " using sentinel (argocd-redis-ha), sentinel group name (argocd)" - MASTER="$(sentinel_get_master_retry 3)" - if [ -n "${MASTER}" ]; then - echo " $(date) Found redis master (${MASTER})" - else - echo " $(date) Did not find redis master (${MASTER})" - fi - } - - sentinel_update() { - echo "Updating sentinel config.." 
- echo " evaluating sentinel id (\${SENTINEL_ID_${INDEX}})" - eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}" - echo " sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})" - sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}" - if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then - echo " redis master (${1}:${REDIS_TLS_PORT})" - sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_TLS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}" - else - echo " redis master (${1}:${REDIS_PORT})" - sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}" - fi - echo "sentinel announce-ip ${ANNOUNCE_IP}" >> ${SENTINEL_CONF} - if [ "$SENTINEL_PORT" -eq 0 ]; then - echo " announce (${ANNOUNCE_IP}:${SENTINEL_TLS_PORT})" - echo "sentinel announce-port ${SENTINEL_TLS_PORT}" >> ${SENTINEL_CONF} - else - echo " announce (${ANNOUNCE_IP}:${SENTINEL_PORT})" - echo "sentinel announce-port ${SENTINEL_PORT}" >> ${SENTINEL_CONF} - fi - } - - redis_update() { - echo "Updating redis config.." - if [ "$REDIS_TLS_REPLICATION_ENABLED" = true ]; then - echo " we are slave of redis master (${1}:${REDIS_TLS_PORT})" - echo "slaveof ${1} ${REDIS_TLS_PORT}" >> "${REDIS_CONF}" - echo "slave-announce-port ${REDIS_TLS_PORT}" >> ${REDIS_CONF} - else - echo " we are slave of redis master (${1}:${REDIS_PORT})" - echo "slaveof ${1} ${REDIS_PORT}" >> "${REDIS_CONF}" - echo "slave-announce-port ${REDIS_PORT}" >> ${REDIS_CONF} - fi - echo "slave-announce-ip ${ANNOUNCE_IP}" >> ${REDIS_CONF} - } - - copy_config() { - echo "Copying default redis config.." - echo " to '${REDIS_CONF}'" - cp /readonly-config/redis.conf "${REDIS_CONF}" - echo "Copying default sentinel config.." - echo " to '${SENTINEL_CONF}'" - cp /readonly-config/sentinel.conf "${SENTINEL_CONF}" - } - - setup_defaults() { - echo "Setting up defaults.." 
- echo " using statefulset index (${INDEX})" - if [ "${INDEX}" = "0" ]; then - echo "Setting this pod as master for redis and sentinel.." - echo " using announce (${ANNOUNCE_IP})" - redis_update "${ANNOUNCE_IP}" - sentinel_update "${ANNOUNCE_IP}" - echo " make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)" - sed -i "s/^.*slaveof.*//" "${REDIS_CONF}" - else - echo "Getting redis master ip.." - echo " blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master" - DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')" - if [ -z "${DEFAULT_MASTER}" ]; then - echo "Error: Unable to resolve redis master (getent hosts)." - exit 1 - fi - echo " identified redis (may be redis master) ip (${DEFAULT_MASTER})" - echo "Setting default slave config for redis and sentinel.." - echo " using master ip (${DEFAULT_MASTER})" - redis_update "${DEFAULT_MASTER}" - sentinel_update "${DEFAULT_MASTER}" - fi - } - - redis_ping() { - set +e - if [ "$REDIS_PORT" -eq 0 ]; then - redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping - else - redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping - fi - set -e - } - - redis_ping_retry() { - ping='' - retry=${1} - sleep=3 - for i in $(seq 1 "${retry}"); do - if [ "$(redis_ping)" = "PONG" ]; then - ping='PONG' - break - fi - sleep $((sleep + i)) - MASTER=$(sentinel_get_master) - done - echo "${ping}" - } - - find_master() { - echo "Verifying redis master.." - if [ "$REDIS_PORT" -eq 0 ]; then - echo " ping (${MASTER}:${REDIS_TLS_PORT})" - else - echo " ping (${MASTER}:${REDIS_PORT})" - fi - if [ "$(redis_ping_retry 3)" != "PONG" ]; then - echo " $(date) Can't ping redis master (${MASTER})" - echo "Attempting to force failover (sentinel failover).." 
- - if [ "$SENTINEL_PORT" -eq 0 ]; then - echo " on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})" - if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then - echo " $(date) Failover returned with 'NOGOODSLAVE'" - echo "Setting defaults for this pod.." - setup_defaults - return 0 - fi - else - echo " on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})" - if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then - echo " $(date) Failover returned with 'NOGOODSLAVE'" - echo "Setting defaults for this pod.." - setup_defaults - return 0 - fi - fi - - echo "Hold on for 10sec" - sleep 10 - echo "We should get redis master's ip now. Asking (get-master-addr-by-name).." - if [ "$SENTINEL_PORT" -eq 0 ]; then - echo " sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})" - else - echo " sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})" - fi - MASTER="$(sentinel_get_master)" - if [ "${MASTER}" ]; then - echo " $(date) Found redis master (${MASTER})" - echo "Updating redis and sentinel config.." - sentinel_update "${MASTER}" - redis_update "${MASTER}" - else - echo "$(date) Error: Could not failover, exiting..." - exit 1 - fi - else - echo " $(date) Found reachable redis master (${MASTER})" - echo "Updating redis and sentinel config.." - sentinel_update "${MASTER}" - redis_update "${MASTER}" - fi - } - - redis_ro_update() { - echo "Updating read-only redis config.." - echo " redis.conf set 'replica-priority 0'" - echo "replica-priority 0" >> ${REDIS_CONF} - } - - getent_hosts() { - index=${1:-${INDEX}} - service="${SERVICE}-announce-${index}" - host=$(getent hosts "${service}") - echo "${host}" - } - - identify_announce_ip() { - echo "Identify announce ip for this pod.." 
- echo " using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})" - ANNOUNCE_IP=$(getent_hosts | awk '{ print $1 }') - echo " identified announce (${ANNOUNCE_IP})" - } - - mkdir -p /data/conf/ - - echo "Initializing config.." - copy_config - - # where is redis master - identify_master - - identify_announce_ip - - if [ -z "${ANNOUNCE_IP}" ]; then - "Error: Could not resolve the announce ip for this pod" - exit 1 - elif [ "${MASTER}" ]; then - find_master - else - setup_defaults - fi - - if [ "${AUTH:-}" ]; then - echo "Setting redis auth values.." - ESCAPED_AUTH=$(echo "${AUTH}" | sed -e 's/[\/&]/\\&/g'); - sed -i "s/replace-default-auth/${ESCAPED_AUTH}/" "${REDIS_CONF}" "${SENTINEL_CONF}" - fi - - if [ "${SENTINELAUTH:-}" ]; then - echo "Setting sentinel auth values" - ESCAPED_AUTH_SENTINEL=$(echo "$SENTINELAUTH" | sed -e 's/[\/&]/\\&/g'); - sed -i "s/replace-default-sentinel-auth/${ESCAPED_AUTH_SENTINEL}/" "$SENTINEL_CONF" - fi - - echo "$(date) Ready..." - - fix-split-brain.sh: | - HOSTNAME="$(hostname)" - INDEX="${HOSTNAME##*-}" - SENTINEL_PORT=26379 - ANNOUNCE_IP='' - MASTER='' - MASTER_GROUP="argocd" - QUORUM="2" - REDIS_CONF=/data/conf/redis.conf - REDIS_PORT=6379 - REDIS_TLS_PORT= - SENTINEL_CONF=/data/conf/sentinel.conf - SENTINEL_TLS_PORT= - SERVICE=argocd-redis-ha - SENTINEL_TLS_REPLICATION_ENABLED=false - REDIS_TLS_REPLICATION_ENABLED=false - - ROLE='' - REDIS_MASTER='' - - set -eu - sentinel_get_master() { - set +e - if [ "$SENTINEL_PORT" -eq 0 ]; then - redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\ - grep -E 
'((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))' - else - redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel get-master-addr-by-name "${MASTER_GROUP}" |\ - grep -E 
'((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))' - fi - set -e - } - - sentinel_get_master_retry() { - master='' - retry=${1} - sleep=3 - for i in $(seq 1 "${retry}"); do - master=$(sentinel_get_master) - if [ -n "${master}" ]; then - break - fi - sleep $((sleep + i)) - done - echo "${master}" - } - - identify_master() { - echo "Identifying redis master (get-master-addr-by-name).." - echo " using sentinel (argocd-redis-ha), sentinel group name (argocd)" - MASTER="$(sentinel_get_master_retry 3)" - if [ -n "${MASTER}" ]; then - echo " $(date) Found redis master (${MASTER})" - else - echo " $(date) Did not find redis master (${MASTER})" - fi - } - - sentinel_update() { - echo "Updating sentinel config.." 
- echo " evaluating sentinel id (\${SENTINEL_ID_${INDEX}})" - eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}" - echo " sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})" - sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}" - if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then - echo " redis master (${1}:${REDIS_TLS_PORT})" - sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_TLS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}" - else - echo " redis master (${1}:${REDIS_PORT})" - sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}" - fi - echo "sentinel announce-ip ${ANNOUNCE_IP}" >> ${SENTINEL_CONF} - if [ "$SENTINEL_PORT" -eq 0 ]; then - echo " announce (${ANNOUNCE_IP}:${SENTINEL_TLS_PORT})" - echo "sentinel announce-port ${SENTINEL_TLS_PORT}" >> ${SENTINEL_CONF} - else - echo " announce (${ANNOUNCE_IP}:${SENTINEL_PORT})" - echo "sentinel announce-port ${SENTINEL_PORT}" >> ${SENTINEL_CONF} - fi - } - - redis_update() { - echo "Updating redis config.." - if [ "$REDIS_TLS_REPLICATION_ENABLED" = true ]; then - echo " we are slave of redis master (${1}:${REDIS_TLS_PORT})" - echo "slaveof ${1} ${REDIS_TLS_PORT}" >> "${REDIS_CONF}" - echo "slave-announce-port ${REDIS_TLS_PORT}" >> ${REDIS_CONF} - else - echo " we are slave of redis master (${1}:${REDIS_PORT})" - echo "slaveof ${1} ${REDIS_PORT}" >> "${REDIS_CONF}" - echo "slave-announce-port ${REDIS_PORT}" >> ${REDIS_CONF} - fi - echo "slave-announce-ip ${ANNOUNCE_IP}" >> ${REDIS_CONF} - } - - copy_config() { - echo "Copying default redis config.." - echo " to '${REDIS_CONF}'" - cp /readonly-config/redis.conf "${REDIS_CONF}" - echo "Copying default sentinel config.." - echo " to '${SENTINEL_CONF}'" - cp /readonly-config/sentinel.conf "${SENTINEL_CONF}" - } - - setup_defaults() { - echo "Setting up defaults.." 
- echo " using statefulset index (${INDEX})" - if [ "${INDEX}" = "0" ]; then - echo "Setting this pod as master for redis and sentinel.." - echo " using announce (${ANNOUNCE_IP})" - redis_update "${ANNOUNCE_IP}" - sentinel_update "${ANNOUNCE_IP}" - echo " make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)" - sed -i "s/^.*slaveof.*//" "${REDIS_CONF}" - else - echo "Getting redis master ip.." - echo " blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master" - DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')" - if [ -z "${DEFAULT_MASTER}" ]; then - echo "Error: Unable to resolve redis master (getent hosts)." - exit 1 - fi - echo " identified redis (may be redis master) ip (${DEFAULT_MASTER})" - echo "Setting default slave config for redis and sentinel.." - echo " using master ip (${DEFAULT_MASTER})" - redis_update "${DEFAULT_MASTER}" - sentinel_update "${DEFAULT_MASTER}" - fi - } - - redis_ping() { - set +e - if [ "$REDIS_PORT" -eq 0 ]; then - redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping - else - redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping - fi - set -e - } - - redis_ping_retry() { - ping='' - retry=${1} - sleep=3 - for i in $(seq 1 "${retry}"); do - if [ "$(redis_ping)" = "PONG" ]; then - ping='PONG' - break - fi - sleep $((sleep + i)) - MASTER=$(sentinel_get_master) - done - echo "${ping}" - } - - find_master() { - echo "Verifying redis master.." - if [ "$REDIS_PORT" -eq 0 ]; then - echo " ping (${MASTER}:${REDIS_TLS_PORT})" - else - echo " ping (${MASTER}:${REDIS_PORT})" - fi - if [ "$(redis_ping_retry 3)" != "PONG" ]; then - echo " $(date) Can't ping redis master (${MASTER})" - echo "Attempting to force failover (sentinel failover).." 
- - if [ "$SENTINEL_PORT" -eq 0 ]; then - echo " on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})" - if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then - echo " $(date) Failover returned with 'NOGOODSLAVE'" - echo "Setting defaults for this pod.." - setup_defaults - return 0 - fi - else - echo " on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})" - if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then - echo " $(date) Failover returned with 'NOGOODSLAVE'" - echo "Setting defaults for this pod.." - setup_defaults - return 0 - fi - fi - - echo "Hold on for 10sec" - sleep 10 - echo "We should get redis master's ip now. Asking (get-master-addr-by-name).." - if [ "$SENTINEL_PORT" -eq 0 ]; then - echo " sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})" - else - echo " sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})" - fi - MASTER="$(sentinel_get_master)" - if [ "${MASTER}" ]; then - echo " $(date) Found redis master (${MASTER})" - echo "Updating redis and sentinel config.." - sentinel_update "${MASTER}" - redis_update "${MASTER}" - else - echo "$(date) Error: Could not failover, exiting..." - exit 1 - fi - else - echo " $(date) Found reachable redis master (${MASTER})" - echo "Updating redis and sentinel config.." - sentinel_update "${MASTER}" - redis_update "${MASTER}" - fi - } - - redis_ro_update() { - echo "Updating read-only redis config.." - echo " redis.conf set 'replica-priority 0'" - echo "replica-priority 0" >> ${REDIS_CONF} - } - - getent_hosts() { - index=${1:-${INDEX}} - service="${SERVICE}-announce-${index}" - host=$(getent hosts "${service}") - echo "${host}" - } - - identify_announce_ip() { - echo "Identify announce ip for this pod.." 
- echo " using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})" - ANNOUNCE_IP=$(getent_hosts | awk '{ print $1 }') - echo " identified announce (${ANNOUNCE_IP})" - } - - redis_role() { - set +e - if [ "$REDIS_PORT" -eq 0 ]; then - ROLE=$(redis-cli -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//') - else - ROLE=$(redis-cli -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//') - fi - set -e - } - - identify_redis_master() { - set +e - if [ "$REDIS_PORT" -eq 0 ]; then - REDIS_MASTER=$(redis-cli -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//') - else - REDIS_MASTER=$(redis-cli -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//') - fi - set -e - } - - reinit() { - set +e - sh /readonly-config/init.sh - - if [ "$REDIS_PORT" -eq 0 ]; then - echo "shutdown" | redis-cli -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key - else - echo "shutdown" | redis-cli -p "${REDIS_PORT}" - fi - set -e - } - - identify_announce_ip - - while [ -z "${ANNOUNCE_IP}" ]; do - echo "Error: Could not resolve the announce ip for this pod." - sleep 30 - identify_announce_ip - done - - trap "exit 0" TERM - while true; do - sleep 60 - - # where is redis master - identify_master - - if [ "$MASTER" = "$ANNOUNCE_IP" ]; then - redis_role - if [ "$ROLE" != "master" ]; then - echo "waiting for redis to become master" - sleep 10 - identify_master - redis_role - echo "Redis role is $ROLE, expected role is master. No need to reinitialize." 
- if [ "$ROLE" != "master" ]; then - echo "Redis role is $ROLE, expected role is master, reinitializing" - reinit - fi - fi - elif [ "${MASTER}" ]; then - identify_redis_master - if [ "$REDIS_MASTER" != "$MASTER" ]; then - echo "Redis master and local master are not the same. waiting." - sleep 10 - identify_master - identify_redis_master - echo "Redis master is ${MASTER}, expected master is ${REDIS_MASTER}. No need to reinitialize." - if [ "${REDIS_MASTER}" != "${MASTER}" ]; then - echo "Redis master is ${MASTER}, expected master is ${REDIS_MASTER}, reinitializing" - reinit - fi - fi - fi - done - - - haproxy.cfg: | - defaults REDIS - mode tcp - timeout connect 4s - timeout server 330s - timeout client 330s - timeout check 2s - - listen health_check_http_url - bind [::]:8888 v4v6 - mode http - monitor-uri /healthz - option dontlognull - # Check Sentinel and whether they are nominated master - backend check_if_redis_is_master_0 - mode tcp - option tcp-check - tcp-check connect - tcp-check send PING\r\n - tcp-check expect string +PONG - tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n - tcp-check expect string REPLACE_ANNOUNCE0 - tcp-check send QUIT\r\n - server R0 argocd-redis-ha-announce-0:26379 check inter 1s - server R1 argocd-redis-ha-announce-1:26379 check inter 1s - server R2 argocd-redis-ha-announce-2:26379 check inter 1s - # Check Sentinel and whether they are nominated master - backend check_if_redis_is_master_1 - mode tcp - option tcp-check - tcp-check connect - tcp-check send PING\r\n - tcp-check expect string +PONG - tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n - tcp-check expect string REPLACE_ANNOUNCE1 - tcp-check send QUIT\r\n - server R0 argocd-redis-ha-announce-0:26379 check inter 1s - server R1 argocd-redis-ha-announce-1:26379 check inter 1s - server R2 argocd-redis-ha-announce-2:26379 check inter 1s - # Check Sentinel and whether they are nominated master - backend check_if_redis_is_master_2 - mode tcp - option 
tcp-check - tcp-check connect - tcp-check send PING\r\n - tcp-check expect string +PONG - tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n - tcp-check expect string REPLACE_ANNOUNCE2 - tcp-check send QUIT\r\n - server R0 argocd-redis-ha-announce-0:26379 check inter 1s - server R1 argocd-redis-ha-announce-1:26379 check inter 1s - server R2 argocd-redis-ha-announce-2:26379 check inter 1s - - # decide redis backend to use - #master - frontend ft_redis_master - bind [::]:6379 v4v6 - use_backend bk_redis_master - # Check all redis servers to see if they think they are master - backend bk_redis_master - mode tcp - option tcp-check - tcp-check connect - tcp-check send PING\r\n - tcp-check expect string +PONG - tcp-check send info\ replication\r\n - tcp-check expect string role:master - tcp-check send QUIT\r\n - tcp-check expect string +OK - use-server R0 if { srv_is_up(R0) } { nbsrv(check_if_redis_is_master_0) ge 2 } - server R0 argocd-redis-ha-announce-0:6379 check inter 1s fall 1 rise 1 - use-server R1 if { srv_is_up(R1) } { nbsrv(check_if_redis_is_master_1) ge 2 } - server R1 argocd-redis-ha-announce-1:6379 check inter 1s fall 1 rise 1 - use-server R2 if { srv_is_up(R2) } { nbsrv(check_if_redis_is_master_2) ge 2 } - server R2 argocd-redis-ha-announce-2:6379 check inter 1s fall 1 rise 1 - frontend stats - mode http - bind [::]:9101 v4v6 - http-request use-service prometheus-exporter if { path /metrics } - stats enable - stats uri /stats - stats refresh 10s - haproxy_init.sh: | - HAPROXY_CONF=/data/haproxy.cfg - cp /readonly/haproxy.cfg "$HAPROXY_CONF" - for loop in $(seq 1 10); do - getent hosts argocd-redis-ha-announce-0 && break - echo "Waiting for service argocd-redis-ha-announce-0 to be ready ($loop) ..." 
&& sleep 1 - done - ANNOUNCE_IP0=$(getent hosts "argocd-redis-ha-announce-0" | awk '{ print $1 }') - if [ -z "$ANNOUNCE_IP0" ]; then - echo "Could not resolve the announce ip for argocd-redis-ha-announce-0" - exit 1 - fi - sed -i "s/REPLACE_ANNOUNCE0/$ANNOUNCE_IP0/" "$HAPROXY_CONF" - for loop in $(seq 1 10); do - getent hosts argocd-redis-ha-announce-1 && break - echo "Waiting for service argocd-redis-ha-announce-1 to be ready ($loop) ..." && sleep 1 - done - ANNOUNCE_IP1=$(getent hosts "argocd-redis-ha-announce-1" | awk '{ print $1 }') - if [ -z "$ANNOUNCE_IP1" ]; then - echo "Could not resolve the announce ip for argocd-redis-ha-announce-1" - exit 1 - fi - sed -i "s/REPLACE_ANNOUNCE1/$ANNOUNCE_IP1/" "$HAPROXY_CONF" - for loop in $(seq 1 10); do - getent hosts argocd-redis-ha-announce-2 && break - echo "Waiting for service argocd-redis-ha-announce-2 to be ready ($loop) ..." && sleep 1 - done - ANNOUNCE_IP2=$(getent hosts "argocd-redis-ha-announce-2" | awk '{ print $1 }') - if [ -z "$ANNOUNCE_IP2" ]; then - echo "Could not resolve the announce ip for argocd-redis-ha-announce-2" - exit 1 - fi - sed -i "s/REPLACE_ANNOUNCE2/$ANNOUNCE_IP2/" "$HAPROXY_CONF" - trigger-failover-if-master.sh: | - get_redis_role() { - is_master=$( - redis-cli \ - -h localhost \ - -p 6379 \ - info | grep -c 'role:master' || true - ) - } - get_redis_role - if [[ "$is_master" -eq 1 ]]; then - echo "This node is currently master, we trigger a failover." 
- response=$( - redis-cli \ - -h localhost \ - -p 26379 \ - SENTINEL failover argocd - ) - if [[ "$response" != "OK" ]] ; then - echo "$response" - exit 1 - fi - timeout=30 - while [[ "$is_master" -eq 1 && $timeout -gt 0 ]]; do - sleep 1 - get_redis_role - timeout=$((timeout - 1)) - done - echo "Failover successful" - fi ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-health-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: argocd-redis-ha-health-configmap - namespace: "argocd" - labels: - heritage: Helm - release: argocd - chart: redis-ha-4.34.11 - app: argocd-redis-ha -data: - redis_liveness.sh: | - response=$( - redis-cli \ - -h localhost \ - -p 6379 \ - ping - ) - echo "response=$response" - case $response in - PONG|LOADING*) ;; - *) exit 1 ;; - esac - exit 0 - redis_readiness.sh: | - response=$( - redis-cli \ - -h localhost \ - -p 6379 \ - ping - ) - if [ "$response" != "PONG" ] ; then - echo "ping=$response" - exit 1 - fi - - response=$( - redis-cli \ - -h localhost \ - -p 6379 \ - role - ) - role=$( echo "$response" | sed "1!d" ) - if [ "$role" = "master" ]; then - echo "role=$role" - exit 0 - elif [ "$role" = "slave" ]; then - repl=$( echo "$response" | sed "4!d" ) - echo "role=$role; repl=$repl" - if [ "$repl" = "connected" ]; then - exit 0 - else - exit 1 - fi - else - echo "role=$role" - exit 1 - fi - sentinel_liveness.sh: | - response=$( - redis-cli \ - -h localhost \ - -p 26379 \ - ping - ) - if [ "$response" != "PONG" ]; then - echo "$response" - exit 1 - fi - echo "response=$response" ---- -# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: argocd-cm - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-cm - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -data: - 
admin.enabled: "true" - application.instanceLabelKey: argocd.argoproj.io/instance - application.sync.impersonation.enabled: "false" - dex.config: | - connectors: - - config: - issuer: https://authentik.alexlebens.net/application/o/argocd/ - clientID: $argocd-oidc-secret:client - clientSecret: $argocd-oidc-secret:secret - insecureEnableGroups: true - scopes: - - openid - - profile - - email - name: authentik - type: oidc - id: authentik - exec.enabled: "false" - resource.customizations.ignoreResourceUpdates.ConfigMap: | - jqPathExpressions: - # Ignore the cluster-autoscaler status - - '.metadata.annotations."cluster-autoscaler.kubernetes.io/last-updated"' - # Ignore the annotation of the legacy Leases election - - '.metadata.annotations."control-plane.alpha.kubernetes.io/leader"' - resource.customizations.ignoreResourceUpdates.Endpoints: | - jsonPointers: - - /metadata - - /subsets - resource.customizations.ignoreResourceUpdates.all: | - jsonPointers: - - /status - resource.customizations.ignoreResourceUpdates.apps_ReplicaSet: | - jqPathExpressions: - - '.metadata.annotations."deployment.kubernetes.io/desired-replicas"' - - '.metadata.annotations."deployment.kubernetes.io/max-replicas"' - - '.metadata.annotations."rollout.argoproj.io/desired-replicas"' - resource.customizations.ignoreResourceUpdates.argoproj.io_Application: | - jqPathExpressions: - - '.metadata.annotations."notified.notifications.argoproj.io"' - - '.metadata.annotations."argocd.argoproj.io/refresh"' - - '.metadata.annotations."argocd.argoproj.io/hydrate"' - - '.operation' - resource.customizations.ignoreResourceUpdates.argoproj.io_Rollout: | - jqPathExpressions: - - '.metadata.annotations."notified.notifications.argoproj.io"' - resource.customizations.ignoreResourceUpdates.autoscaling_HorizontalPodAutoscaler: | - jqPathExpressions: - - '.metadata.annotations."autoscaling.alpha.kubernetes.io/behavior"' - - '.metadata.annotations."autoscaling.alpha.kubernetes.io/conditions"' - - 
'.metadata.annotations."autoscaling.alpha.kubernetes.io/metrics"' - - '.metadata.annotations."autoscaling.alpha.kubernetes.io/current-metrics"' - resource.customizations.ignoreResourceUpdates.discovery.k8s.io_EndpointSlice: | - jsonPointers: - - /metadata - - /endpoints - - /ports - resource.exclusions: | - ### Network resources created by the Kubernetes control plane and excluded to reduce the number of watched events and UI clutter - - apiGroups: - - '' - - discovery.k8s.io - kinds: - - Endpoints - - EndpointSlice - ### Internal Kubernetes resources excluded reduce the number of watched events - - apiGroups: - - coordination.k8s.io - kinds: - - Lease - ### Internal Kubernetes Authz/Authn resources excluded reduce the number of watched events - - apiGroups: - - authentication.k8s.io - - authorization.k8s.io - kinds: - - SelfSubjectReview - - TokenReview - - LocalSubjectAccessReview - - SelfSubjectAccessReview - - SelfSubjectRulesReview - - SubjectAccessReview - ### Intermediate Certificate Request excluded reduce the number of watched events - - apiGroups: - - certificates.k8s.io - kinds: - - CertificateSigningRequest - - apiGroups: - - cert-manager.io - kinds: - - CertificateRequest - ### Cilium internal resources excluded reduce the number of watched events and UI Clutter - - apiGroups: - - cilium.io - kinds: - - CiliumIdentity - - CiliumEndpoint - - CiliumEndpointSlice - ### Kyverno intermediate and reporting resources excluded reduce the number of watched events and improve performance - - apiGroups: - - kyverno.io - - reports.kyverno.io - - wgpolicyk8s.io - kinds: - - PolicyReport - - ClusterPolicyReport - - EphemeralReport - - ClusterEphemeralReport - - AdmissionReport - - ClusterAdmissionReport - - BackgroundScanReport - - ClusterBackgroundScanReport - - UpdateRequest - statusbadge.enabled: "true" - statusbadge.url: https://argocd.alexlebens.net/ - timeout.hard.reconciliation: 0s - timeout.reconciliation: 100s - timeout.reconciliation.jitter: 60s - url: 
https://argocd.alexlebens.net ---- -# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-cmd-params-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: argocd-cmd-params-cm - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-cmd-params-cm - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -data: - applicationsetcontroller.enable.leader.election: "true" - applicationsetcontroller.log.format: text - applicationsetcontroller.log.level: info - commitserver.log.format: text - commitserver.log.level: info - controller.log.format: text - controller.log.level: info - dexserver.log.format: text - dexserver.log.level: info - notificationscontroller.log.format: text - notificationscontroller.log.level: info - redis.server: argocd-redis-ha-haproxy:6379 - repo.server: argocd-repo-server:8081 - reposerver.log.format: text - reposerver.log.level: info - server.dex.server: https://argocd-dex-server:5556 - server.dex.server.strict.tls: "false" - server.insecure: "true" - server.log.format: text - server.log.level: info - server.repo.server.strict.tls: "false" ---- -# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-cmp-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: argocd-cmp-cm - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-cmp-cm - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: repo-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -data: - cdk8s.yaml: | - apiVersion: argoproj.io/v1alpha1 - kind: ConfigManagementPlugin - metadata: - name: cdk8s - spec: - discover: - fileName: '*.go' - generate: - args: - - --stdout - command: - - cdk8s - - synth - init: - args: - - import - command: - - cdk8s ---- -# Source: 
argocd/charts/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: argocd-gpg-keys-cm - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-gpg-keys-cm - app.kubernetes.io/instance: argocd - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" ---- -# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-notifications-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: argocd-notifications-cm - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-notifications-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: notifications-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -data: - context: | - argocdUrl: https://argocd.example.com - argocdUrl: https://argocd.alexlebens.net - service.webhook.ntfy: | - url: http://ntfy.ntfy/ - headers: - - name: Authorization - value: Bearer $ntfy-token - subscriptions: | - - recipients: - - ntfy - triggers: - - on-created - - on-deleted - - on-deployed - - on-health-degraded - - on-sync-failed - - on-sync-running - - on-sync-status-unknown - - on-sync-succeeded - template.app-created: | - webhook: - ntfy: - method: POST - body: | - { - "topic": "argocd", - "message": "{{.app.metadata.name}} has been created.", - "title": "Created: {{.app.metadata.name}}", - "tags": ["building_construction"], - "priority": 4, - "click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}" - } - template.app-deleted: | - webhook: - ntfy: - method: POST - body: | - { - "topic": "argocd", - "message": "{{.app.metadata.name}} has been deleted", - "title": "Deleted: {{.app.metadata.name}}", - "tags": ["warning"], - "priority": 4, - "click": "{{.context.argocdUrl}}" - } - template.app-deployed: | - webhook: - ntfy: - method: POST - body: | 
- { - "topic": "argocd", - "message": "{{.app.metadata.name}} is now running new version of deployments manifests", - "title": "Deployed: {{.app.metadata.name}}", - "tags": ["+1"], - "priority": 3, - "click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}" - } - template.app-health-degraded: | - webhook: - ntfy: - method: POST - body: | - { - "topic": "argocd", - "message": "{{.app.metadata.name}} health has degraded", - "title": "Degraded: {{.app.metadata.name}}", - "tags": ["rotating_light"], - "priority": 4, - "click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}" - } - template.app-sync-failed: | - webhook: - ntfy: - method: POST - body: | - { - "topic": "argocd", - "message": "{{.app.metadata.name}} sync has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}}", - "title": "Sync Failed: {{.app.metadata.name}}", - "tags": ["rotating_light"], - "priority": 4, - "click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true" - } - template.app-sync-running: | - webhook: - ntfy: - method: POST - body: | - { - "topic": "argocd", - "message": "{{.app.metadata.name}} sync has started at {{.app.status.operationState.startedAt}}", - "title": "Sync Running: {{.app.metadata.name}}", - "tags": ["runner"], - "priority": 3, - "click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true" - } - template.app-sync-status-unknown: | - webhook: - ntfy: - method: POST - body: | - { - "topic": "argocd", - "message": "{{.app.metadata.name}} sync status is unknown", - "title": "Sync Unknown: {{.app.metadata.name}}", - "tags": ["question"], - "priority": 3, - "click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}" - } - template.app-sync-succeeded: | - webhook: - ntfy: - method: POST - body: | - { - "topic": "argocd", - "message": "{{.app.metadata.name}} has been successfully synced at 
{{.app.status.operationState.finishedAt}}", - "title": "Sync Succeeded: {{.app.metadata.name}}", - "tags": ["+1"], - "priority": 3, - "click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true" - } - trigger.on-created: | - - description: Application {{.app.metadata.name}} has been created. - oncePer: app.metadata.name - send: - - app-created - when: "true" - trigger.on-deleted: | - - description: Application {{.app.metadata.name}} has been deleted. - oncePer: app.metadata.name - send: - - app-deleted - when: app.metadata.deletionTimestamp != nil - trigger.on-deployed: | - - description: Application is synced and healthy. Triggered once per commit. - oncePer: app.status.operationState.syncResult.revision - send: - - app-deployed - when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy' - trigger.on-health-degraded: | - - description: Application has degraded - send: - - app-health-degraded - when: app.status.health.status == 'Degraded' and time.Now().Sub(time.Parse(app.status.health.lastTransitionTime).Minutes() >= 15 - trigger.on-sync-failed: | - - description: Application syncing has failed - send: - - app-sync-failed - when: app.status.operationState.phase in ['Error', 'Failed'] - trigger.on-sync-running: | - - description: Application is being synced - send: - - app-sync-running - when: app.status.operationState.phase in ['Running'] - trigger.on-sync-status-unknown: | - - description: Application status is 'Unknown' - send: - - app-sync-status-unknown - when: app.status.sync.status == 'Unknown' - trigger.on-sync-succeeded: | - - description: Application syncing has succeeded - send: - - app-sync-succeeded - when: app.status.operationState.phase in ['Succeeded'] ---- -# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: argocd-rbac-cm - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: 
argocd-rbac-cm - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -data: - policy.csv: | - g, ArgoCD Admins, role:admin - policy.default: "" - policy.matchMode: glob - scopes: '[groups]' ---- -# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: argocd-ssh-known-hosts-cm - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-ssh-known-hosts-cm - app.kubernetes.io/instance: argocd - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -data: - ssh_known_hosts: | - [ssh.github.com]:443 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= - [ssh.github.com]:443 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl - [ssh.github.com]:443 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk= - bitbucket.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIQmuzMBuKdWeF4+a2sjSSpBK0iqitSQ+5BM9KhpexuGt20JpTVM7u5BDZngncgrqDMbWdxMWWOGtZ9UgbqgZE= - bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO - bitbucket.org ssh-rsa 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 
- github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= - github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl - github.com ssh-rsa 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 - gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= - gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf - gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 - ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H - vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H ---- -# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: argocd-tls-certs-cm - namespace: argocd - 
labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-tls-certs-cm - app.kubernetes.io/instance: argocd - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" ---- -# Source: argocd/charts/argo-cd/templates/crds/crd-application.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app.kubernetes.io/name: applications.argoproj.io - app.kubernetes.io/part-of: argocd - name: applications.argoproj.io -spec: - group: argoproj.io - names: - kind: Application - listKind: ApplicationList - plural: applications - shortNames: - - app - - apps - singular: application - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.sync.status - name: Sync Status - type: string - - jsonPath: .status.health.status - name: Health Status - type: string - - jsonPath: .status.sync.revision - name: Revision - priority: 10 - type: string - - jsonPath: .spec.project - name: Project - priority: 10 - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: Application is a definition of Application resource. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - operation: - description: Operation contains information about a requested or running - operation - properties: - info: - description: Info is a list of informational items for this operation - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - initiatedBy: - description: InitiatedBy contains information about who initiated - the operations - properties: - automated: - description: Automated is set to true if operation was initiated - automatically by the application controller. - type: boolean - username: - description: Username contains the name of a user who started - operation - type: string - type: object - retry: - description: Retry controls the strategy to apply if a sync fails - properties: - backoff: - description: Backoff controls how to backoff on subsequent retries - of failed syncs - properties: - duration: - description: Duration is the amount to back off. Default unit - is seconds, but could also be a duration (e.g. "2m", "1h") - type: string - factor: - description: Factor is a factor to multiply the base duration - after each failed retry - format: int64 - type: integer - maxDuration: - description: MaxDuration is the maximum amount of time allowed - for the backoff strategy - type: string - type: object - limit: - description: Limit is the maximum number of attempts for retrying - a failed sync. If set to 0, no retries will be performed. 
- format: int64 - type: integer - refresh: - description: 'Refresh indicates if the latest revision should - be used on retry instead of the initial one (default: false)' - type: boolean - type: object - sync: - description: Sync contains parameters for the operation - properties: - autoHealAttemptsCount: - description: SelfHealAttemptsCount contains the number of auto-heal - attempts - format: int64 - type: integer - dryRun: - description: DryRun specifies to perform a `kubectl apply --dry-run` - without actually performing the sync - type: boolean - manifests: - description: Manifests is an optional field that overrides sync - source with a local directory for development - items: - type: string - type: array - prune: - description: Prune specifies to delete resources from the cluster - that are no longer tracked in git - type: boolean - resources: - description: Resources describes which resources shall be part - of the sync - items: - description: SyncOperationResource contains resources to sync. - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - required: - - kind - - name - type: object - type: array - revision: - description: |- - Revision is the revision (Git) or chart version (Helm) which to sync the application to - If omitted, will use the revision specified in app spec. - type: string - revisions: - description: |- - Revisions is the list of revision (Git) or chart version (Helm) which to sync each source in sources field for the application to - If omitted, will use the revision specified in app spec. - items: - type: string - type: array - source: - description: |- - Source overrides the source definition set in the application. - This is typically set in a Rollback operation and is nil during a Sync operation - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. 
- type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded from - being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included during - manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable to - be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level Arguments - items: - description: JsonnetVar represents a variable to - be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - fileParameters: - description: FileParameters are file parameters to the - helm template - items: - description: HelmFileParameter is a file parameter that's - passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally by - not appending them to helm template --values - type: boolean - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. - type: string - namespace: - description: Namespace is an optional namespace to template - with. If left empty, defaults to the app's destination - namespace. - type: string - parameters: - description: Parameters is a list of Helm parameters which - are passed to the helm template command upon manifest - generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to tell - Helm to interpret booleans and numbers as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all domains - (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to use. 
- If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - skipSchemaValidation: - description: SkipSchemaValidation skips JSON schema validation - (Helm's --skip-schema-validation) - type: boolean - skipTests: - description: SkipTests skips test manifest installation - step (Helm's --skip-tests). - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block. ValuesObject - takes precedence over Values, so use one or the other. - type: string - valuesObject: - description: ValuesObject specifies Helm values to be - passed to helm template, defined as a map. This takes - precedence over Values. - type: object - x-kubernetes-preserve-unknown-fields: true - version: - description: Version is the Helm version to use for templating - ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonAnnotationsEnvsubst: - description: CommonAnnotationsEnvsubst specifies whether - to apply env variables substitution for annotation values - type: boolean - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels - to add to rendered manifests - type: object - components: - description: Components specifies a list of kustomize - components to add to the kustomization before building - items: - type: string - type: array - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources for - Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to force - applying common labels to resources for Kustomize apps - type: boolean - ignoreMissingComponents: - description: IgnoreMissingComponents prevents kustomize - from failing when components do not exist locally by - not appending them to kustomization file - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize image - definition in the format [old_image_name=]: - type: string - type: array - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. 
- type: string - labelIncludeTemplates: - description: LabelIncludeTemplates specifies whether to - apply common labels to resource templates or not - type: boolean - labelWithoutSelector: - description: LabelWithoutSelector specifies whether to - apply common labels to resource selectors or not - type: boolean - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - namespace: - description: Namespace sets the namespace that Kustomize - adds to all resources - type: string - patches: - description: Patches is a list of Kustomize patches - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - description: Replicas is a list of Kustomize Replicas - override specifications - items: - properties: - count: - anyOf: - - type: integer - - type: string - description: Number of replicas - x-kubernetes-int-or-string: true - name: - description: Name of Deployment or StatefulSet - type: string - required: - - count - - name - type: object - type: array - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - name: - description: Name is used to refer to a source and is displayed - in the UI. It is used in multi-source Applications. - type: string - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. 
- type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, usually - expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array type - parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type parameter. - type: object - name: - description: Name is the name identifying a parameter. - type: string - string: - description: String_ is the value of a string type - parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within sources - field. This field will not be used if used with a `source` - tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git or - Helm) that contains the application manifests - type: string - targetRevision: - description: |- - TargetRevision defines the revision of the source to sync the application to. - In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. - In case of Helm, this is a semver tag for the Chart's version. - type: string - required: - - repoURL - type: object - sources: - description: |- - Sources overrides the source definition set in the application. 
- This is typically set in a Rollback operation and is nil during a Sync operation - items: - description: ApplicationSource contains all required information - about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded from - being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included during - manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. 
By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. - items: - type: string - type: array - fileParameters: - description: FileParameters are file parameters to the - helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally - by not appending them to helm template --values - type: boolean - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. - type: string - namespace: - description: Namespace is an optional namespace to template - with. If left empty, defaults to the app's destination - namespace. - type: string - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to - tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to - use. 
If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - skipSchemaValidation: - description: SkipSchemaValidation skips JSON schema - validation (Helm's --skip-schema-validation) - type: boolean - skipTests: - description: SkipTests skips test manifest installation - step (Helm's --skip-tests). - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block. ValuesObject - takes precedence over Values, so use one or the other. - type: string - valuesObject: - description: ValuesObject specifies Helm values to be - passed to helm template, defined as a map. This takes - precedence over Values. - type: object - x-kubernetes-preserve-unknown-fields: true - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonAnnotationsEnvsubst: - description: CommonAnnotationsEnvsubst specifies whether - to apply env variables substitution for annotation - values - type: boolean - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels - to add to rendered manifests - type: object - components: - description: Components specifies a list of kustomize - components to add to the kustomization before building - items: - type: string - type: array - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - ignoreMissingComponents: - description: IgnoreMissingComponents prevents kustomize - from failing when components do not exist locally - by not appending them to kustomization file - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. 
- type: string - labelIncludeTemplates: - description: LabelIncludeTemplates specifies whether - to apply common labels to resource templates or not - type: boolean - labelWithoutSelector: - description: LabelWithoutSelector specifies whether - to apply common labels to resource selectors or not - type: boolean - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - namespace: - description: Namespace sets the namespace that Kustomize - adds to all resources - type: string - patches: - description: Patches is a list of Kustomize patches - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - description: Replicas is a list of Kustomize Replicas - override specifications - items: - properties: - count: - anyOf: - - type: integer - - type: string - description: Number of replicas - x-kubernetes-int-or-string: true - name: - description: Name of Deployment or StatefulSet - type: string - required: - - count - - name - type: object - type: array - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - name: - description: Name is used to refer to a source and is displayed - in the UI. It is used in multi-source Applications. - type: string - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. 
- type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array type - parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type parameter. - type: object - name: - description: Name is the name identifying a parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within sources - field. This field will not be used if used with a `source` - tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git or - Helm) that contains the application manifests - type: string - targetRevision: - description: |- - TargetRevision defines the revision of the source to sync the application to. - In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. - In case of Helm, this is a semver tag for the Chart's version. - type: string - required: - - repoURL - type: object - type: array - syncOptions: - description: SyncOptions provide per-sync sync-options, e.g. Validate=false - items: - type: string - type: array - syncStrategy: - description: SyncStrategy describes how to perform the sync - properties: - apply: - description: Apply will perform a `kubectl apply` to perform - the sync. 
- properties: - force: - description: |- - Force indicates whether or not to supply the --force flag to `kubectl apply`. - The --force flag deletes and re-create the resource, when PATCH encounters conflict and has - retried for 5 times. - type: boolean - type: object - hook: - description: Hook will submit any referenced resources to - perform the sync. This is the default strategy - properties: - force: - description: |- - Force indicates whether or not to supply the --force flag to `kubectl apply`. - The --force flag deletes and re-create the resource, when PATCH encounters conflict and has - retried for 5 times. - type: boolean - type: object - type: object - type: object - type: object - spec: - description: ApplicationSpec represents desired application state. Contains - link to repository with application definition and additional parameters - link definition revision. - properties: - destination: - description: Destination is a reference to the target Kubernetes server - and namespace - properties: - name: - description: Name is an alternate way of specifying the target - cluster by its symbolic name. This must be set if Server is - not set. - type: string - namespace: - description: |- - Namespace specifies the target namespace for the application's resources. - The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace - type: string - server: - description: Server specifies the URL of the target cluster's - Kubernetes control plane API. This must be set if Name is not - set. - type: string - type: object - ignoreDifferences: - description: IgnoreDifferences is a list of resources and their fields - which should be ignored during comparison - items: - description: ResourceIgnoreDifferences contains resource filter - and list of json paths which should be ignored during comparison - with live state. 
- properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - description: |- - ManagedFieldsManagers is a list of trusted managers. Fields mutated by those managers will take precedence over the - desired state defined in the SCM and won't be displayed in diffs - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - description: Info contains a list of information (URLs, email addresses, - and plain text) that relates to the application - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - description: |- - Project is a reference to the project this application belongs to. - The empty string means that application belongs to the 'default' project. - type: string - revisionHistoryLimit: - description: |- - RevisionHistoryLimit limits the number of items kept in the application's revision history, which is used for informational purposes as well as for rollbacks to previous versions. - This should only be changed in exceptional circumstances. - Setting to zero will store no history. This will reduce storage used. - Increasing will increase the space used to store the history, so we do not recommend increasing it. - Default is 10. - format: int64 - type: integer - source: - description: Source is a reference to the location of the application's - manifests or chart - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. 
- type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match paths - against that should be explicitly excluded from being used - during manifest generation - type: string - include: - description: Include contains a glob pattern to match paths - against that should be explicitly included during manifest - generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External Variables - items: - description: JsonnetVar represents a variable to be - passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level Arguments - items: - description: JsonnetVar represents a variable to be - passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - fileParameters: - description: FileParameters are file parameters to the helm - template - items: - description: HelmFileParameter is a file parameter that's - passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally by not - appending them to helm template --values - type: boolean - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. - type: string - namespace: - description: Namespace is an optional namespace to template - with. If left empty, defaults to the app's destination namespace. - type: string - parameters: - description: Parameters is a list of Helm parameters which - are passed to the helm template command upon manifest generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to tell - Helm to interpret booleans and numbers as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all domains - (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to use. 
- If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition installation - step (Helm's --skip-crds) - type: boolean - skipSchemaValidation: - description: SkipSchemaValidation skips JSON schema validation - (Helm's --skip-schema-validation) - type: boolean - skipTests: - description: SkipTests skips test manifest installation step - (Helm's --skip-tests). - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files to - use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed to - helm template, typically defined as a block. ValuesObject - takes precedence over Values, so use one or the other. - type: string - valuesObject: - description: ValuesObject specifies Helm values to be passed - to helm template, defined as a map. This takes precedence - over Values. - type: object - x-kubernetes-preserve-unknown-fields: true - version: - description: Version is the Helm version to use for templating - ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional annotations - to add to rendered manifests - type: object - commonAnnotationsEnvsubst: - description: CommonAnnotationsEnvsubst specifies whether to - apply env variables substitution for annotation values - type: boolean - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels to - add to rendered manifests - type: object - components: - description: Components specifies a list of kustomize components - to add to the kustomization before building - items: - type: string - type: array - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether to force - applying common annotations to resources for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to force - applying common labels to resources for Kustomize apps - type: boolean - ignoreMissingComponents: - description: IgnoreMissingComponents prevents kustomize from - failing when components do not exist locally by not appending - them to kustomization file - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize image - definition in the format [old_image_name=]: - type: string - type: array - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. 
- type: string - labelIncludeTemplates: - description: LabelIncludeTemplates specifies whether to apply - common labels to resource templates or not - type: boolean - labelWithoutSelector: - description: LabelWithoutSelector specifies whether to apply - common labels to resource selectors or not - type: boolean - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - namespace: - description: Namespace sets the namespace that Kustomize adds - to all resources - type: string - patches: - description: Patches is a list of Kustomize patches - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - description: Replicas is a list of Kustomize Replicas override - specifications - items: - properties: - count: - anyOf: - - type: integer - - type: string - description: Number of replicas - x-kubernetes-int-or-string: true - name: - description: Name of Deployment or StatefulSet - type: string - required: - - count - - name - type: object - type: array - version: - description: Version controls which version of Kustomize to - use for rendering manifests - type: string - type: object - name: - description: Name is used to refer to a source and is displayed - in the UI. It is used in multi-source Applications. - type: string - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. 
- type: string - plugin: - description: Plugin holds config management plugin specific options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, usually - expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type parameter. - type: object - name: - description: Name is the name identifying a parameter. - type: string - string: - description: String_ is the value of a string type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within sources - field. This field will not be used if used with a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git or Helm) - that contains the application manifests - type: string - targetRevision: - description: |- - TargetRevision defines the revision of the source to sync the application to. - In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. - In case of Helm, this is a semver tag for the Chart's version. - type: string - required: - - repoURL - type: object - sourceHydrator: - description: SourceHydrator provides a way to push hydrated manifests - back to git before syncing them to the cluster. - properties: - drySource: - description: DrySource specifies where the dry "don't repeat yourself" - manifest source lives. 
- properties: - path: - description: Path is a directory path within the Git repository - where the manifests are located - type: string - repoURL: - description: RepoURL is the URL to the git repository that - contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the source - to hydrate - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - description: |- - HydrateTo specifies an optional "staging" location to push hydrated manifests to. An external system would then - have to move manifests to the SyncSource, e.g. by pull request. - properties: - targetBranch: - description: TargetBranch is the branch to which hydrated - manifests should be committed - type: string - required: - - targetBranch - type: object - syncSource: - description: SyncSource specifies where to sync hydrated manifests - from. - properties: - path: - description: |- - Path is a directory path within the git repository where hydrated manifests should be committed to and synced - from. The Path should never point to the root of the repo. If hydrateTo is set, this is just the path from which - hydrated manifests will be synced. - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - description: |- - TargetBranch is the branch from which hydrated manifests will be synced. - If HydrateTo is not set, this is also the branch to which hydrated manifests are committed. - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - description: Sources is a reference to the location of the application's - manifests or chart - items: - description: ApplicationSource contains all required information - about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. 
- type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match paths - against that should be explicitly excluded from being - used during manifest generation - type: string - include: - description: Include contains a glob pattern to match paths - against that should be explicitly included during manifest - generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External Variables - items: - description: JsonnetVar represents a variable to be - passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level Arguments - items: - description: JsonnetVar represents a variable to be - passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - fileParameters: - description: FileParameters are file parameters to the helm - template - items: - description: HelmFileParameter is a file parameter that's - passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally by not - appending them to helm template --values - type: boolean - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. - type: string - namespace: - description: Namespace is an optional namespace to template - with. If left empty, defaults to the app's destination - namespace. - type: string - parameters: - description: Parameters is a list of Helm parameters which - are passed to the helm template command upon manifest - generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to tell - Helm to interpret booleans and numbers as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all domains - (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to use. 
- If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition installation - step (Helm's --skip-crds) - type: boolean - skipSchemaValidation: - description: SkipSchemaValidation skips JSON schema validation - (Helm's --skip-schema-validation) - type: boolean - skipTests: - description: SkipTests skips test manifest installation - step (Helm's --skip-tests). - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files to - use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed to - helm template, typically defined as a block. ValuesObject - takes precedence over Values, so use one or the other. - type: string - valuesObject: - description: ValuesObject specifies Helm values to be passed - to helm template, defined as a map. This takes precedence - over Values. - type: object - x-kubernetes-preserve-unknown-fields: true - version: - description: Version is the Helm version to use for templating - ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional annotations - to add to rendered manifests - type: object - commonAnnotationsEnvsubst: - description: CommonAnnotationsEnvsubst specifies whether - to apply env variables substitution for annotation values - type: boolean - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels - to add to rendered manifests - type: object - components: - description: Components specifies a list of kustomize components - to add to the kustomization before building - items: - type: string - type: array - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether to - force applying common annotations to resources for Kustomize - apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to force - applying common labels to resources for Kustomize apps - type: boolean - ignoreMissingComponents: - description: IgnoreMissingComponents prevents kustomize - from failing when components do not exist locally by not - appending them to kustomization file - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize image - definition in the format [old_image_name=]: - type: string - type: array - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. 
- type: string - labelIncludeTemplates: - description: LabelIncludeTemplates specifies whether to - apply common labels to resource templates or not - type: boolean - labelWithoutSelector: - description: LabelWithoutSelector specifies whether to apply - common labels to resource selectors or not - type: boolean - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - namespace: - description: Namespace sets the namespace that Kustomize - adds to all resources - type: string - patches: - description: Patches is a list of Kustomize patches - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - description: Replicas is a list of Kustomize Replicas override - specifications - items: - properties: - count: - anyOf: - - type: integer - - type: string - description: Number of replicas - x-kubernetes-int-or-string: true - name: - description: Name of Deployment or StatefulSet - type: string - required: - - count - - name - type: object - type: array - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - name: - description: Name is used to refer to a source and is displayed - in the UI. It is used in multi-source Applications. - type: string - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. 
- type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, usually - expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type parameter. - type: object - name: - description: Name is the name identifying a parameter. - type: string - string: - description: String_ is the value of a string type - parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within sources - field. This field will not be used if used with a `source` - tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git or Helm) - that contains the application manifests - type: string - targetRevision: - description: |- - TargetRevision defines the revision of the source to sync the application to. - In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. - In case of Helm, this is a semver tag for the Chart's version. 
- type: string - required: - - repoURL - type: object - type: array - syncPolicy: - description: SyncPolicy controls when and how a sync will be performed - properties: - automated: - description: Automated will keep an application synced to the - target revision - properties: - allowEmpty: - description: 'AllowEmpty allows apps have zero live resources - (default: false)' - type: boolean - enabled: - description: Enable allows apps to explicitly control automated - sync - type: boolean - prune: - description: 'Prune specifies whether to delete resources - from the cluster that are not found in the sources anymore - as part of automated sync (default: false)' - type: boolean - selfHeal: - description: 'SelfHeal specifies whether to revert resources - back to their desired state upon modification in the cluster - (default: false)' - type: boolean - type: object - managedNamespaceMetadata: - description: ManagedNamespaceMetadata controls metadata in the - given namespace (if CreateNamespace=true) - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - description: Retry controls failed sync retry behavior - properties: - backoff: - description: Backoff controls how to backoff on subsequent - retries of failed syncs - properties: - duration: - description: Duration is the amount to back off. Default - unit is seconds, but could also be a duration (e.g. - "2m", "1h") - type: string - factor: - description: Factor is a factor to multiply the base duration - after each failed retry - format: int64 - type: integer - maxDuration: - description: MaxDuration is the maximum amount of time - allowed for the backoff strategy - type: string - type: object - limit: - description: Limit is the maximum number of attempts for retrying - a failed sync. If set to 0, no retries will be performed. 
- format: int64 - type: integer - refresh: - description: 'Refresh indicates if the latest revision should - be used on retry instead of the initial one (default: false)' - type: boolean - type: object - syncOptions: - description: Options allow you to specify whole app sync-options - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - status: - description: ApplicationStatus contains status information for the application - properties: - conditions: - description: Conditions is a list of currently observed application - conditions - items: - description: ApplicationCondition contains details about an application - condition, which is usually an error or warning - properties: - lastTransitionTime: - description: LastTransitionTime is the time the condition was - last observed - format: date-time - type: string - message: - description: Message contains human-readable message indicating - details about condition - type: string - type: - description: Type is an application condition type - type: string - required: - - message - - type - type: object - type: array - controllerNamespace: - description: ControllerNamespace indicates the namespace in which - the application controller is located - type: string - health: - description: Health contains information about the application's current - health status - properties: - lastTransitionTime: - description: LastTransitionTime is the time the HealthStatus was - set or updated - format: date-time - type: string - message: - description: |- - Message is a human-readable informational message describing the health status - - Deprecated: this field is not used and will be removed in a future release. 
- type: string - status: - description: Status holds the status code of the application - type: string - type: object - history: - description: History contains information about the application's - sync history - items: - description: RevisionHistory contains history information about - a previous sync - properties: - deployStartedAt: - description: DeployStartedAt holds the time the sync operation - started - format: date-time - type: string - deployedAt: - description: DeployedAt holds the time the sync operation completed - format: date-time - type: string - id: - description: ID is an auto incrementing identifier of the RevisionHistory - format: int64 - type: integer - initiatedBy: - description: InitiatedBy contains information about who initiated - the operations - properties: - automated: - description: Automated is set to true if operation was initiated - automatically by the application controller. - type: boolean - username: - description: Username contains the name of a user who started - operation - type: string - type: object - revision: - description: Revision holds the revision the sync was performed - against - type: string - revisions: - description: Revisions holds the revision of each source in - sources field the sync was performed against - items: - type: string - type: array - source: - description: Source is a reference to the application source - used for the sync operation - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. 
- type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded from - being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included during - manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - fileParameters: - description: FileParameters are file parameters to the - helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally - by not appending them to helm template --values - type: boolean - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. - type: string - namespace: - description: Namespace is an optional namespace to template - with. If left empty, defaults to the app's destination - namespace. - type: string - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to - tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to - use. 
If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - skipSchemaValidation: - description: SkipSchemaValidation skips JSON schema - validation (Helm's --skip-schema-validation) - type: boolean - skipTests: - description: SkipTests skips test manifest installation - step (Helm's --skip-tests). - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block. ValuesObject - takes precedence over Values, so use one or the other. - type: string - valuesObject: - description: ValuesObject specifies Helm values to be - passed to helm template, defined as a map. This takes - precedence over Values. - type: object - x-kubernetes-preserve-unknown-fields: true - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonAnnotationsEnvsubst: - description: CommonAnnotationsEnvsubst specifies whether - to apply env variables substitution for annotation - values - type: boolean - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels - to add to rendered manifests - type: object - components: - description: Components specifies a list of kustomize - components to add to the kustomization before building - items: - type: string - type: array - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - ignoreMissingComponents: - description: IgnoreMissingComponents prevents kustomize - from failing when components do not exist locally - by not appending them to kustomization file - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. 
- type: string - labelIncludeTemplates: - description: LabelIncludeTemplates specifies whether - to apply common labels to resource templates or not - type: boolean - labelWithoutSelector: - description: LabelWithoutSelector specifies whether - to apply common labels to resource selectors or not - type: boolean - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - namespace: - description: Namespace sets the namespace that Kustomize - adds to all resources - type: string - patches: - description: Patches is a list of Kustomize patches - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - description: Replicas is a list of Kustomize Replicas - override specifications - items: - properties: - count: - anyOf: - - type: integer - - type: string - description: Number of replicas - x-kubernetes-int-or-string: true - name: - description: Name of Deployment or StatefulSet - type: string - required: - - count - - name - type: object - type: array - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - name: - description: Name is used to refer to a source and is displayed - in the UI. It is used in multi-source Applications. - type: string - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. 
- type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array type - parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type parameter. - type: object - name: - description: Name is the name identifying a parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within sources - field. This field will not be used if used with a `source` - tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git or - Helm) that contains the application manifests - type: string - targetRevision: - description: |- - TargetRevision defines the revision of the source to sync the application to. - In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. - In case of Helm, this is a semver tag for the Chart's version. - type: string - required: - - repoURL - type: object - sources: - description: Sources is a reference to the application sources - used for the sync operation - items: - description: ApplicationSource contains all required information - about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. 
- type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded - from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included - during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - fileParameters: - description: FileParameters are file parameters to - the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template --values - type: boolean - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. - type: string - namespace: - description: Namespace is an optional namespace to - template with. If left empty, defaults to the app's - destination namespace. - type: string - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. 
If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - skipSchemaValidation: - description: SkipSchemaValidation skips JSON schema - validation (Helm's --skip-schema-validation) - type: boolean - skipTests: - description: SkipTests skips test manifest installation - step (Helm's --skip-tests). - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block. - ValuesObject takes precedence over Values, so use - one or the other. - type: string - valuesObject: - description: ValuesObject specifies Helm values to - be passed to helm template, defined as a map. This - takes precedence over Values. - type: object - x-kubernetes-preserve-unknown-fields: true - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonAnnotationsEnvsubst: - description: CommonAnnotationsEnvsubst specifies whether - to apply env variables substitution for annotation - values - type: boolean - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - components: - description: Components specifies a list of kustomize - components to add to the kustomization before building - items: - type: string - type: array - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - ignoreMissingComponents: - description: IgnoreMissingComponents prevents kustomize - from failing when components do not exist locally - by not appending them to kustomization file - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. 
- type: string - labelIncludeTemplates: - description: LabelIncludeTemplates specifies whether - to apply common labels to resource templates or - not - type: boolean - labelWithoutSelector: - description: LabelWithoutSelector specifies whether - to apply common labels to resource selectors or - not - type: boolean - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - namespace: - description: Namespace sets the namespace that Kustomize - adds to all resources - type: string - patches: - description: Patches is a list of Kustomize patches - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - description: Replicas is a list of Kustomize Replicas - override specifications - items: - properties: - count: - anyOf: - - type: integer - - type: string - description: Number of replicas - x-kubernetes-int-or-string: true - name: - description: Name of Deployment or StatefulSet - type: string - required: - - count - - name - type: object - type: array - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - name: - description: Name is used to refer to a source and is - displayed in the UI. It is used in multi-source Applications. - type: string - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. 
- type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying a - parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used with - a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: |- - TargetRevision defines the revision of the source to sync the application to. - In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. - In case of Helm, this is a semver tag for the Chart's version. 
- type: string - required: - - repoURL - type: object - type: array - required: - - deployedAt - - id - type: object - type: array - observedAt: - description: |- - ObservedAt indicates when the application state was updated without querying latest git state - Deprecated: controller no longer updates ObservedAt field - format: date-time - type: string - operationState: - description: OperationState contains information about any ongoing - operations, such as a sync - properties: - finishedAt: - description: FinishedAt contains time of operation completion - format: date-time - type: string - message: - description: Message holds any pertinent messages when attempting - to perform operation (typically errors). - type: string - operation: - description: Operation is the original requested operation - properties: - info: - description: Info is a list of informational items for this - operation - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - initiatedBy: - description: InitiatedBy contains information about who initiated - the operations - properties: - automated: - description: Automated is set to true if operation was - initiated automatically by the application controller. - type: boolean - username: - description: Username contains the name of a user who - started operation - type: string - type: object - retry: - description: Retry controls the strategy to apply if a sync - fails - properties: - backoff: - description: Backoff controls how to backoff on subsequent - retries of failed syncs - properties: - duration: - description: Duration is the amount to back off. Default - unit is seconds, but could also be a duration (e.g. 
- "2m", "1h") - type: string - factor: - description: Factor is a factor to multiply the base - duration after each failed retry - format: int64 - type: integer - maxDuration: - description: MaxDuration is the maximum amount of - time allowed for the backoff strategy - type: string - type: object - limit: - description: Limit is the maximum number of attempts for - retrying a failed sync. If set to 0, no retries will - be performed. - format: int64 - type: integer - refresh: - description: 'Refresh indicates if the latest revision - should be used on retry instead of the initial one (default: - false)' - type: boolean - type: object - sync: - description: Sync contains parameters for the operation - properties: - autoHealAttemptsCount: - description: SelfHealAttemptsCount contains the number - of auto-heal attempts - format: int64 - type: integer - dryRun: - description: DryRun specifies to perform a `kubectl apply - --dry-run` without actually performing the sync - type: boolean - manifests: - description: Manifests is an optional field that overrides - sync source with a local directory for development - items: - type: string - type: array - prune: - description: Prune specifies to delete resources from - the cluster that are no longer tracked in git - type: boolean - resources: - description: Resources describes which resources shall - be part of the sync - items: - description: SyncOperationResource contains resources - to sync. - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - required: - - kind - - name - type: object - type: array - revision: - description: |- - Revision is the revision (Git) or chart version (Helm) which to sync the application to - If omitted, will use the revision specified in app spec. 
- type: string - revisions: - description: |- - Revisions is the list of revision (Git) or chart version (Helm) which to sync each source in sources field for the application to - If omitted, will use the revision specified in app spec. - items: - type: string - type: array - source: - description: |- - Source overrides the source definition set in the application. - This is typically set in a Rollback operation and is nil during a Sync operation - properties: - chart: - description: Chart is a Helm chart name, and must - be specified for applications sourced from a Helm - repo. - type: string - directory: - description: Directory holds path/directory specific - options - properties: - exclude: - description: Exclude contains a glob pattern to - match paths against that should be explicitly - excluded from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to - match paths against that should be explicitly - included during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to - Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet - External Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan - a directory recursively for manifests - type: 
boolean - type: object - helm: - description: Helm holds helm specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. - items: - type: string - type: array - fileParameters: - description: FileParameters are file parameters - to the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm - parameter - type: string - path: - description: Path is the path to the file - containing the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents - helm template from failing when valueFiles do - not exist locally by not appending them to helm - template --values - type: boolean - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. - type: string - namespace: - description: Namespace is an optional namespace - to template with. If left empty, defaults to - the app's destination namespace. 
- type: string - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command - upon manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and - numbers as strings - type: boolean - name: - description: Name is the name of the Helm - parameter - type: string - value: - description: Value is the value for the - Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials - to all domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application - name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - skipSchemaValidation: - description: SkipSchemaValidation skips JSON schema - validation (Helm's --skip-schema-validation) - type: boolean - skipTests: - description: SkipTests skips test manifest installation - step (Helm's --skip-tests). - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value - files to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be - passed to helm template, typically defined as - a block. ValuesObject takes precedence over - Values, so use one or the other. - type: string - valuesObject: - description: ValuesObject specifies Helm values - to be passed to helm template, defined as a - map. This takes precedence over Values. 
- type: object - x-kubernetes-preserve-unknown-fields: true - version: - description: Version is the Helm version to use - for templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonAnnotationsEnvsubst: - description: CommonAnnotationsEnvsubst specifies - whether to apply env variables substitution - for annotation values - type: boolean - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - components: - description: Components specifies a list of kustomize - components to add to the kustomization before - building - items: - type: string - type: array - forceCommonAnnotations: - description: ForceCommonAnnotations specifies - whether to force applying common annotations - to resources for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether - to force applying common labels to resources - for Kustomize apps - type: boolean - ignoreMissingComponents: - description: IgnoreMissingComponents prevents - kustomize from failing when components do not - exist locally by not appending them to kustomization - file - type: boolean - images: - description: Images is a list of Kustomize image - override specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - kubeVersion: - description: |- - 
KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. - type: string - labelIncludeTemplates: - description: LabelIncludeTemplates specifies whether - to apply common labels to resource templates - or not - type: boolean - labelWithoutSelector: - description: LabelWithoutSelector specifies whether - to apply common labels to resource selectors - or not - type: boolean - namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps - type: string - namespace: - description: Namespace sets the namespace that - Kustomize adds to all resources - type: string - patches: - description: Patches is a list of Kustomize patches - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - description: Replicas is a list of Kustomize Replicas - override specifications - items: - properties: - count: - anyOf: - - type: integer - - type: string - description: Number of replicas - x-kubernetes-int-or-string: true - name: - description: Name of Deployment or StatefulSet - type: string - required: - - count - - name - type: object - type: array - version: - description: Version controls which version of - Kustomize to use for rendering manifests - type: string - type: object - name: - description: Name is used to refer to a source and - is displayed in the UI. It is used in multi-source - Applications. 
- type: string - path: - description: Path is a directory path within the Git - repository, and is only valid for applications sourced - from Git. - type: string - plugin: - description: Plugin holds config management plugin - specific options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in - the application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying - a parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used - with a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository - (Git or Helm) that contains the application manifests - type: string - targetRevision: - description: |- - TargetRevision defines the revision of the source to sync the application to. - In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. - In case of Helm, this is a semver tag for the Chart's version. - type: string - required: - - repoURL - type: object - sources: - description: |- - Sources overrides the source definition set in the application. 
- This is typically set in a Rollback operation and is nil during a Sync operation - items: - description: ApplicationSource contains all required - information about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must - be specified for applications sourced from a Helm - repo. - type: string - directory: - description: Directory holds path/directory specific - options - properties: - exclude: - description: Exclude contains a glob pattern - to match paths against that should be explicitly - excluded from being used during manifest generation - type: string - include: - description: Include contains a glob pattern - to match paths against that should be explicitly - included during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific - to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet - External Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan - a directory recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. 
By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. - items: - type: string - type: array - fileParameters: - description: FileParameters are file parameters - to the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm - parameter - type: string - path: - description: Path is the path to the file - containing the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents - helm template from failing when valueFiles - do not exist locally by not appending them - to helm template --values - type: boolean - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. - type: string - namespace: - description: Namespace is an optional namespace - to template with. If left empty, defaults - to the app's destination namespace. - type: string - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command - upon manifest generation - items: - description: HelmParameter is a parameter - that's passed to helm template during manifest - generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and - numbers as strings - type: boolean - name: - description: Name is the name of the Helm - parameter - type: string - value: - description: Value is the value for the - Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials - to all domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release - name to use. 
If omitted it will use the application - name - type: string - skipCrds: - description: SkipCrds skips custom resource - definition installation step (Helm's --skip-crds) - type: boolean - skipSchemaValidation: - description: SkipSchemaValidation skips JSON - schema validation (Helm's --skip-schema-validation) - type: boolean - skipTests: - description: SkipTests skips test manifest installation - step (Helm's --skip-tests). - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value - files to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to - be passed to helm template, typically defined - as a block. ValuesObject takes precedence - over Values, so use one or the other. - type: string - valuesObject: - description: ValuesObject specifies Helm values - to be passed to helm template, defined as - a map. This takes precedence over Values. - type: object - x-kubernetes-preserve-unknown-fields: true - version: - description: Version is the Helm version to - use for templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific - options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of - additional annotations to add to rendered - manifests - type: object - commonAnnotationsEnvsubst: - description: CommonAnnotationsEnvsubst specifies - whether to apply env variables substitution - for annotation values - type: boolean - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - components: - description: Components specifies a list of - kustomize components to add to the kustomization - before building - items: - type: string - type: array - forceCommonAnnotations: - description: ForceCommonAnnotations specifies - whether to force applying common annotations - to resources for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether - to force applying common labels to resources - for Kustomize apps - type: boolean - ignoreMissingComponents: - description: IgnoreMissingComponents prevents - kustomize from failing when components do - not exist locally by not appending them to - kustomization file - type: boolean - images: - description: Images is a list of Kustomize image - override specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. 
- type: string - labelIncludeTemplates: - description: LabelIncludeTemplates specifies - whether to apply common labels to resource - templates or not - type: boolean - labelWithoutSelector: - description: LabelWithoutSelector specifies - whether to apply common labels to resource - selectors or not - type: boolean - namePrefix: - description: NamePrefix is a prefix appended - to resources for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended - to resources for Kustomize apps - type: string - namespace: - description: Namespace sets the namespace that - Kustomize adds to all resources - type: string - patches: - description: Patches is a list of Kustomize - patches - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - description: Replicas is a list of Kustomize - Replicas override specifications - items: - properties: - count: - anyOf: - - type: integer - - type: string - description: Number of replicas - x-kubernetes-int-or-string: true - name: - description: Name of Deployment or StatefulSet - type: string - required: - - count - - name - type: object - type: array - version: - description: Version controls which version - of Kustomize to use for rendering manifests - type: string - type: object - name: - description: Name is used to refer to a source and - is displayed in the UI. It is used in multi-source - Applications. - type: string - path: - description: Path is a directory path within the - Git repository, and is only valid for applications - sourced from Git. 
- type: string - plugin: - description: Plugin holds config management plugin - specific options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry - in the application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the - variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an - array type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map - type parameter. - type: object - name: - description: Name is the name identifying - a parameter. - type: string - string: - description: String_ is the value of a - string type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source - within sources field. This field will not be used - if used with a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository - (Git or Helm) that contains the application manifests - type: string - targetRevision: - description: |- - TargetRevision defines the revision of the source to sync the application to. - In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. - In case of Helm, this is a semver tag for the Chart's version. - type: string - required: - - repoURL - type: object - type: array - syncOptions: - description: SyncOptions provide per-sync sync-options, - e.g. Validate=false - items: - type: string - type: array - syncStrategy: - description: SyncStrategy describes how to perform the - sync - properties: - apply: - description: Apply will perform a `kubectl apply` - to perform the sync. 
- properties: - force: - description: |- - Force indicates whether or not to supply the --force flag to `kubectl apply`. - The --force flag deletes and re-create the resource, when PATCH encounters conflict and has - retried for 5 times. - type: boolean - type: object - hook: - description: Hook will submit any referenced resources - to perform the sync. This is the default strategy - properties: - force: - description: |- - Force indicates whether or not to supply the --force flag to `kubectl apply`. - The --force flag deletes and re-create the resource, when PATCH encounters conflict and has - retried for 5 times. - type: boolean - type: object - type: object - type: object - type: object - phase: - description: Phase is the current phase of the operation - type: string - retryCount: - description: RetryCount contains time of operation retries - format: int64 - type: integer - startedAt: - description: StartedAt contains time of operation start - format: date-time - type: string - syncResult: - description: SyncResult is the result of a Sync operation - properties: - managedNamespaceMetadata: - description: ManagedNamespaceMetadata contains the current - sync state of managed namespace metadata - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - resources: - description: Resources contains a list of sync result items - for each individual resource in a sync operation - items: - description: ResourceResult holds the operation result details - of a specific resource - properties: - group: - description: Group specifies the API group of the resource - type: string - hookPhase: - description: |- - HookPhase contains the state of any operation associated with this resource OR hook - This can also contain values for non-hook resources. - type: string - hookType: - description: HookType specifies the type of the hook. 
- Empty for non-hook resources - type: string - images: - description: Images contains the images related to the - ResourceResult - items: - type: string - type: array - kind: - description: Kind specifies the API kind of the resource - type: string - message: - description: Message contains an informational or error - message for the last sync OR operation - type: string - name: - description: Name specifies the name of the resource - type: string - namespace: - description: Namespace specifies the target namespace - of the resource - type: string - status: - description: Status holds the final result of the sync. - Will be empty if the resources is yet to be applied/pruned - and is always zero-value for hooks - type: string - syncPhase: - description: SyncPhase indicates the particular phase - of the sync that this result was acquired in - type: string - version: - description: Version specifies the API version of the - resource - type: string - required: - - group - - kind - - name - - namespace - - version - type: object - type: array - revision: - description: Revision holds the revision this sync operation - was performed to - type: string - revisions: - description: Revisions holds the revision this sync operation - was performed for respective indexed source in sources field - items: - type: string - type: array - source: - description: Source records the application source information - of the sync, used for comparing auto-sync - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. 
- type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded - from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included - during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - fileParameters: - description: FileParameters are file parameters to - the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template --values - type: boolean - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. - type: string - namespace: - description: Namespace is an optional namespace to - template with. If left empty, defaults to the app's - destination namespace. - type: string - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. 
If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - skipSchemaValidation: - description: SkipSchemaValidation skips JSON schema - validation (Helm's --skip-schema-validation) - type: boolean - skipTests: - description: SkipTests skips test manifest installation - step (Helm's --skip-tests). - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block. - ValuesObject takes precedence over Values, so use - one or the other. - type: string - valuesObject: - description: ValuesObject specifies Helm values to - be passed to helm template, defined as a map. This - takes precedence over Values. - type: object - x-kubernetes-preserve-unknown-fields: true - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonAnnotationsEnvsubst: - description: CommonAnnotationsEnvsubst specifies whether - to apply env variables substitution for annotation - values - type: boolean - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - components: - description: Components specifies a list of kustomize - components to add to the kustomization before building - items: - type: string - type: array - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - ignoreMissingComponents: - description: IgnoreMissingComponents prevents kustomize - from failing when components do not exist locally - by not appending them to kustomization file - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. 
- type: string - labelIncludeTemplates: - description: LabelIncludeTemplates specifies whether - to apply common labels to resource templates or - not - type: boolean - labelWithoutSelector: - description: LabelWithoutSelector specifies whether - to apply common labels to resource selectors or - not - type: boolean - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - namespace: - description: Namespace sets the namespace that Kustomize - adds to all resources - type: string - patches: - description: Patches is a list of Kustomize patches - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - description: Replicas is a list of Kustomize Replicas - override specifications - items: - properties: - count: - anyOf: - - type: integer - - type: string - description: Number of replicas - x-kubernetes-int-or-string: true - name: - description: Name of Deployment or StatefulSet - type: string - required: - - count - - name - type: object - type: array - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - name: - description: Name is used to refer to a source and is - displayed in the UI. It is used in multi-source Applications. - type: string - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. 
- type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying a - parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used with - a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: |- - TargetRevision defines the revision of the source to sync the application to. - In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. - In case of Helm, this is a semver tag for the Chart's version. 
- type: string - required: - - repoURL - type: object - sources: - description: Source records the application source information - of the sync, used for comparing auto-sync - items: - description: ApplicationSource contains all required information - about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must be - specified for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific - options - properties: - exclude: - description: Exclude contains a glob pattern to - match paths against that should be explicitly - excluded from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to - match paths against that should be explicitly - included during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a - directory recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource 
API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. - items: - type: string - type: array - fileParameters: - description: FileParameters are file parameters - to the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm - parameter - type: string - path: - description: Path is the path to the file - containing the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template - --values - type: boolean - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. - type: string - namespace: - description: Namespace is an optional namespace - to template with. If left empty, defaults to the - app's destination namespace. 
- type: string - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command - upon manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm - parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to - all domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application - name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - skipSchemaValidation: - description: SkipSchemaValidation skips JSON schema - validation (Helm's --skip-schema-validation) - type: boolean - skipTests: - description: SkipTests skips test manifest installation - step (Helm's --skip-tests). - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value - files to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be - passed to helm template, typically defined as - a block. ValuesObject takes precedence over Values, - so use one or the other. - type: string - valuesObject: - description: ValuesObject specifies Helm values - to be passed to helm template, defined as a map. - This takes precedence over Values. 
- type: object - x-kubernetes-preserve-unknown-fields: true - version: - description: Version is the Helm version to use - for templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonAnnotationsEnvsubst: - description: CommonAnnotationsEnvsubst specifies - whether to apply env variables substitution for - annotation values - type: boolean - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - components: - description: Components specifies a list of kustomize - components to add to the kustomization before - building - items: - type: string - type: array - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether - to force applying common labels to resources for - Kustomize apps - type: boolean - ignoreMissingComponents: - description: IgnoreMissingComponents prevents kustomize - from failing when components do not exist locally - by not appending them to kustomization file - type: boolean - images: - description: Images is a list of Kustomize image - override specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - kubeVersion: - description: |- - 
KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. - type: string - labelIncludeTemplates: - description: LabelIncludeTemplates specifies whether - to apply common labels to resource templates or - not - type: boolean - labelWithoutSelector: - description: LabelWithoutSelector specifies whether - to apply common labels to resource selectors or - not - type: boolean - namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps - type: string - namespace: - description: Namespace sets the namespace that Kustomize - adds to all resources - type: string - patches: - description: Patches is a list of Kustomize patches - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - description: Replicas is a list of Kustomize Replicas - override specifications - items: - properties: - count: - anyOf: - - type: integer - - type: string - description: Number of replicas - x-kubernetes-int-or-string: true - name: - description: Name of Deployment or StatefulSet - type: string - required: - - count - - name - type: object - type: array - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - name: - description: Name is used to refer to a source and is - displayed in the UI. It is used in multi-source Applications. 
- type: string - path: - description: Path is a directory path within the Git - repository, and is only valid for applications sourced - from Git. - type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying - a parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used - with a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: |- - TargetRevision defines the revision of the source to sync the application to. - In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. - In case of Helm, this is a semver tag for the Chart's version. 
- type: string - required: - - repoURL - type: object - type: array - required: - - revision - type: object - required: - - operation - - phase - - startedAt - type: object - reconciledAt: - description: ReconciledAt indicates when the application state was - reconciled using the latest git version - format: date-time - type: string - resourceHealthSource: - description: 'ResourceHealthSource indicates where the resource health - status is stored: inline if not set or appTree' - type: string - resources: - description: Resources is a list of Kubernetes resources managed by - this application - items: - description: ResourceStatus holds the current synchronization and - health status of a Kubernetes resource. - properties: - group: - description: Group represents the API group of the resource - (e.g., "apps" for Deployments). - type: string - health: - description: Health indicates the health status of the resource - (e.g., Healthy, Degraded, Progressing). - properties: - lastTransitionTime: - description: |- - LastTransitionTime is the time the HealthStatus was set or updated - - Deprecated: this field is not used and will be removed in a future release. - format: date-time - type: string - message: - description: Message is a human-readable informational message - describing the health status - type: string - status: - description: Status holds the status code of the resource - type: string - type: object - hook: - description: Hook is true if the resource is used as a lifecycle - hook in an Argo CD application. - type: boolean - kind: - description: Kind specifies the type of the resource (e.g., - "Deployment", "Service"). - type: string - name: - description: Name is the unique name of the resource within - the namespace. - type: string - namespace: - description: Namespace defines the Kubernetes namespace where - the resource is located. 
- type: string - requiresDeletionConfirmation: - description: RequiresDeletionConfirmation is true if the resource - requires explicit user confirmation before deletion. - type: boolean - requiresPruning: - description: RequiresPruning is true if the resource needs to - be pruned (deleted) as part of synchronization. - type: boolean - status: - description: Status represents the synchronization state of - the resource (e.g., Synced, OutOfSync). - type: string - syncWave: - description: |- - SyncWave determines the order in which resources are applied during a sync operation. - Lower values are applied first. - format: int64 - type: integer - version: - description: Version indicates the API version of the resource - (e.g., "v1", "v1beta1"). - type: string - type: object - type: array - sourceHydrator: - description: SourceHydrator stores information about the current state - of source hydration - properties: - currentOperation: - description: CurrentOperation holds the status of the hydrate - operation - properties: - drySHA: - description: DrySHA holds the resolved revision (sha) of the - dry source as of the most recent reconciliation - type: string - finishedAt: - description: FinishedAt indicates when the hydrate operation - finished - format: date-time - type: string - hydratedSHA: - description: HydratedSHA holds the resolved revision (sha) - of the hydrated source as of the most recent reconciliation - type: string - message: - description: Message contains a message describing the current - status of the hydrate operation - type: string - phase: - description: Phase indicates the status of the hydrate operation - enum: - - Hydrating - - Failed - - Hydrated - type: string - sourceHydrator: - description: SourceHydrator holds the hydrator config used - for the hydrate operation - properties: - drySource: - description: DrySource specifies where the dry "don't - repeat yourself" manifest source lives. 
- properties: - path: - description: Path is a directory path within the Git - repository where the manifests are located - type: string - repoURL: - description: RepoURL is the URL to the git repository - that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of - the source to hydrate - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - description: |- - HydrateTo specifies an optional "staging" location to push hydrated manifests to. An external system would then - have to move manifests to the SyncSource, e.g. by pull request. - properties: - targetBranch: - description: TargetBranch is the branch to which hydrated - manifests should be committed - type: string - required: - - targetBranch - type: object - syncSource: - description: SyncSource specifies where to sync hydrated - manifests from. - properties: - path: - description: |- - Path is a directory path within the git repository where hydrated manifests should be committed to and synced - from. The Path should never point to the root of the repo. If hydrateTo is set, this is just the path from which - hydrated manifests will be synced. - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - description: |- - TargetBranch is the branch from which hydrated manifests will be synced. - If HydrateTo is not set, this is also the branch to which hydrated manifests are committed. 
- type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - startedAt: - description: StartedAt indicates when the hydrate operation - started - format: date-time - type: string - required: - - message - - phase - type: object - lastSuccessfulOperation: - description: LastSuccessfulOperation holds info about the most - recent successful hydration - properties: - drySHA: - description: DrySHA holds the resolved revision (sha) of the - dry source as of the most recent reconciliation - type: string - hydratedSHA: - description: HydratedSHA holds the resolved revision (sha) - of the hydrated source as of the most recent reconciliation - type: string - sourceHydrator: - description: SourceHydrator holds the hydrator config used - for the hydrate operation - properties: - drySource: - description: DrySource specifies where the dry "don't - repeat yourself" manifest source lives. - properties: - path: - description: Path is a directory path within the Git - repository where the manifests are located - type: string - repoURL: - description: RepoURL is the URL to the git repository - that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of - the source to hydrate - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - description: |- - HydrateTo specifies an optional "staging" location to push hydrated manifests to. An external system would then - have to move manifests to the SyncSource, e.g. by pull request. - properties: - targetBranch: - description: TargetBranch is the branch to which hydrated - manifests should be committed - type: string - required: - - targetBranch - type: object - syncSource: - description: SyncSource specifies where to sync hydrated - manifests from. 
- properties: - path: - description: |- - Path is a directory path within the git repository where hydrated manifests should be committed to and synced - from. The Path should never point to the root of the repo. If hydrateTo is set, this is just the path from which - hydrated manifests will be synced. - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - description: |- - TargetBranch is the branch from which hydrated manifests will be synced. - If HydrateTo is not set, this is also the branch to which hydrated manifests are committed. - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - type: object - type: object - sourceType: - description: SourceType specifies the type of this application - type: string - sourceTypes: - description: SourceTypes specifies the type of the sources included - in the application - items: - description: ApplicationSourceType specifies the type of the application's - source - type: string - type: array - summary: - description: Summary contains a list of URLs and container images - used by this application - properties: - externalURLs: - description: ExternalURLs holds all external URLs of application - child resources. - items: - type: string - type: array - images: - description: Images holds all images of application child resources. - items: - type: string - type: array - type: object - sync: - description: Sync contains information about the application's current - sync status - properties: - comparedTo: - description: ComparedTo contains information about what has been - compared - properties: - destination: - description: Destination is a reference to the application's - destination used for comparison - properties: - name: - description: Name is an alternate way of specifying the - target cluster by its symbolic name. This must be set - if Server is not set. 
- type: string - namespace: - description: |- - Namespace specifies the target namespace for the application's resources. - The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace - type: string - server: - description: Server specifies the URL of the target cluster's - Kubernetes control plane API. This must be set if Name - is not set. - type: string - type: object - ignoreDifferences: - description: IgnoreDifferences is a reference to the application's - ignored differences used for comparison - items: - description: ResourceIgnoreDifferences contains resource - filter and list of json paths which should be ignored - during comparison with live state. - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - description: |- - ManagedFieldsManagers is a list of trusted managers. Fields mutated by those managers will take precedence over the - desired state defined in the SCM and won't be displayed in diffs - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - source: - description: Source is a reference to the application's source - used for comparison - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. 
- type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded - from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included - during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - fileParameters: - description: FileParameters are file parameters to - the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template --values - type: boolean - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. - type: string - namespace: - description: Namespace is an optional namespace to - template with. If left empty, defaults to the app's - destination namespace. - type: string - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. 
If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - skipSchemaValidation: - description: SkipSchemaValidation skips JSON schema - validation (Helm's --skip-schema-validation) - type: boolean - skipTests: - description: SkipTests skips test manifest installation - step (Helm's --skip-tests). - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block. - ValuesObject takes precedence over Values, so use - one or the other. - type: string - valuesObject: - description: ValuesObject specifies Helm values to - be passed to helm template, defined as a map. This - takes precedence over Values. - type: object - x-kubernetes-preserve-unknown-fields: true - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonAnnotationsEnvsubst: - description: CommonAnnotationsEnvsubst specifies whether - to apply env variables substitution for annotation - values - type: boolean - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - components: - description: Components specifies a list of kustomize - components to add to the kustomization before building - items: - type: string - type: array - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - ignoreMissingComponents: - description: IgnoreMissingComponents prevents kustomize - from failing when components do not exist locally - by not appending them to kustomization file - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. 
- type: string - labelIncludeTemplates: - description: LabelIncludeTemplates specifies whether - to apply common labels to resource templates or - not - type: boolean - labelWithoutSelector: - description: LabelWithoutSelector specifies whether - to apply common labels to resource selectors or - not - type: boolean - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - namespace: - description: Namespace sets the namespace that Kustomize - adds to all resources - type: string - patches: - description: Patches is a list of Kustomize patches - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - description: Replicas is a list of Kustomize Replicas - override specifications - items: - properties: - count: - anyOf: - - type: integer - - type: string - description: Number of replicas - x-kubernetes-int-or-string: true - name: - description: Name of Deployment or StatefulSet - type: string - required: - - count - - name - type: object - type: array - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - name: - description: Name is used to refer to a source and is - displayed in the UI. It is used in multi-source Applications. - type: string - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. 
- type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying a - parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used with - a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: |- - TargetRevision defines the revision of the source to sync the application to. - In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. - In case of Helm, this is a semver tag for the Chart's version. - type: string - required: - - repoURL - type: object - sources: - description: Sources is a reference to the application's multiple - sources used for comparison - items: - description: ApplicationSource contains all required information - about the source of an application - properties: - chart: - description: Chart is a Helm chart name, and must be - specified for applications sourced from a Helm repo. 
- type: string - directory: - description: Directory holds path/directory specific - options - properties: - exclude: - description: Exclude contains a glob pattern to - match paths against that should be explicitly - excluded from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to - match paths against that should be explicitly - included during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a - directory recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - fileParameters: - description: FileParameters are file parameters - to the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm - parameter - type: string - path: - description: Path is the path to the file - containing the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template - --values - type: boolean - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. - type: string - namespace: - description: Namespace is an optional namespace - to template with. If left empty, defaults to the - app's destination namespace. - type: string - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command - upon manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm - parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to - all domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. 
If omitted it will use the application - name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - skipSchemaValidation: - description: SkipSchemaValidation skips JSON schema - validation (Helm's --skip-schema-validation) - type: boolean - skipTests: - description: SkipTests skips test manifest installation - step (Helm's --skip-tests). - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value - files to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be - passed to helm template, typically defined as - a block. ValuesObject takes precedence over Values, - so use one or the other. - type: string - valuesObject: - description: ValuesObject specifies Helm values - to be passed to helm template, defined as a map. - This takes precedence over Values. - type: object - x-kubernetes-preserve-unknown-fields: true - version: - description: Version is the Helm version to use - for templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - apiVersions: - description: |- - APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default, - Argo CD uses the API versions of the target cluster. The format is [group/]version/kind. 
- items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonAnnotationsEnvsubst: - description: CommonAnnotationsEnvsubst specifies - whether to apply env variables substitution for - annotation values - type: boolean - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - components: - description: Components specifies a list of kustomize - components to add to the kustomization before - building - items: - type: string - type: array - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether - to force applying common labels to resources for - Kustomize apps - type: boolean - ignoreMissingComponents: - description: IgnoreMissingComponents prevents kustomize - from failing when components do not exist locally - by not appending them to kustomization file - type: boolean - images: - description: Images is a list of Kustomize image - override specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - kubeVersion: - description: |- - KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD - uses the Kubernetes version of the target cluster. 
- type: string - labelIncludeTemplates: - description: LabelIncludeTemplates specifies whether - to apply common labels to resource templates or - not - type: boolean - labelWithoutSelector: - description: LabelWithoutSelector specifies whether - to apply common labels to resource selectors or - not - type: boolean - namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps - type: string - namespace: - description: Namespace sets the namespace that Kustomize - adds to all resources - type: string - patches: - description: Patches is a list of Kustomize patches - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - description: Replicas is a list of Kustomize Replicas - override specifications - items: - properties: - count: - anyOf: - - type: integer - - type: string - description: Number of replicas - x-kubernetes-int-or-string: true - name: - description: Name of Deployment or StatefulSet - type: string - required: - - count - - name - type: object - type: array - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - name: - description: Name is used to refer to a source and is - displayed in the UI. It is used in multi-source Applications. - type: string - path: - description: Path is a directory path within the Git - repository, and is only valid for applications sourced - from Git. 
- type: string - plugin: - description: Plugin holds config management plugin specific - options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - description: Array is the value of an array - type parameter. - items: - type: string - type: array - map: - additionalProperties: - type: string - description: Map is the value of a map type - parameter. - type: object - name: - description: Name is the name identifying - a parameter. - type: string - string: - description: String_ is the value of a string - type parameter. - type: string - type: object - type: array - type: object - ref: - description: Ref is reference to another source within - sources field. This field will not be used if used - with a `source` tag. - type: string - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: |- - TargetRevision defines the revision of the source to sync the application to. - In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. - In case of Helm, this is a semver tag for the Chart's version. 
- type: string - required: - - repoURL - type: object - type: array - required: - - destination - type: object - revision: - description: Revision contains information about the revision - the comparison has been performed to - type: string - revisions: - description: Revisions contains information about the revisions - of multiple sources the comparison has been performed to - items: - type: string - type: array - status: - description: Status is the sync state of the comparison - type: string - required: - - status - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: {} ---- -# Source: argocd/charts/argo-cd/templates/crds/crd-applicationset.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app.kubernetes.io/name: applicationsets.argoproj.io - app.kubernetes.io/part-of: argocd - name: applicationsets.argoproj.io -spec: - group: argoproj.io - names: - kind: ApplicationSet - listKind: ApplicationSetList - plural: applicationsets - shortNames: - - appset - - appsets - singular: applicationset - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - properties: - applyNestedSelectors: - type: boolean - generators: - items: - properties: - clusterDecisionResource: - properties: - configMapRef: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - name: - type: string - requeueAfterSeconds: - format: int64 - 
type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - 
type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - 
parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - 
skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - 
type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - configMapRef - type: object - clusters: - properties: - flatList: - type: boolean - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: 
string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - 
type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - 
properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - 
additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: 
boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - git: - properties: - directories: - items: - properties: - exclude: - type: boolean - path: - type: string - required: - - path - type: object - type: array - files: - items: - properties: - exclude: - type: boolean - path: - type: string - required: - - path - type: object - type: array - pathParamPrefix: - type: string - repoURL: - type: string - requeueAfterSeconds: - format: int64 - type: integer - revision: - type: string - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - 
type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - 
images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - 
syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - 
type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - 
type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - repoURL - - revision - type: object - list: - properties: - elements: - items: - x-kubernetes-preserve-unknown-fields: true - type: array - elementsYaml: - type: string - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - 
type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - 
x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - 
name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: 
string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - type: object - matrix: - properties: - generators: - items: - properties: - clusterDecisionResource: - properties: - configMapRef: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - name: - type: string - 
requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - 
forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - 
type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - 
releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - 
additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - configMapRef - type: object - clusters: - properties: - flatList: - type: boolean - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: 
- type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: 
true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - 
properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - 
commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean 
- selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - git: - properties: - directories: - items: - properties: - exclude: - type: boolean - path: - type: string - required: - - path - type: object - type: array - files: - items: - properties: - exclude: - type: boolean - path: - type: string - required: - - path - type: object - type: array - pathParamPrefix: - type: string - repoURL: - type: string - requeueAfterSeconds: - format: int64 - type: integer - revision: - type: string - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - 
properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - 
ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - 
type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: 
- type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - 
type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - repoURL - - revision - type: object - list: - properties: - elements: - items: - x-kubernetes-preserve-unknown-fields: true - type: array - elementsYaml: - type: string - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: 
object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - 
type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - 
fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: 
object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - type: object - matrix: - x-kubernetes-preserve-unknown-fields: true - merge: - x-kubernetes-preserve-unknown-fields: true - plugin: - properties: - configMapRef: - properties: - name: - type: string - required: - - name - type: object - input: - properties: - parameters: - additionalProperties: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object 
- finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - 
skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - 
type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - 
type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - 
type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - configMapRef - type: object - pullRequest: - properties: - azuredevops: - properties: - api: - type: string - labels: - items: - type: string - type: array - organization: - type: string - project: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - organization - - project - - repo - type: object - bitbucket: - properties: - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - bearerToken: - properties: - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - tokenRef - type: object - owner: - type: string - repo: - type: string - required: - - owner - - repo - type: object - bitbucketServer: - 
properties: - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - bearerToken: - properties: - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - tokenRef - type: object - caRef: - properties: - configMapName: - type: string - key: - type: string - required: - - configMapName - - key - type: object - insecure: - type: boolean - project: - type: string - repo: - type: string - required: - - api - - project - - repo - type: object - continueOnRepoNotFoundError: - type: boolean - filters: - items: - properties: - branchMatch: - type: string - targetBranchMatch: - type: string - titleMatch: - type: string - type: object - type: array - gitea: - properties: - api: - type: string - insecure: - type: boolean - labels: - items: - type: string - type: array - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - - repo - type: object - github: - properties: - api: - type: string - appSecretName: - type: string - labels: - items: - type: string - type: array - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - owner - - repo - type: object - gitlab: - properties: - api: - type: string - caRef: - properties: - configMapName: - type: string - key: - type: string - required: - - configMapName - - key - type: object - insecure: - type: boolean - labels: - items: - type: string - type: array - project: - type: string - pullRequestState: - type: string - tokenRef: - properties: - key: - type: string - 
secretName: - type: string - required: - - key - - secretName - type: object - required: - - project - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - 
ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: 
- properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - 
forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - 
type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - scmProvider: - properties: - awsCodeCommit: - properties: - allBranches: - type: boolean - region: - type: string - role: - type: string - tagFilters: - items: - properties: - key: - type: string - value: - type: string - required: - - key - type: object - type: array - type: object - azureDevOps: - properties: - accessTokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - allBranches: - type: boolean - api: - type: string - organization: - type: string - teamProject: - type: string - required: - - accessTokenRef - - organization - - teamProject - type: object - bitbucket: - properties: - allBranches: - type: boolean - appPasswordRef: - 
properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - owner: - type: string - user: - type: string - required: - - appPasswordRef - - owner - - user - type: object - bitbucketServer: - properties: - allBranches: - type: boolean - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - bearerToken: - properties: - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - tokenRef - type: object - caRef: - properties: - configMapName: - type: string - key: - type: string - required: - - configMapName - - key - type: object - insecure: - type: boolean - project: - type: string - required: - - api - - project - type: object - cloneProtocol: - type: string - filters: - items: - properties: - branchMatch: - type: string - labelMatch: - type: string - pathsDoNotExist: - items: - type: string - type: array - pathsExist: - items: - type: string - type: array - repositoryMatch: - type: string - type: object - type: array - gitea: - properties: - allBranches: - type: boolean - api: - type: string - insecure: - type: boolean - owner: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - type: object - github: - properties: - allBranches: - type: boolean - api: - type: string - appSecretName: - type: string - organization: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - organization - type: object - gitlab: - properties: - allBranches: - type: boolean - api: - type: string - caRef: - properties: - 
configMapName: - type: string - key: - type: string - required: - - configMapName - - key - type: object - group: - type: string - includeSharedProjects: - type: boolean - includeSubgroups: - type: boolean - insecure: - type: boolean - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - topic: - type: string - required: - - group - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - 
value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - 
items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: 
- type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - 
required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: 
array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: 
string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - 
parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - 
skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - 
type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - generators - type: object - merge: - properties: - generators: - items: - properties: - clusterDecisionResource: - properties: - configMapRef: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - name: - type: string - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - 
spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - 
valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: 
string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - 
apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: 
boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - configMapRef - type: object - clusters: - properties: - flatList: - type: boolean - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - 
name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: 
string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - 
pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: 
boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - 
maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - git: - properties: - directories: - items: - properties: - exclude: - type: boolean - path: - type: string - required: - - path - type: object - type: array - files: - items: - properties: - exclude: - type: boolean - path: - type: string - required: - - path - type: object - type: array - pathParamPrefix: - type: string - repoURL: - type: string - requeueAfterSeconds: - format: int64 - type: integer - revision: - type: string - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - 
extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - 
type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - 
type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: 
string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - repoURL - - revision - type: object - list: - properties: - elements: - items: - 
x-kubernetes-preserve-unknown-fields: true - type: array - elementsYaml: - type: string - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - 
parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - 
required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - 
type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - 
type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - type: object - matrix: - x-kubernetes-preserve-unknown-fields: true - merge: - x-kubernetes-preserve-unknown-fields: true - plugin: - properties: - configMapRef: - properties: - name: - type: string - required: - - name - type: object - input: - properties: - parameters: - additionalProperties: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - 
items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: 
string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - 
type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - 
commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - 
additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - configMapRef - type: object - pullRequest: - properties: - azuredevops: - properties: - api: - type: string - labels: - items: - type: string - type: array - organization: - type: string - project: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - organization - - project - - repo - type: object - bitbucket: - properties: - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - bearerToken: - properties: - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - tokenRef - type: object - owner: - type: string - repo: - type: string - required: - - owner - - repo - type: object - bitbucketServer: - properties: - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - bearerToken: - properties: - tokenRef: - properties: - key: - type: 
string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - tokenRef - type: object - caRef: - properties: - configMapName: - type: string - key: - type: string - required: - - configMapName - - key - type: object - insecure: - type: boolean - project: - type: string - repo: - type: string - required: - - api - - project - - repo - type: object - continueOnRepoNotFoundError: - type: boolean - filters: - items: - properties: - branchMatch: - type: string - targetBranchMatch: - type: string - titleMatch: - type: string - type: object - type: array - gitea: - properties: - api: - type: string - insecure: - type: boolean - labels: - items: - type: string - type: array - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - - repo - type: object - github: - properties: - api: - type: string - appSecretName: - type: string - labels: - items: - type: string - type: array - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - owner - - repo - type: object - gitlab: - properties: - api: - type: string - caRef: - properties: - configMapName: - type: string - key: - type: string - required: - - configMapName - - key - type: object - insecure: - type: boolean - labels: - items: - type: string - type: array - project: - type: string - pullRequestState: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - project - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - 
labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - 
type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: 
string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - 
type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - 
required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - scmProvider: - properties: - awsCodeCommit: - properties: - allBranches: - type: boolean - region: - type: string - role: - type: string - tagFilters: - items: - properties: - key: - type: string - value: - type: string - required: - - key - type: object - type: array - type: object - azureDevOps: - properties: - accessTokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - allBranches: - type: boolean - api: - type: string - organization: - type: string - teamProject: - type: string - required: - - accessTokenRef - - organization - - teamProject - type: object - bitbucket: - properties: - allBranches: - type: boolean - appPasswordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - owner: - type: string - user: - type: string - required: - - appPasswordRef - - owner - - user - type: object - bitbucketServer: - properties: - allBranches: - type: boolean - api: - type: string - basicAuth: - properties: - passwordRef: - 
properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - bearerToken: - properties: - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - tokenRef - type: object - caRef: - properties: - configMapName: - type: string - key: - type: string - required: - - configMapName - - key - type: object - insecure: - type: boolean - project: - type: string - required: - - api - - project - type: object - cloneProtocol: - type: string - filters: - items: - properties: - branchMatch: - type: string - labelMatch: - type: string - pathsDoNotExist: - items: - type: string - type: array - pathsExist: - items: - type: string - type: array - repositoryMatch: - type: string - type: object - type: array - gitea: - properties: - allBranches: - type: boolean - api: - type: string - insecure: - type: boolean - owner: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - type: object - github: - properties: - allBranches: - type: boolean - api: - type: string - appSecretName: - type: string - organization: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - organization - type: object - gitlab: - properties: - allBranches: - type: boolean - api: - type: string - caRef: - properties: - configMapName: - type: string - key: - type: string - required: - - configMapName - - key - type: object - group: - type: string - includeSharedProjects: - type: boolean - includeSubgroups: - type: boolean - insecure: - type: boolean - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - 
topic: - type: string - required: - - group - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - 
namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - 
value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: 
string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - 
properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: array - mergeKeys: - items: - type: string - type: array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: 
object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - 
valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: 
string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - 
apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: 
boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - required: - - generators - - mergeKeys - type: object - plugin: - properties: - configMapRef: - properties: - name: - type: string - required: - - name - type: object - input: - properties: - parameters: - additionalProperties: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: 
object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string 
- labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - 
type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string 
- namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - 
project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - configMapRef - type: object - pullRequest: - properties: - azuredevops: - properties: - api: - type: string - labels: - items: - type: string - type: array - organization: - type: string - project: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - organization - - project - - repo - type: object - bitbucket: - properties: - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - bearerToken: - properties: - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - tokenRef - type: object - owner: - type: string - repo: - type: string - required: - - owner - - repo - type: object - bitbucketServer: - properties: - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - bearerToken: - properties: - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - tokenRef - type: object - caRef: - properties: - configMapName: - type: string - key: - type: string - required: - - configMapName - - key - type: object - insecure: - type: boolean - project: - type: string - repo: - type: string - required: - - api - - project - - repo - type: object - continueOnRepoNotFoundError: - type: boolean - filters: - items: - properties: - 
branchMatch: - type: string - targetBranchMatch: - type: string - titleMatch: - type: string - type: object - type: array - gitea: - properties: - api: - type: string - insecure: - type: boolean - labels: - items: - type: string - type: array - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - - repo - type: object - github: - properties: - api: - type: string - appSecretName: - type: string - labels: - items: - type: string - type: array - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - owner - - repo - type: object - gitlab: - properties: - api: - type: string - caRef: - properties: - configMapName: - type: string - key: - type: string - required: - - configMapName - - key - type: object - insecure: - type: boolean - labels: - items: - type: string - type: array - project: - type: string - pullRequestState: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - project - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string 
- managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - 
type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object 
- syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: 
- type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: 
string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - scmProvider: - properties: - awsCodeCommit: - properties: - allBranches: - type: boolean - region: - type: string - role: - type: string - tagFilters: - items: - properties: - key: - type: string - value: - type: string - required: - - key - type: object - type: array - type: object - azureDevOps: - properties: - accessTokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - allBranches: - type: boolean - api: - type: string - organization: - type: string - teamProject: - type: string - required: - - accessTokenRef - - organization - - teamProject - type: object - bitbucket: - properties: - allBranches: - type: boolean - appPasswordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - owner: - type: string - user: - type: string - required: - - appPasswordRef - - owner - - user - type: object - bitbucketServer: - properties: - allBranches: - type: boolean - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - bearerToken: - properties: - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - tokenRef - type: object - caRef: - properties: - configMapName: - type: string - key: - type: string - required: - - 
configMapName - - key - type: object - insecure: - type: boolean - project: - type: string - required: - - api - - project - type: object - cloneProtocol: - type: string - filters: - items: - properties: - branchMatch: - type: string - labelMatch: - type: string - pathsDoNotExist: - items: - type: string - type: array - pathsExist: - items: - type: string - type: array - repositoryMatch: - type: string - type: object - type: array - gitea: - properties: - allBranches: - type: boolean - api: - type: string - insecure: - type: boolean - owner: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - type: object - github: - properties: - allBranches: - type: boolean - api: - type: string - appSecretName: - type: string - organization: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - organization - type: object - gitlab: - properties: - allBranches: - type: boolean - api: - type: string - caRef: - properties: - configMapName: - type: string - key: - type: string - required: - - configMapName - - key - type: object - group: - type: string - includeSharedProjects: - type: boolean - includeSubgroups: - type: boolean - insecure: - type: boolean - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - topic: - type: string - required: - - group - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: 
string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - 
version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - 
properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - 
commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean 
- selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: array - goTemplate: - type: boolean - goTemplateOptions: - items: - type: string - type: array - ignoreApplicationDifferences: - items: - properties: - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - name: - type: string - type: object - type: array - preservedFields: - properties: - annotations: - items: - type: string - type: array - labels: - items: - type: string - type: array - type: object - strategy: - properties: - deletionOrder: - type: string - rollingSync: - properties: - steps: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - maxUpdate: - anyOf: - - type: integer - - type: string - 
x-kubernetes-int-or-string: true - type: object - type: array - type: object - type: - type: string - type: object - syncPolicy: - properties: - applicationsSync: - enum: - - create-only - - create-update - - create-delete - - sync - type: string - preserveResourcesOnDeletion: - type: boolean - type: object - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array 
- fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: 
object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - sourceHydrator: - properties: - drySource: - properties: - path: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - path - - repoURL - - targetRevision - type: object - hydrateTo: - properties: - targetBranch: - type: string - required: - - targetBranch - type: object - syncSource: - properties: - path: - minLength: 1 - pattern: ^.{2,}|[^./]$ - type: string - targetBranch: - type: string - required: - - path - - targetBranch - type: object - required: - - drySource - - syncSource - type: object - sources: - items: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - apiVersions: - items: - type: string - type: array - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: 
- type: boolean - kubeVersion: - type: string - namespace: - type: string - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - skipSchemaValidation: - type: boolean - skipTests: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - valuesObject: - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - type: object - kustomize: - properties: - apiVersions: - items: - type: string - type: array - commonAnnotations: - additionalProperties: - type: string - type: object - commonAnnotationsEnvsubst: - type: boolean - commonLabels: - additionalProperties: - type: string - type: object - components: - items: - type: string - type: array - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - ignoreMissingComponents: - type: boolean - images: - items: - type: string - type: array - kubeVersion: - type: string - labelIncludeTemplates: - type: boolean - labelWithoutSelector: - type: boolean - namePrefix: - type: string - nameSuffix: - type: string - namespace: - type: string - patches: - items: - properties: - options: - additionalProperties: - type: boolean - type: object - patch: - type: string - path: - type: string - target: - properties: - annotationSelector: - type: string - group: - type: string - kind: - type: string - labelSelector: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: object - type: array - replicas: - items: - properties: - count: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - name: - type: string - required: - - count - - name - type: object - type: array - version: - type: string - type: object - name: - type: string - path: - type: string - plugin: - properties: - env: - 
items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - parameters: - items: - properties: - array: - items: - type: string - type: array - map: - additionalProperties: - type: string - type: object - name: - type: string - string: - type: string - type: object - type: array - type: object - ref: - type: string - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - type: array - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - enabled: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - managedNamespaceMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - refresh: - type: boolean - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - type: object - required: - - metadata - - spec - type: object - templatePatch: - type: string - required: - - generators - - template - type: object - status: - properties: - applicationStatus: - items: - properties: - application: - type: string - lastTransitionTime: - format: date-time - type: string - message: - type: string - status: - type: string - step: - type: string - targetRevisions: - items: - type: string - type: array - required: - - application - - message - - status - - step - - targetRevisions - type: object - type: array - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - 
message - - reason - - status - - type - type: object - type: array - resources: - items: - properties: - group: - type: string - health: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - status: - type: string - type: object - hook: - type: boolean - kind: - type: string - name: - type: string - namespace: - type: string - requiresDeletionConfirmation: - type: boolean - requiresPruning: - type: boolean - status: - type: string - syncWave: - format: int64 - type: integer - version: - type: string - type: object - type: array - resourcesCount: - format: int64 - type: integer - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: argocd/charts/argo-cd/templates/crds/crd-project.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app.kubernetes.io/name: appprojects.argoproj.io - app.kubernetes.io/part-of: argocd - name: appprojects.argoproj.io -spec: - group: argoproj.io - names: - kind: AppProject - listKind: AppProjectList - plural: appprojects - shortNames: - - appproj - - appprojs - singular: appproject - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - AppProject provides a logical grouping of applications, providing controls for: - * where the apps may deploy to (cluster whitelist) - * what may be deployed (repository whitelist, resource whitelist/blacklist) - * who can access these applications (roles, OIDC group claims bindings) - * and what they can do (RBAC policies) - * automation access to these roles (JWT tokens) - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AppProjectSpec is the specification of an AppProject - properties: - clusterResourceBlacklist: - description: ClusterResourceBlacklist contains list of blacklisted - cluster level resources - items: - description: |- - GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying - concepts during lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - clusterResourceWhitelist: - description: ClusterResourceWhitelist contains list of whitelisted - cluster level resources - items: - description: |- - GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying - concepts during lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - description: - description: Description contains optional project description - maxLength: 255 - type: string - destinationServiceAccounts: - description: DestinationServiceAccounts holds information about the - service accounts to be impersonated for the application sync operation - for each destination. - items: - description: ApplicationDestinationServiceAccount holds information - about the service account to be impersonated for the application - sync operation. 
- properties: - defaultServiceAccount: - description: DefaultServiceAccount to be used for impersonation - during the sync operation - type: string - namespace: - description: Namespace specifies the target namespace for the - application's resources. - type: string - server: - description: Server specifies the URL of the target cluster's - Kubernetes control plane API. - type: string - required: - - defaultServiceAccount - - server - type: object - type: array - destinations: - description: Destinations contains list of destinations available - for deployment - items: - description: ApplicationDestination holds information about the - application's destination - properties: - name: - description: Name is an alternate way of specifying the target - cluster by its symbolic name. This must be set if Server is - not set. - type: string - namespace: - description: |- - Namespace specifies the target namespace for the application's resources. - The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace - type: string - server: - description: Server specifies the URL of the target cluster's - Kubernetes control plane API. This must be set if Name is - not set. - type: string - type: object - type: array - namespaceResourceBlacklist: - description: NamespaceResourceBlacklist contains list of blacklisted - namespace level resources - items: - description: |- - GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying - concepts during lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - namespaceResourceWhitelist: - description: NamespaceResourceWhitelist contains list of whitelisted - namespace level resources - items: - description: |- - GroupKind specifies a Group and a Kind, but does not force a version. 
This is useful for identifying - concepts during lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - orphanedResources: - description: OrphanedResources specifies if controller should monitor - orphaned resources of apps in this project - properties: - ignore: - description: Ignore contains a list of resources that are to be - excluded from orphaned resources monitoring - items: - description: OrphanedResourceKey is a reference to a resource - to be ignored from - properties: - group: - type: string - kind: - type: string - name: - type: string - type: object - type: array - warn: - description: Warn indicates if warning condition should be created - for apps which have orphaned resources - type: boolean - type: object - permitOnlyProjectScopedClusters: - description: PermitOnlyProjectScopedClusters determines whether destinations - can only reference clusters which are project-scoped - type: boolean - roles: - description: Roles are user defined RBAC roles associated with this - project - items: - description: ProjectRole represents a role that has access to a - project - properties: - description: - description: Description is a description of the role - type: string - groups: - description: Groups are a list of OIDC group claims bound to - this role - items: - type: string - type: array - jwtTokens: - description: JWTTokens are a list of generated JWT tokens bound - to this role - items: - description: JWTToken holds the issuedAt and expiresAt values - of a token - properties: - exp: - format: int64 - type: integer - iat: - format: int64 - type: integer - id: - type: string - required: - - iat - type: object - type: array - name: - description: Name is a name for this role - type: string - policies: - description: Policies Stores a list of casbin formatted strings - that define access policies for the role in the project - items: - type: 
string - type: array - required: - - name - type: object - type: array - signatureKeys: - description: SignatureKeys contains a list of PGP key IDs that commits - in Git must be signed with in order to be allowed for sync - items: - description: SignatureKey is the specification of a key required - to verify commit signatures with - properties: - keyID: - description: The ID of the key in hexadecimal notation - type: string - required: - - keyID - type: object - type: array - sourceNamespaces: - description: SourceNamespaces defines the namespaces application resources - are allowed to be created in - items: - type: string - type: array - sourceRepos: - description: SourceRepos contains list of repository URLs which can - be used for deployment - items: - type: string - type: array - syncWindows: - description: SyncWindows controls when syncs can be run for apps in - this project - items: - description: SyncWindow contains the kind, time, duration and attributes - that are used to assign the syncWindows to apps - properties: - andOperator: - description: UseAndOperator use AND operator for matching applications, - namespaces and clusters instead of the default OR operator - type: boolean - applications: - description: Applications contains a list of applications that - the window will apply to - items: - type: string - type: array - clusters: - description: Clusters contains a list of clusters that the window - will apply to - items: - type: string - type: array - description: - description: Description of the sync that will be applied to - the schedule, can be used to add any information such as a - ticket number for example - type: string - duration: - description: Duration is the amount of time the sync window - will be open - type: string - kind: - description: Kind defines if the window allows or blocks syncs - type: string - manualSync: - description: ManualSync enables manual syncs when they would - otherwise be blocked - type: boolean - namespaces: - 
description: Namespaces contains a list of namespaces that the - window will apply to - items: - type: string - type: array - schedule: - description: Schedule is the time the window will begin, specified - in cron format - type: string - timeZone: - description: TimeZone of the sync that will be applied to the - schedule - type: string - type: object - type: array - type: object - status: - description: AppProjectStatus contains status information for AppProject - CRs - properties: - jwtTokensByRole: - additionalProperties: - description: JWTTokens represents a list of JWT tokens - properties: - items: - items: - description: JWTToken holds the issuedAt and expiresAt values - of a token - properties: - exp: - format: int64 - type: integer - iat: - format: int64 - type: integer - id: - type: string - required: - - iat - type: object - type: array - type: object - description: JWTTokensByRole contains a list of JWT tokens issued - for a given role - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true ---- -# Source: argocd/charts/argo-cd/templates/argocd-application-controller/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argocd-application-controller - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: application-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' - - nonResourceURLs: - - '*' - verbs: - - '*' ---- -# Source: argocd/charts/argo-cd/templates/argocd-notifications/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argocd-notifications-controller - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-notifications-controller - 
app.kubernetes.io/instance: argocd - app.kubernetes.io/component: notifications-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -rules: - - apiGroups: - - argoproj.io - resources: - - applications - - appprojects - verbs: - - get - - list - - watch - - update - - patch - - apiGroups: - - "" - resources: - - configmaps - - secrets - verbs: - - list - - watch - - apiGroups: - - "" - resourceNames: - - argocd-notifications-cm - resources: - - configmaps - verbs: - - get - - apiGroups: - - "" - resourceNames: - - argocd-notifications-secret - resources: - - secrets - verbs: - - get ---- -# Source: argocd/charts/argo-cd/templates/argocd-server/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: argocd-server - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - delete # supports deletion a live object in UI - - get # supports viewing live object manifest in UI - - patch # supports `argocd app patch` - - apiGroups: - - "" - resources: - - events - verbs: - - list # supports listing events in UI - - create - - apiGroups: - - "" - resources: - - pods - - pods/log - verbs: - - get # supports viewing pod logs from UI - - apiGroups: - - argoproj.io - resources: - - applications - - applicationsets - verbs: - - get - - list - - update - - watch - - apiGroups: - - batch - resources: - - - jobs - verbs: - - create - - apiGroups: - - argoproj.io - resources: - - workflows - verbs: - - - create ---- -# Source: argocd/charts/argo-cd/templates/argocd-application-controller/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: 
argocd-application-controller - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: application-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argocd-application-controller -subjects: -- kind: ServiceAccount - name: argocd-application-controller - namespace: argocd ---- -# Source: argocd/charts/argo-cd/templates/argocd-notifications/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: argocd-notifications-controller - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-notifications-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: notifications-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argocd-notifications-controller -subjects: -- kind: ServiceAccount - name: argocd-notifications-controller - namespace: argocd ---- -# Source: argocd/charts/argo-cd/templates/argocd-server/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: argocd-server - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argocd-server -subjects: -- kind: ServiceAccount - name: argocd-server - namespace: argocd ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: 
Role -metadata: - name: argocd-redis-ha - namespace: "argocd" - labels: - app: redis-ha - heritage: "Helm" - release: "argocd" - chart: redis-ha-4.34.11 -rules: -- apiGroups: - - "" - resources: - - endpoints - verbs: - - get ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-haproxy-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argocd-redis-ha-haproxy - namespace: "argocd" - labels: - app: redis-ha - heritage: "Helm" - release: "argocd" - chart: redis-ha-4.34.11 - component: haproxy -rules: -- apiGroups: - - "" - resources: - - endpoints - verbs: - - get ---- -# Source: argocd/charts/argo-cd/templates/argocd-application-controller/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argocd-application-controller - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: application-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -rules: -- apiGroups: - - "" - resources: - - secrets - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - argoproj.io - resources: - - applications - - applicationsets - - appprojects - verbs: - - create - - get - - list - - watch - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - list -- apiGroups: - - apps - resources: - - deployments - verbs: - - get - - list - - watch ---- -# Source: argocd/charts/argo-cd/templates/argocd-applicationset/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argocd-applicationset-controller - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-applicationset-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: applicationset-controller - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -rules: - - apiGroups: - - argoproj.io - resources: - - applications - - applicationsets - - applicationsets/finalizers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - argoproj.io - resources: - - applicationsets/status - verbs: - - get - - patch - - update - - apiGroups: - - argoproj.io - resources: - - appprojects - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - get - - list - - patch - - watch - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - update - - delete - - get - - list - - patch - - watch - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - apps - - extensions - resources: - - deployments - verbs: - - get - - list - - watch - # argocd-applicationset-controller leader election rules - # Create with resourceNames fails, so use a separate rule for the lease creation - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - apiGroups: - - coordination.k8s.io - resources: - - leases - resourceNames: - # Defined in `cmd/argocd-applicationset-controller/commands/applicationset_controller.go` - - 58ac56fa.applicationsets.argoproj.io - verbs: - - get - - update - - create ---- -# Source: argocd/charts/argo-cd/templates/argocd-notifications/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argocd-notifications-controller - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-notifications-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: notifications-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -rules: -- apiGroups: - - argoproj.io - resources: - - applications - - appprojects 
- verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - "" - resources: - - configmaps - - secrets - verbs: - - list - - watch -- apiGroups: - - "" - resourceNames: - - argocd-notifications-cm - resources: - - configmaps - verbs: - - get -- apiGroups: - - "" - resourceNames: - - argocd-notifications-secret - resources: - - secrets - verbs: - - get ---- -# Source: argocd/charts/argo-cd/templates/argocd-repo-server/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argocd-repo-server - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-repo-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: repo-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -rules: ---- -# Source: argocd/charts/argo-cd/templates/argocd-server/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argocd-server - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -rules: -- apiGroups: - - "" - resources: - - secrets - - configmaps - verbs: - - create - - get - - list - - watch - - update - - patch - - delete -- apiGroups: - - argoproj.io - resources: - - applications - - applicationsets - - appprojects - verbs: - - create - - get - - list - - watch - - update - - delete - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - list ---- -# Source: argocd/charts/argo-cd/templates/dex/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argocd-dex-server - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/instance: argocd - 
app.kubernetes.io/component: dex-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -rules: -- apiGroups: - - "" - resources: - - secrets - - configmaps - verbs: - - get - - list - - watch ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argocd-redis-ha - namespace: "argocd" - labels: - app: redis-ha - heritage: "Helm" - release: "argocd" - chart: redis-ha-4.34.11 -subjects: -- kind: ServiceAccount - name: argocd-redis-ha -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-redis-ha ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-haproxy-rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argocd-redis-ha-haproxy - namespace: "argocd" - labels: - app: redis-ha - heritage: "Helm" - release: "argocd" - chart: redis-ha-4.34.11 - component: haproxy -subjects: -- kind: ServiceAccount - name: argocd-redis-ha-haproxy -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-redis-ha-haproxy ---- -# Source: argocd/charts/argo-cd/templates/argocd-application-controller/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argocd-application-controller - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: application-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-application-controller -subjects: - - kind: ServiceAccount - name: argocd-application-controller - namespace: argocd ---- -# Source: argocd/charts/argo-cd/templates/argocd-applicationset/rolebinding.yaml 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argocd-applicationset-controller - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-applicationset-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: applicationset-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-applicationset-controller -subjects: - - kind: ServiceAccount - name: argocd-applicationset-controller - namespace: argocd ---- -# Source: argocd/charts/argo-cd/templates/argocd-notifications/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argocd-notifications-controller - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-notifications-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: notifications-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-notifications-controller -subjects: - - kind: ServiceAccount - name: argocd-notifications-controller - namespace: argocd ---- -# Source: argocd/charts/argo-cd/templates/argocd-repo-server/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argocd-repo-server - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-repo-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: repo-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-repo-server -subjects: -- kind: ServiceAccount - name: argocd-repo-server - namespace: 
argocd ---- -# Source: argocd/charts/argo-cd/templates/argocd-server/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argocd-server - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-server -subjects: -- kind: ServiceAccount - name: argocd-server - namespace: argocd ---- -# Source: argocd/charts/argo-cd/templates/dex/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argocd-dex-server - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: dex-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-dex-server -subjects: -- kind: ServiceAccount - name: argocd-dex-server - namespace: argocd ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-announce-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: argocd-redis-ha-announce-0 - namespace: "argocd" - labels: - app: redis-ha - heritage: "Helm" - release: "argocd" - chart: redis-ha-4.34.11 - annotations: -spec: - publishNotReadyAddresses: true - type: ClusterIP - ports: - - name: tcp-server - port: 6379 - protocol: TCP - targetPort: redis - - name: tcp-sentinel - port: 26379 - protocol: TCP - targetPort: sentinel - selector: - release: argocd - app: redis-ha - "statefulset.kubernetes.io/pod-name": argocd-redis-ha-server-0 ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-announce-service.yaml -apiVersion: v1 -kind: 
Service -metadata: - name: argocd-redis-ha-announce-1 - namespace: "argocd" - labels: - app: redis-ha - heritage: "Helm" - release: "argocd" - chart: redis-ha-4.34.11 - annotations: -spec: - publishNotReadyAddresses: true - type: ClusterIP - ports: - - name: tcp-server - port: 6379 - protocol: TCP - targetPort: redis - - name: tcp-sentinel - port: 26379 - protocol: TCP - targetPort: sentinel - selector: - release: argocd - app: redis-ha - "statefulset.kubernetes.io/pod-name": argocd-redis-ha-server-1 ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-announce-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: argocd-redis-ha-announce-2 - namespace: "argocd" - labels: - app: redis-ha - heritage: "Helm" - release: "argocd" - chart: redis-ha-4.34.11 - annotations: -spec: - publishNotReadyAddresses: true - type: ClusterIP - ports: - - name: tcp-server - port: 6379 - protocol: TCP - targetPort: redis - - name: tcp-sentinel - port: 26379 - protocol: TCP - targetPort: sentinel - selector: - release: argocd - app: redis-ha - "statefulset.kubernetes.io/pod-name": argocd-redis-ha-server-2 ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: argocd-redis-ha - namespace: "argocd" - labels: - app: redis-ha - heritage: "Helm" - release: "argocd" - chart: redis-ha-4.34.11 - annotations: -spec: - type: ClusterIP - clusterIP: None - ports: - - name: tcp-server - port: 6379 - protocol: TCP - targetPort: redis - - name: tcp-sentinel - port: 26379 - protocol: TCP - targetPort: sentinel - selector: - release: argocd - app: redis-ha ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-haproxy-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: argocd-redis-ha-haproxy - namespace: "argocd" - labels: - app: redis-ha - heritage: "Helm" - release: "argocd" - chart: redis-ha-4.34.11 - component: haproxy - annotations: -spec: - type: ClusterIP - 
ports: - - name: tcp-haproxy - port: 6379 - protocol: TCP - targetPort: redis - - name: http-exporter-port - port: 9101 - protocol: TCP - targetPort: metrics-port - selector: - release: argocd - app: redis-ha-haproxy ---- -# Source: argocd/charts/argo-cd/templates/argocd-application-controller/metrics.yaml -apiVersion: v1 -kind: Service -metadata: - name: argocd-application-controller-metrics - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-metrics - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: application-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -spec: - type: ClusterIP - ports: - - name: http-metrics - protocol: TCP - port: 8082 - targetPort: metrics - selector: - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/instance: argocd ---- -# Source: argocd/charts/argo-cd/templates/argocd-applicationset/metrics.yaml -apiVersion: v1 -kind: Service -metadata: - name: argocd-applicationset-controller-metrics - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-metrics - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: applicationset-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -spec: - type: ClusterIP - ports: - - name: http-metrics - protocol: TCP - port: 8080 - targetPort: metrics - selector: - app.kubernetes.io/name: argocd-applicationset-controller - app.kubernetes.io/instance: argocd ---- -# Source: argocd/charts/argo-cd/templates/argocd-applicationset/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: argocd-applicationset-controller - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-applicationset-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: applicationset-controller - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -spec: - type: ClusterIP - ports: - - name: http-webhook - port: 7000 - targetPort: webhook - selector: - app.kubernetes.io/name: argocd-applicationset-controller - app.kubernetes.io/instance: argocd ---- -# Source: argocd/charts/argo-cd/templates/argocd-notifications/metrics.yaml -apiVersion: v1 -kind: Service -metadata: - name: argocd-notifications-controller-metrics - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-metrics - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: notifications-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -spec: - type: ClusterIP - selector: - app.kubernetes.io/name: argocd-notifications-controller - app.kubernetes.io/instance: argocd - ports: - - name: http-metrics - protocol: TCP - port: 9001 - targetPort: metrics ---- -# Source: argocd/charts/argo-cd/templates/argocd-repo-server/metrics.yaml -apiVersion: v1 -kind: Service -metadata: - name: argocd-repo-server-metrics - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-repo-server-metrics - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: repo-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -spec: - type: ClusterIP - ports: - - name: http-metrics - protocol: TCP - port: 8084 - targetPort: metrics - selector: - app.kubernetes.io/name: argocd-repo-server - app.kubernetes.io/instance: argocd ---- -# Source: argocd/charts/argo-cd/templates/argocd-repo-server/service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-repo-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: repo-server - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" - name: argocd-repo-server - namespace: argocd -spec: - ports: - - name: tcp-repo-server - protocol: TCP - port: 8081 - targetPort: repo-server - selector: - app.kubernetes.io/name: argocd-repo-server - app.kubernetes.io/instance: argocd ---- -# Source: argocd/charts/argo-cd/templates/argocd-server/metrics.yaml -apiVersion: v1 -kind: Service -metadata: - name: argocd-server-metrics - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-server-metrics - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -spec: - type: ClusterIP - ports: - - name: http-metrics - protocol: TCP - port: 8083 - targetPort: metrics - selector: - app.kubernetes.io/name: argocd-server - app.kubernetes.io/instance: argocd ---- -# Source: argocd/charts/argo-cd/templates/argocd-server/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: argocd-server - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -spec: - type: ClusterIP - sessionAffinity: None - ports: - - name: http - protocol: TCP - port: 80 - targetPort: 8080 - - name: https - protocol: TCP - port: 443 - targetPort: 8080 - selector: - app.kubernetes.io/name: argocd-server - app.kubernetes.io/instance: argocd ---- -# Source: argocd/charts/argo-cd/templates/dex/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: argocd-dex-server - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: dex-server - app.kubernetes.io/managed-by: Helm 
- app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -spec: - ports: - - name: http - protocol: TCP - port: 5556 - targetPort: http - - name: grpc - protocol: TCP - port: 5557 - targetPort: grpc - - name: http-metrics - protocol: TCP - port: 5558 - targetPort: metrics - selector: - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/instance: argocd ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-haproxy-deployment.yaml -kind: Deployment -apiVersion: apps/v1 -metadata: - name: argocd-redis-ha-haproxy - namespace: "argocd" - labels: - app: redis-ha - heritage: "Helm" - release: "argocd" - chart: redis-ha-4.34.11 - component: haproxy -spec: - strategy: - type: RollingUpdate - revisionHistoryLimit: 1 - replicas: 3 - selector: - matchLabels: - app: redis-ha-haproxy - release: argocd - component: haproxy - template: - metadata: - name: argocd-redis-ha-haproxy - labels: - app: redis-ha-haproxy - release: argocd - component: haproxy - app.kubernetes.io/name: argocd-redis-ha-haproxy - annotations: - prometheus.io/port: "9101" - prometheus.io/scrape: "true" - prometheus.io/path: "/metrics" - checksum/config: 41729c8b600983b574147eb778eb317992f0a620e163e58b070b159548c3f8e6 - spec: - # Needed when using unmodified rbac-setup.yml - - serviceAccountName: argocd-redis-ha-haproxy - securityContext: - fsGroup: 99 - runAsNonRoot: true - runAsUser: 99 - automountServiceAccountToken: true - nodeSelector: - {} - tolerations: - [] - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: redis-ha-haproxy - release: argocd - component: haproxy - topologyKey: kubernetes.io/hostname - initContainers: - - name: config-init - image: ecr-public.aws.com/docker/library/haproxy:3.0.8-alpine - imagePullPolicy: IfNotPresent - resources: - {} - command: - - sh - args: - - /readonly/haproxy_init.sh - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - 
readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - name: config-volume - mountPath: /readonly - readOnly: true - - name: data - mountPath: /data - containers: - - name: haproxy - image: ecr-public.aws.com/docker/library/haproxy:3.0.8-alpine - imagePullPolicy: IfNotPresent - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - livenessProbe: - httpGet: - path: /healthz - port: probe - initialDelaySeconds: 5 - periodSeconds: 3 - readinessProbe: - httpGet: - path: /healthz - port: probe - initialDelaySeconds: 5 - periodSeconds: 3 - ports: - - name: probe - containerPort: 8888 - - name: redis - containerPort: 6379 - - name: metrics-port - containerPort: 9101 - resources: - {} - volumeMounts: - - name: data - mountPath: /usr/local/etc/haproxy - - name: shared-socket - mountPath: /run/haproxy - lifecycle: - {} - volumes: - - name: config-volume - configMap: - name: argocd-redis-ha-configmap - - name: shared-socket - emptyDir: - {} - - name: data - emptyDir: - {} ---- -# Source: argocd/charts/argo-cd/templates/argocd-applicationset/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argocd-applicationset-controller - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-applicationset-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: applicationset-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -spec: - replicas: 2 - revisionHistoryLimit: 3 - selector: - matchLabels: - app.kubernetes.io/name: argocd-applicationset-controller - app.kubernetes.io/instance: argocd - template: - metadata: - annotations: - checksum/cmd-params: bf2519278596ec7cee3e61f230a7b6ebbdcc8a5166fe036da04fccfdfa4ac1d1 - labels: - helm.sh/chart: argo-cd-9.1.5 - 
app.kubernetes.io/name: argocd-applicationset-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: applicationset-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" - spec: - terminationGracePeriodSeconds: 30 - serviceAccountName: argocd-applicationset-controller - automountServiceAccountToken: true - containers: - - name: applicationset-controller - image: quay.io/argoproj/argocd:v3.2.1 - imagePullPolicy: IfNotPresent - args: - - /usr/local/bin/argocd-applicationset-controller - - --metrics-addr=:8080 - - --probe-addr=:8081 - - --webhook-addr=:7000 - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.global.preserved.annotations - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_LABELS - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.global.preserved.labels - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_LEADER_ELECTION - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.enable.leader.election - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER - valueFrom: - configMapKeyRef: - key: repo.server - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_POLICY - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.policy - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_POLICY_OVERRIDE - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.enable.policy.override - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_DEBUG - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.debug - name: 
argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGFORMAT - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.log.format - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGLEVEL - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.log.level - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_LOG_FORMAT_TIMESTAMP - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: log.format.timestamp - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.dryrun - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_GIT_MODULES_ENABLED - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.enable.git.submodule - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.enable.progressive.syncs - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_TOKENREF_STRICT_MODE - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.enable.tokenref.strict.mode - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.enable.new.git.file.globbing - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_PLAINTEXT - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: applicationsetcontroller.repo.server.plaintext - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_STRICT_TLS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: applicationsetcontroller.repo.server.strict.tls - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS - valueFrom: - configMapKeyRef: - name: 
argocd-cmd-params-cm - key: applicationsetcontroller.repo.server.timeout.seconds - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_CONCURRENT_RECONCILIATIONS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: applicationsetcontroller.concurrent.reconciliations.max - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACES - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.namespaces - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.scm.root.ca.path - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: applicationsetcontroller.allowed.scm.providers - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: applicationsetcontroller.enable.scm.providers - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_API_METRICS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: applicationsetcontroller.enable.github.api.metrics - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_WEBHOOK_PARALLELISM_LIMIT - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: applicationsetcontroller.webhook.parallelism.limit - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.requeue.after - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_MAX_RESOURCES_STATUS_COUNT - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: applicationsetcontroller.status.max.resources.count - optional: true - ports: - - name: metrics - containerPort: 8080 - protocol: TCP - - name: probe - containerPort: 8081 - protocol: TCP - - name: webhook - 
containerPort: 7000 - protocol: TCP - livenessProbe: - tcpSocket: - port: probe - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - tcpSocket: - port: probe - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /app/config/ssh - name: ssh-known-hosts - - mountPath: /app/config/tls - name: tls-certs - - mountPath: /app/config/gpg/source - name: gpg-keys - - mountPath: /app/config/gpg/keys - name: gpg-keyring - - mountPath: /app/config/reposerver/tls - name: argocd-repo-server-tls - - mountPath: /home/argocd/params - name: argocd-cmd-params-cm - - mountPath: /tmp - name: tmp - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: argocd-applicationset-controller - topologyKey: kubernetes.io/hostname - nodeSelector: - kubernetes.io/os: linux - volumes: - - name: ssh-known-hosts - configMap: - name: argocd-ssh-known-hosts-cm - - name: tls-certs - configMap: - name: argocd-tls-certs-cm - - name: gpg-keys - configMap: - name: argocd-gpg-keys-cm - - name: gpg-keyring - emptyDir: {} - - name: tmp - emptyDir: {} - - name: argocd-repo-server-tls - secret: - secretName: argocd-repo-server-tls - optional: true - items: - - key: tls.crt - path: tls.crt - - key: tls.key - path: tls.key - - key: ca.crt - path: ca.crt - - name: argocd-cmd-params-cm - configMap: - optional: true - name: argocd-cmd-params-cm - items: - - key: applicationsetcontroller.profile.enabled - path: profiler.enabled - dnsPolicy: ClusterFirst ---- -# Source: argocd/charts/argo-cd/templates/argocd-notifications/deployment.yaml -apiVersion: 
apps/v1 -kind: Deployment -metadata: - name: argocd-notifications-controller - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-notifications-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: notifications-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -spec: - replicas: 1 - revisionHistoryLimit: 3 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/name: argocd-notifications-controller - app.kubernetes.io/instance: argocd - template: - metadata: - annotations: - checksum/cmd-params: bf2519278596ec7cee3e61f230a7b6ebbdcc8a5166fe036da04fccfdfa4ac1d1 - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-notifications-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: notifications-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" - spec: - terminationGracePeriodSeconds: 30 - serviceAccountName: argocd-notifications-controller - automountServiceAccountToken: true - containers: - - name: notifications-controller - image: quay.io/argoproj/argocd:v3.2.1 - imagePullPolicy: IfNotPresent - args: - - /usr/local/bin/argocd-notifications - - --metrics-port=9001 - - --namespace=argocd - - --argocd-repo-server=argocd-repo-server:8081 - - --secret-name=argocd-notifications-secret - env: - - name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGLEVEL - valueFrom: - configMapKeyRef: - key: notificationscontroller.log.level - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGFORMAT - valueFrom: - configMapKeyRef: - key: notificationscontroller.log.format - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_LOG_FORMAT_TIMESTAMP - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: log.format.timestamp - optional: true - - name: 
ARGOCD_APPLICATION_NAMESPACES - valueFrom: - configMapKeyRef: - key: application.namespaces - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED - valueFrom: - configMapKeyRef: - key: notificationscontroller.selfservice.enabled - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_NOTIFICATION_CONTROLLER_REPO_SERVER_PLAINTEXT - valueFrom: - configMapKeyRef: - key: notificationscontroller.repo.server.plaintext - name: argocd-cmd-params-cm - optional: true - ports: - - name: metrics - containerPort: 9001 - protocol: TCP - livenessProbe: - tcpSocket: - port: metrics - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - tcpSocket: - port: metrics - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - workingDir: /app - volumeMounts: - - name: tls-certs - mountPath: /app/config/tls - - name: argocd-repo-server-tls - mountPath: /app/config/reposerver/tls - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: argocd-notifications-controller - topologyKey: kubernetes.io/hostname - nodeSelector: - kubernetes.io/os: linux - volumes: - - name: tls-certs - configMap: - name: argocd-tls-certs-cm - - name: argocd-repo-server-tls - secret: - secretName: argocd-repo-server-tls - optional: true - items: - - key: tls.crt - path: tls.crt - - key: tls.key - path: tls.key - - key: ca.crt - path: ca.crt - dnsPolicy: ClusterFirst ---- -# Source: argocd/charts/argo-cd/templates/argocd-repo-server/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: 
argocd-repo-server - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-repo-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: repo-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -spec: - replicas: 2 - revisionHistoryLimit: 3 - selector: - matchLabels: - app.kubernetes.io/name: argocd-repo-server - app.kubernetes.io/instance: argocd - template: - metadata: - annotations: - checksum/cmd-params: bf2519278596ec7cee3e61f230a7b6ebbdcc8a5166fe036da04fccfdfa4ac1d1 - checksum/cm: b85950385c4567f0f6332e53f51df2bbe58a65f5771ac318c863d1b4e831ff9b - checksum/cmp-cm: 889b23506729520737104bb8fb0d94e269ba3ec96a1a0e9ffe5c7bdf1025801c - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-repo-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: repo-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" - spec: - terminationGracePeriodSeconds: 30 - serviceAccountName: argocd-repo-server - automountServiceAccountToken: true - containers: - - name: repo-server - image: quay.io/argoproj/argocd:v3.2.1 - imagePullPolicy: IfNotPresent - args: - - /usr/local/bin/argocd-repo-server - - --port=8081 - - --metrics-port=8084 - env: - - name: ARGOCD_REPO_SERVER_NAME - value: argocd-repo-server - - name: ARGOCD_RECONCILIATION_TIMEOUT - valueFrom: - configMapKeyRef: - name: argocd-cm - key: timeout.reconciliation - optional: true - - name: ARGOCD_REPO_SERVER_LOGFORMAT - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: reposerver.log.format - optional: true - - name: ARGOCD_REPO_SERVER_LOGLEVEL - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: reposerver.log.level - optional: true - - name: ARGOCD_LOG_FORMAT_TIMESTAMP - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: log.format.timestamp - optional: true - - 
name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: reposerver.parallelism.limit - optional: true - - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: reposerver.listen.address - optional: true - - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: reposerver.metrics.listen.address - optional: true - - name: ARGOCD_REPO_SERVER_DISABLE_TLS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: reposerver.disable.tls - optional: true - - name: ARGOCD_TLS_MIN_VERSION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: reposerver.tls.minversion - optional: true - - name: ARGOCD_TLS_MAX_VERSION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: reposerver.tls.maxversion - optional: true - - name: ARGOCD_TLS_CIPHERS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: reposerver.tls.ciphers - optional: true - - name: ARGOCD_REPO_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: reposerver.repo.cache.expiration - optional: true - - name: REDIS_SERVER - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: redis.server - optional: true - - name: REDIS_COMPRESSION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: redis.compression - optional: true - - name: REDISDB - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: redis.db - optional: true - - name: REDIS_USERNAME - valueFrom: - secretKeyRef: - name: "argocd-redis" - key: redis-username - optional: true - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: "argocd-redis" # hard-coded in Job command and embedded Redis deployments (standalone and redis-ha) - key: auth - optional: false # Secret is not optional in this case ! 
- - name: REDIS_SENTINEL_USERNAME - valueFrom: - secretKeyRef: - name: argocd-redis-ha-haproxy - key: redis-sentinel-username - optional: true - - name: REDIS_SENTINEL_PASSWORD - valueFrom: - secretKeyRef: - name: argocd-redis-ha-haproxy - key: redis-sentinel-password - optional: true - - name: ARGOCD_DEFAULT_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: reposerver.default.cache.expiration - optional: true - - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: otlp.address - optional: true - - name: ARGOCD_REPO_SERVER_OTLP_INSECURE - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: otlp.insecure - optional: true - - name: ARGOCD_REPO_SERVER_OTLP_HEADERS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: otlp.headers - optional: true - - name: ARGOCD_REPO_SERVER_OTLP_ATTRS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: otlp.attrs - optional: true - - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: reposerver.max.combined.directory.manifests.size - optional: true - - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: reposerver.plugin.tar.exclusions - optional: true - - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS - valueFrom: - configMapKeyRef: - key: reposerver.plugin.use.manifest.generate.paths - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS - valueFrom: - configMapKeyRef: - key: reposerver.allow.oob.symlinks - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE - valueFrom: - configMapKeyRef: - key: reposerver.streamed.manifest.max.tar.size - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE - 
valueFrom: - configMapKeyRef: - key: reposerver.streamed.manifest.max.extracted.size - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE - valueFrom: - configMapKeyRef: - key: reposerver.helm.manifest.max.extracted.size - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: reposerver.disable.helm.manifest.max.extracted.size - optional: true - - name: ARGOCD_GIT_MODULES_ENABLED - valueFrom: - configMapKeyRef: - key: reposerver.enable.git.submodule - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT - valueFrom: - configMapKeyRef: - key: reposerver.git.lsremote.parallelism.limit - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_GIT_REQUEST_TIMEOUT - valueFrom: - configMapKeyRef: - key: reposerver.git.request.timeout - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_OCI_MANIFEST_MAX_EXTRACTED_SIZE - valueFrom: - configMapKeyRef: - key: reposerver.oci.manifest.max.extracted.size - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_DISABLE_OCI_MANIFEST_MAX_EXTRACTED_SIZE - valueFrom: - configMapKeyRef: - key: reposerver.disable.oci.manifest.max.extracted.size - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_OCI_LAYER_MEDIA_TYPES - valueFrom: - configMapKeyRef: - key: reposerver.oci.layer.media.types - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT - valueFrom: - configMapKeyRef: - key: reposerver.revision.cache.lock.timeout - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_ENABLE_BUILTIN_GIT_CONFIG - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: reposerver.enable.builtin.git.config - optional: true - - name: ARGOCD_GRPC_MAX_SIZE_MB - valueFrom: - configMapKeyRef: - key: 
reposerver.grpc.max.size - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES - valueFrom: - configMapKeyRef: - key: reposerver.include.hidden.directories - name: argocd-cmd-params-cm - optional: true - - name: HELM_CACHE_HOME - value: /helm-working-dir - - name: HELM_CONFIG_HOME - value: /helm-working-dir - - name: HELM_DATA_HOME - value: /helm-working-dir - volumeMounts: - - mountPath: /app/config/ssh - name: ssh-known-hosts - - mountPath: /app/config/tls - name: tls-certs - - mountPath: /app/config/gpg/source - name: gpg-keys - - mountPath: /app/config/gpg/keys - name: gpg-keyring - - mountPath: /app/config/reposerver/tls - name: argocd-repo-server-tls - - mountPath: /helm-working-dir - name: helm-working-dir - - mountPath: /home/argocd/cmp-server/plugins - name: plugins - - mountPath: /tmp - name: tmp - ports: - - name: repo-server - containerPort: 8081 - protocol: TCP - - name: metrics - containerPort: 8084 - protocol: TCP - livenessProbe: - httpGet: - path: /healthz?full=true - port: metrics - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz - port: metrics - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - - command: - - /var/run/argocd/argocd-cmp-server - image: ghcr.io/akuity/cdk8s-cmp-typescript:1.0 - name: cmp-cdk8s - securityContext: - runAsNonRoot: true - runAsUser: 999 - volumeMounts: - - mountPath: /var/run/argocd - name: var-files - - mountPath: /home/argocd/cmp-server/plugins - name: plugins - - mountPath: /home/argocd/cmp-server/config/plugin.yaml - name: argocd-cmp-cm - subPath: cdk8s.yaml - - mountPath: /tmp - name: cmp-tmp - initContainers: 
- - command: - - /bin/cp - - -n - - /usr/local/bin/argocd - - /var/run/argocd/argocd-cmp-server - image: quay.io/argoproj/argocd:v3.2.1 - imagePullPolicy: IfNotPresent - name: copyutil - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /var/run/argocd - name: var-files - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: argocd-repo-server - topologyKey: kubernetes.io/hostname - nodeSelector: - kubernetes.io/os: linux - volumes: - - configMap: - name: argocd-cmp-cm - name: argocd-cmp-cm - - emptyDir: {} - name: cmp-tmp - - name: helm-working-dir - emptyDir: {} - - name: plugins - emptyDir: {} - - name: var-files - emptyDir: {} - - name: tmp - emptyDir: {} - - name: ssh-known-hosts - configMap: - name: argocd-ssh-known-hosts-cm - - name: tls-certs - configMap: - name: argocd-tls-certs-cm - - name: gpg-keys - configMap: - name: argocd-gpg-keys-cm - - name: gpg-keyring - emptyDir: {} - - name: argocd-repo-server-tls - secret: - secretName: argocd-repo-server-tls - optional: true - items: - - key: tls.crt - path: tls.crt - - key: tls.key - path: tls.key - - key: ca.crt - path: ca.crt - dnsPolicy: ClusterFirst ---- -# Source: argocd/charts/argo-cd/templates/argocd-server/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argocd-server - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -spec: - replicas: 2 - revisionHistoryLimit: 3 - selector: - matchLabels: - app.kubernetes.io/name: argocd-server - 
app.kubernetes.io/instance: argocd - template: - metadata: - annotations: - checksum/cmd-params: bf2519278596ec7cee3e61f230a7b6ebbdcc8a5166fe036da04fccfdfa4ac1d1 - checksum/cm: b85950385c4567f0f6332e53f51df2bbe58a65f5771ac318c863d1b4e831ff9b - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" - spec: - terminationGracePeriodSeconds: 30 - serviceAccountName: argocd-server - automountServiceAccountToken: true - containers: - - name: server - image: quay.io/argoproj/argocd:v3.2.1 - imagePullPolicy: IfNotPresent - args: - - /usr/local/bin/argocd-server - - --port=8080 - - --metrics-port=8083 - env: - - name: ARGOCD_SERVER_NAME - value: argocd-server - - name: ARGOCD_SERVER_INSECURE - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.insecure - optional: true - - name: ARGOCD_SERVER_BASEHREF - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.basehref - optional: true - - name: ARGOCD_SERVER_ROOTPATH - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.rootpath - optional: true - - name: ARGOCD_SERVER_LOGFORMAT - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.log.format - optional: true - - name: ARGOCD_SERVER_LOG_LEVEL - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.log.level - optional: true - - name: ARGOCD_SERVER_REPO_SERVER - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: repo.server - optional: true - - name: ARGOCD_SERVER_DEX_SERVER - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.dex.server - optional: true - - name: ARGOCD_SERVER_DISABLE_AUTH - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.disable.auth - optional: true - - name: ARGOCD_SERVER_ENABLE_GZIP - 
valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.enable.gzip - optional: true - - name: ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.repo.server.timeout.seconds - optional: true - - name: ARGOCD_SERVER_X_FRAME_OPTIONS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.x.frame.options - optional: true - - name: ARGOCD_SERVER_CONTENT_SECURITY_POLICY - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.content.security.policy - optional: true - - name: ARGOCD_SERVER_REPO_SERVER_PLAINTEXT - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.repo.server.plaintext - optional: true - - name: ARGOCD_SERVER_REPO_SERVER_STRICT_TLS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.repo.server.strict.tls - optional: true - - name: ARGOCD_SERVER_DEX_SERVER_PLAINTEXT - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.dex.server.plaintext - optional: true - - name: ARGOCD_SERVER_DEX_SERVER_STRICT_TLS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.dex.server.strict.tls - optional: true - - name: ARGOCD_TLS_MIN_VERSION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.tls.minversion - optional: true - - name: ARGOCD_TLS_MAX_VERSION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.tls.maxversion - optional: true - - name: ARGOCD_TLS_CIPHERS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.tls.ciphers - optional: true - - name: ARGOCD_SERVER_CONNECTION_STATUS_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.connection.status.cache.expiration - optional: true - - name: ARGOCD_SERVER_OIDC_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.oidc.cache.expiration - optional: true - - name: 
ARGOCD_SERVER_STATIC_ASSETS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.staticassets - optional: true - - name: ARGOCD_APP_STATE_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.app.state.cache.expiration - optional: true - - name: REDIS_SERVER - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: redis.server - optional: true - - name: REDIS_COMPRESSION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: redis.compression - optional: true - - name: REDISDB - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: redis.db - optional: true - - name: REDIS_USERNAME - valueFrom: - secretKeyRef: - name: "argocd-redis" - key: redis-username - optional: true - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: "argocd-redis" # hard-coded in Job command and embedded Redis deployments (standalone and redis-ha) - key: auth - optional: false # Secret is not optional in this case ! 
- - name: REDIS_SENTINEL_USERNAME - valueFrom: - secretKeyRef: - name: argocd-redis-ha-haproxy - key: redis-sentinel-username - optional: true - - name: REDIS_SENTINEL_PASSWORD - valueFrom: - secretKeyRef: - name: argocd-redis-ha-haproxy - key: redis-sentinel-password - optional: true - - name: ARGOCD_DEFAULT_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.default.cache.expiration - optional: true - - name: ARGOCD_MAX_COOKIE_NUMBER - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.http.cookie.maxnumber - optional: true - - name: ARGOCD_SERVER_LISTEN_ADDRESS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.listen.address - optional: true - - name: ARGOCD_SERVER_METRICS_LISTEN_ADDRESS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.metrics.listen.address - optional: true - - name: ARGOCD_SERVER_OTLP_ADDRESS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: otlp.address - optional: true - - name: ARGOCD_SERVER_OTLP_INSECURE - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: otlp.insecure - optional: true - - name: ARGOCD_SERVER_OTLP_HEADERS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: otlp.headers - optional: true - - name: ARGOCD_SERVER_OTLP_ATTRS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: otlp.attrs - optional: true - - name: ARGOCD_APPLICATION_NAMESPACES - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: application.namespaces - optional: true - - name: ARGOCD_SERVER_ENABLE_PROXY_EXTENSION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.enable.proxy.extension - optional: true - - name: ARGOCD_K8SCLIENT_RETRY_MAX - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.k8sclient.retry.max - optional: true - - name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF - valueFrom: - configMapKeyRef: - name: 
argocd-cmd-params-cm - key: server.k8sclient.retry.base.backoff - optional: true - - name: ARGOCD_API_CONTENT_TYPES - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.api.content.types - optional: true - - name: ARGOCD_SERVER_WEBHOOK_PARALLELISM_LIMIT - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.webhook.parallelism.limit - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.enable.new.git.file.globbing - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH - valueFrom: - configMapKeyRef: - key: applicationsetcontroller.scm.root.ca.path - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: applicationsetcontroller.allowed.scm.providers - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: applicationsetcontroller.enable.scm.providers - optional: true - - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_API_METRICS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: applicationsetcontroller.enable.github.api.metrics - optional: true - - name: ARGOCD_HYDRATOR_ENABLED - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: hydrator.enabled - optional: true - - name: ARGOCD_SYNC_WITH_REPLACE_ALLOWED - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: server.sync.replace.allowed - optional: true - volumeMounts: - - mountPath: /app/config/ssh - name: ssh-known-hosts - - mountPath: /app/config/tls - name: tls-certs - - mountPath: /app/config/server/tls - name: argocd-repo-server-tls - - mountPath: /app/config/dex/tls - name: argocd-dex-server-tls - - mountPath: /home/argocd - name: plugins-home - - mountPath: 
/shared/app/custom - name: styles - - mountPath: /tmp - name: tmp - - name: argocd-cmd-params-cm - mountPath: /home/argocd/params - - mountPath: /tmp/extensions - name: extensions - ports: - - name: server - containerPort: 8080 - protocol: TCP - - name: metrics - containerPort: 8083 - protocol: TCP - livenessProbe: - httpGet: - path: /healthz?full=true - port: server - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz - port: server - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - initContainers: - - name: extension-trivy - image: quay.io/argoprojlabs/argocd-extension-installer:v0.0.8 - imagePullPolicy: IfNotPresent - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - volumeMounts: - - name: extensions - mountPath: /tmp/extensions/ - - name: tmp - mountPath: /tmp - env: - - name: EXTENSION_URL - value: https://github.com/mziyabo/argocd-trivy-extension/releases/download/v0.2.0/extension-trivy.tar - - name: EXTENSION_CHECKSUM_URL - value: https://github.com/mziyabo/argocd-trivy-extension/releases/download/v0.2.0/extension-trivy_checksums.txt - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: argocd-server - topologyKey: kubernetes.io/hostname - nodeSelector: - kubernetes.io/os: linux - volumes: - - name: extensions - emptyDir: {} - - name: plugins-home - emptyDir: {} - - name: tmp - emptyDir: {} - - name: ssh-known-hosts - 
configMap: - name: argocd-ssh-known-hosts-cm - - name: tls-certs - configMap: - name: argocd-tls-certs-cm - - name: styles - configMap: - name: argocd-styles-cm - optional: true - - name: argocd-repo-server-tls - secret: - secretName: argocd-repo-server-tls - optional: true - items: - - key: tls.crt - path: tls.crt - - key: tls.key - path: tls.key - - key: ca.crt - path: ca.crt - - name: argocd-dex-server-tls - secret: - secretName: argocd-dex-server-tls - optional: true - items: - - key: tls.crt - path: tls.crt - - key: ca.crt - path: ca.crt - - name: argocd-cmd-params-cm - configMap: - optional: true - name: argocd-cmd-params-cm - items: - - key: server.profile.enabled - path: profiler.enabled - dnsPolicy: ClusterFirst ---- -# Source: argocd/charts/argo-cd/templates/dex/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argocd-dex-server - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: dex-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -spec: - replicas: 1 - revisionHistoryLimit: 3 - selector: - matchLabels: - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/instance: argocd - template: - metadata: - annotations: - checksum/cmd-params: bf2519278596ec7cee3e61f230a7b6ebbdcc8a5166fe036da04fccfdfa4ac1d1 - checksum/cm: b85950385c4567f0f6332e53f51df2bbe58a65f5771ac318c863d1b4e831ff9b - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: dex-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" - spec: - terminationGracePeriodSeconds: 30 - serviceAccountName: argocd-dex-server - automountServiceAccountToken: true - containers: - - name: dex-server - image: ghcr.io/dexidp/dex:v2.44.0 
- imagePullPolicy: IfNotPresent - command: - - /shared/argocd-dex - args: - - rundex - env: - - name: ARGOCD_DEX_SERVER_LOGFORMAT - valueFrom: - configMapKeyRef: - key: dexserver.log.format - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_DEX_SERVER_LOGLEVEL - valueFrom: - configMapKeyRef: - key: dexserver.log.level - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_LOG_FORMAT_TIMESTAMP - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: log.format.timestamp - optional: true - - name: ARGOCD_DEX_SERVER_DISABLE_TLS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: dexserver.disable.tls - optional: true - ports: - - name: http - containerPort: 5556 - protocol: TCP - - name: grpc - containerPort: 5557 - protocol: TCP - - name: metrics - containerPort: 5558 - protocol: TCP - livenessProbe: - httpGet: - path: /healthz/live - port: metrics - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz/ready - port: metrics - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - name: static-files - mountPath: /shared - - name: dexconfig - mountPath: /tmp - - name: argocd-dex-server-tls - mountPath: /tls - initContainers: - - name: copyutil - image: quay.io/argoproj/argocd:v3.2.1 - imagePullPolicy: IfNotPresent - command: - - /bin/cp - - -n - - /usr/local/bin/argocd - - /shared/argocd-dex - volumeMounts: - - mountPath: /shared - name: static-files - - mountPath: /tmp - name: dexconfig - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - 
runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: argocd-dex-server - topologyKey: kubernetes.io/hostname - nodeSelector: - kubernetes.io/os: linux - volumes: - - name: static-files - emptyDir: {} - - name: dexconfig - emptyDir: {} - - name: argocd-dex-server-tls - secret: - secretName: argocd-dex-server-tls - optional: true - items: - - key: tls.crt - path: tls.crt - - key: tls.key - path: tls.key - - key: ca.crt - path: ca.crt - dnsPolicy: ClusterFirst ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-statefulset.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: argocd-redis-ha-server - namespace: "argocd" - labels: - argocd-redis-ha: replica - app: redis-ha - heritage: "Helm" - release: "argocd" - chart: redis-ha-4.34.11 - annotations: - {} -spec: - selector: - matchLabels: - release: argocd - app: redis-ha - serviceName: argocd-redis-ha - replicas: 3 - podManagementPolicy: OrderedReady - updateStrategy: - type: RollingUpdate - template: - metadata: - annotations: - checksum/init-config: ba53465a7f9221d17ea160133c99baec040e67b7b15fb4743adc8eca497cdf89 - labels: - release: argocd - app: redis-ha - argocd-redis-ha: replica - spec: - terminationGracePeriodSeconds: 60 - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: redis-ha - release: argocd - argocd-redis-ha: replica - topologyKey: kubernetes.io/hostname - securityContext: - fsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - serviceAccountName: argocd-redis-ha - automountServiceAccountToken: false - initContainers: - - name: config-init - image: ecr-public.aws.com/docker/library/redis:8.2.2-alpine - imagePullPolicy: IfNotPresent - resources: - {} - command: - - sh - args: - - /readonly-config/init.sh - securityContext: - 
allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - env: - - name: SENTINEL_ID_0 - value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6 - - name: SENTINEL_ID_1 - value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4 - - name: SENTINEL_ID_2 - value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca - volumeMounts: - - name: config - mountPath: /readonly-config - readOnly: true - - name: data - mountPath: /data - - - - containers: - - name: redis - image: ecr-public.aws.com/docker/library/redis:8.2.2-alpine - imagePullPolicy: IfNotPresent - command: - - redis-server - args: - - /data/conf/redis.conf - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - livenessProbe: - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 15 - successThreshold: 1 - failureThreshold: 5 - exec: - command: - - sh - - -c - - /health/redis_liveness.sh - readinessProbe: - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 15 - successThreshold: 1 - failureThreshold: 5 - exec: - command: - - sh - - -c - - /health/redis_readiness.sh - startupProbe: - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 15 - successThreshold: 1 - failureThreshold: 5 - exec: - command: - - sh - - -c - - /health/redis_readiness.sh - resources: - {} - ports: - - name: redis - containerPort: 6379 - volumeMounts: - - name: config - mountPath: /readonly-config - readOnly: true - - mountPath: /data - name: data - - mountPath: /health - name: health - lifecycle: - preStop: - exec: - command: - - /bin/sh - - /readonly-config/trigger-failover-if-master.sh - - name: sentinel - image: ecr-public.aws.com/docker/library/redis:8.2.2-alpine - imagePullPolicy: IfNotPresent - command: - - redis-sentinel - args: - - /data/conf/sentinel.conf - 
securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - livenessProbe: - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 15 - successThreshold: 1 - failureThreshold: 5 - exec: - command: - - sh - - -c - - /health/sentinel_liveness.sh - readinessProbe: - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 15 - successThreshold: 3 - failureThreshold: 5 - exec: - command: - - sh - - -c - - /health/sentinel_liveness.sh - startupProbe: - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 15 - successThreshold: 1 - failureThreshold: 3 - exec: - command: - - sh - - -c - - /health/sentinel_liveness.sh - resources: - {} - ports: - - name: sentinel - containerPort: 26379 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /health - name: health - lifecycle: - {} - - - name: split-brain-fix - image: ecr-public.aws.com/docker/library/redis:8.2.2-alpine - imagePullPolicy: IfNotPresent - command: - - sh - args: - - /readonly-config/fix-split-brain.sh - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - env: - - name: SENTINEL_ID_0 - value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6 - - name: SENTINEL_ID_1 - value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4 - - name: SENTINEL_ID_2 - value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca - resources: - {} - volumeMounts: - - name: config - mountPath: /readonly-config - readOnly: true - - mountPath: /data - name: data - volumes: - - name: config - configMap: - name: argocd-redis-ha-configmap - - name: health - configMap: - name: argocd-redis-ha-health-configmap - defaultMode: 0755 - - name: data - emptyDir: - {} ---- -# Source: argocd/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml 
-apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: argocd-application-controller - namespace: argocd - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: application-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" -spec: - replicas: 1 - revisionHistoryLimit: 5 - serviceName: argocd-application-controller - selector: - matchLabels: - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/instance: argocd - template: - metadata: - annotations: - checksum/cmd-params: bf2519278596ec7cee3e61f230a7b6ebbdcc8a5166fe036da04fccfdfa4ac1d1 - checksum/cm: b85950385c4567f0f6332e53f51df2bbe58a65f5771ac318c863d1b4e831ff9b - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: application-controller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" - spec: - terminationGracePeriodSeconds: 30 - serviceAccountName: argocd-application-controller - automountServiceAccountToken: true - containers: - - args: - - /usr/local/bin/argocd-application-controller - - --metrics-port=8082 - image: quay.io/argoproj/argocd:v3.2.1 - imagePullPolicy: IfNotPresent - name: application-controller - env: - - name: ARGOCD_CONTROLLER_REPLICAS - value: "1" - - name: ARGOCD_APPLICATION_CONTROLLER_NAME - value: argocd-application-controller - - name: ARGOCD_RECONCILIATION_TIMEOUT - valueFrom: - configMapKeyRef: - name: argocd-cm - key: timeout.reconciliation - optional: true - - name: ARGOCD_HARD_RECONCILIATION_TIMEOUT - valueFrom: - configMapKeyRef: - name: argocd-cm - key: timeout.hard.reconciliation - optional: true - - name: ARGOCD_RECONCILIATION_JITTER - valueFrom: - configMapKeyRef: - key: timeout.reconciliation.jitter - name: 
argocd-cm - optional: true - - name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.repo.error.grace.period.seconds - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: repo.server - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.repo.server.timeout.seconds - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.status.processors - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.operation.processors - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.log.format - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.log.level - optional: true - - name: ARGOCD_LOG_FORMAT_TIMESTAMP - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: log.format.timestamp - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.metrics.cache.expiration - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.self.heal.timeout.seconds - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.self.heal.backoff.timeout.seconds - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR - 
valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.self.heal.backoff.factor - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.self.heal.backoff.cap.seconds - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_COOLDOWN_SECONDS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.self.heal.backoff.cooldown.seconds - optional: true - - name: ARGOCD_SYNC_WAVE_DELAY - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.sync.wave.delay.seconds - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_SYNC_TIMEOUT - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.sync.timeout.seconds - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.repo.server.plaintext - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.repo.server.strict.tls - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.resource.health.persist - optional: true - - name: ARGOCD_APP_STATE_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.app.state.cache.expiration - optional: true - - name: REDIS_SERVER - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: redis.server - optional: true - - name: REDIS_COMPRESSION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: redis.compression - optional: true - - name: REDISDB - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: redis.db - optional: true - - name: REDIS_USERNAME - valueFrom: - secretKeyRef: - name: "argocd-redis" - 
key: redis-username - optional: true - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: "argocd-redis" # hard-coded in Job command and embedded Redis deployments (standalone and redis-ha) - key: auth - optional: false # Secret is not optional in this case ! - - name: REDIS_SENTINEL_USERNAME - valueFrom: - secretKeyRef: - name: argocd-redis-ha-haproxy - key: redis-sentinel-username - optional: true - - name: REDIS_SENTINEL_PASSWORD - valueFrom: - secretKeyRef: - name: argocd-redis-ha-haproxy - key: redis-sentinel-password - optional: true - - name: ARGOCD_DEFAULT_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.default.cache.expiration - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: otlp.address - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: otlp.insecure - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: otlp.headers - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ATTRS - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: otlp.attrs - optional: true - - name: ARGOCD_APPLICATION_NAMESPACES - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: application.namespaces - optional: true - - name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.sharding.algorithm - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.kubectl.parallelism.limit - optional: true - - name: ARGOCD_K8SCLIENT_RETRY_MAX - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.k8sclient.retry.max - optional: true - - name: 
ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.k8sclient.retry.base.backoff - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.diff.server.side - optional: true - - name: ARGOCD_IGNORE_NORMALIZER_JQ_TIMEOUT - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.ignore.normalizer.jq.timeout - optional: true - - name: ARGOCD_HYDRATOR_ENABLED - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: hydrator.enabled - optional: true - - name: ARGOCD_CLUSTER_CACHE_BATCH_EVENTS_PROCESSING - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.cluster.cache.batch.events.processing - optional: true - - name: ARGOCD_CLUSTER_CACHE_EVENTS_PROCESSING_INTERVAL - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: controller.cluster.cache.events.processing.interval - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_COMMIT_SERVER - valueFrom: - configMapKeyRef: - name: argocd-cmd-params-cm - key: commit.server - optional: true - - name: KUBECACHEDIR - value: /tmp/kubecache - ports: - - name: metrics - containerPort: 8082 - protocol: TCP - readinessProbe: - httpGet: - path: /healthz - port: metrics - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - workingDir: /home/argocd - volumeMounts: - - mountPath: /app/config/controller/tls - name: argocd-repo-server-tls - - mountPath: /home/argocd - name: argocd-home - - name: argocd-cmd-params-cm - mountPath: /home/argocd/params - - name: argocd-application-controller-tmp - mountPath: /tmp - affinity: - podAntiAffinity: - 
preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: argocd-application-controller - topologyKey: kubernetes.io/hostname - nodeSelector: - kubernetes.io/os: linux - volumes: - - name: argocd-home - emptyDir: {} - - name: argocd-application-controller-tmp - emptyDir: {} - - name: argocd-repo-server-tls - secret: - secretName: argocd-repo-server-tls - optional: true - items: - - key: tls.crt - path: tls.crt - - key: tls.key - path: tls.key - - key: ca.crt - path: ca.crt - - name: argocd-cmd-params-cm - configMap: - optional: true - name: argocd-cmd-params-cm - items: - - key: controller.profile.enabled - path: profiler.enabled - dnsPolicy: ClusterFirst ---- -# Source: argocd/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: argocd-oidc-secret - namespace: argocd - labels: - app.kubernetes.io/name: argocd-oidc-secret - app.kubernetes.io/instance: argocd - app.kubernetes.io/part-of: argocd -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: secret - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/argocd - metadataPolicy: None - property: secret - - secretKey: client - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/argocd - metadataPolicy: None - property: client ---- -# Source: argocd/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: argocd-notifications-secret - namespace: argocd - labels: - app.kubernetes.io/name: argocd-notifications-secret - app.kubernetes.io/instance: argocd - app.kubernetes.io/part-of: argocd -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ntfy-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /ntfy/user/cl01tl - metadataPolicy: None - property: token - -# 
--- -# apiVersion: external-secrets.io/v1 -# kind: ExternalSecret -# metadata: -# name: argocd-gitea-repo-infrastructure-secret -# namespace: argocd -# labels: -# app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret -# app.kubernetes.io/instance: argocd -# app.kubernetes.io/part-of: argocd -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: vault -# data: -# - secretKey: type -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/argocd/credentials/repo/infrastructure -# metadataPolicy: None -# property: type -# - secretKey: url -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/argocd/credentials/repo/infrastructure -# metadataPolicy: None -# property: url -# - secretKey: sshPrivateKey -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/argocd/credentials/repo/infrastructure -# metadataPolicy: None -# property: sshPrivateKey ---- -# Source: argocd/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-argocd - namespace: argocd - labels: - app.kubernetes.io/name: http-route-argocd - app.kubernetes.io/instance: argocd - app.kubernetes.io/part-of: argocd -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - argocd.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: argocd-server - port: 80 - weight: 100 ---- -# Source: argocd/charts/argo-cd/templates/redis-secret-init/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: argocd-redis-secret-init - namespace: "argocd" - annotations: - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-redis-secret-init - 
app.kubernetes.io/instance: argocd - app.kubernetes.io/component: redis-secret-init - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" ---- -# Source: argocd/charts/argo-cd/templates/redis-secret-init/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-redis-secret-init - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: redis-secret-init - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" - name: argocd-redis-secret-init - namespace: "argocd" -rules: - - apiGroups: - - "" - resources: - - secrets - resourceNames: - - argocd-redis - verbs: - - get - - apiGroups: - - "" - resources: - - secrets - verbs: - - create ---- -# Source: argocd/charts/argo-cd/templates/redis-secret-init/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-redis-secret-init - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: redis-secret-init - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" - name: argocd-redis-secret-init - namespace: "argocd" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-redis-secret-init -subjects: - - kind: ServiceAccount - name: argocd-redis-secret-init ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/tests/test-redis-ha-configmap.yaml -apiVersion: v1 -kind: Pod -metadata: - name: argocd-redis-ha-configmap-test - namespace: "argocd" - labels: - app: redis-ha - heritage: "Helm" - release: "argocd" - 
chart: redis-ha-4.34.11 - annotations: - "helm.sh/hook": test-success -spec: - nodeSelector: - {} - tolerations: - [] - containers: - - name: check-init - image: koalaman/shellcheck:v0.10.0 - args: - - --shell=sh - - /readonly-config/init.sh - volumeMounts: - - name: config - mountPath: /readonly-config - readOnly: true - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - restartPolicy: Never - volumes: - - name: config - configMap: - name: argocd-redis-ha-configmap ---- -# Source: argocd/charts/argo-cd/charts/redis-ha/templates/tests/test-redis-ha-pod.yaml -apiVersion: v1 -kind: Pod -metadata: - name: argocd-redis-ha-service-test - namespace: "argocd" - labels: - app: redis-ha - heritage: "Helm" - release: "argocd" - chart: redis-ha-4.34.11 - annotations: - "helm.sh/hook": test-success -spec: - nodeSelector: - {} - tolerations: - [] - containers: - - name: "argocd-service-test" - image: ecr-public.aws.com/docker/library/redis:8.2.2-alpine - command: - - sh - - -c - - redis-cli -h argocd-redis-ha-haproxy -p 6379 info server - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - restartPolicy: Never ---- -# Source: argocd/charts/argo-cd/templates/redis-secret-init/job.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: argocd-redis-secret-init - namespace: "argocd" - annotations: - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-redis-secret-init - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: redis-secret-init - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - 
app.kubernetes.io/version: "v3.2.1" -spec: - ttlSecondsAfterFinished: 60 - template: - metadata: - labels: - helm.sh/chart: argo-cd-9.1.5 - app.kubernetes.io/name: argocd-redis-secret-init - app.kubernetes.io/instance: argocd - app.kubernetes.io/component: redis-secret-init - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: argocd - app.kubernetes.io/version: "v3.2.1" - spec: - containers: - - command: - - argocd - - admin - - redis-initial-password - image: quay.io/argoproj/argocd:v3.2.1 - imagePullPolicy: IfNotPresent - name: secret-init - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - restartPolicy: OnFailure - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: argocd-redis-secret-init - topologyKey: kubernetes.io/hostname - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: argocd-redis-secret-init diff --git a/clusters/cl01tl/manifests/audiobookshelf/audiobookshelf.yaml b/clusters/cl01tl/manifests/audiobookshelf/audiobookshelf.yaml deleted file mode 100644 index 2c267bd72..000000000 --- a/clusters/cl01tl/manifests/audiobookshelf/audiobookshelf.yaml +++ /dev/null 
@@ -1,471 +0,0 @@ ---- -# Source: audiobookshelf/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: audiobookshelf-nfs-storage - namespace: audiobookshelf - labels: - app.kubernetes.io/name: audiobookshelf-nfs-storage - app.kubernetes.io/instance: audiobookshelf - app.kubernetes.io/part-of: audiobookshelf -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: audiobookshelf/charts/audiobookshelf/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: audiobookshelf-config - labels: - app.kubernetes.io/instance: audiobookshelf - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: audiobookshelf - helm.sh/chart: audiobookshelf-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: audiobookshelf -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "2Gi" - storageClassName: "ceph-block" ---- -# Source: audiobookshelf/charts/audiobookshelf/templates/common.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: audiobookshelf-metadata - labels: - app.kubernetes.io/instance: audiobookshelf - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: audiobookshelf - helm.sh/chart: audiobookshelf-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: audiobookshelf -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "10Gi" - storageClassName: "ceph-block" ---- -# Source: audiobookshelf/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: audiobookshelf-nfs-storage-backup - namespace: audiobookshelf - labels: - app.kubernetes.io/name: audiobookshelf-nfs-storage-backup - app.kubernetes.io/instance: audiobookshelf - 
app.kubernetes.io/part-of: audiobookshelf -spec: - volumeMode: Filesystem - storageClassName: nfs-client - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi ---- -# Source: audiobookshelf/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: audiobookshelf-nfs-storage - namespace: audiobookshelf - labels: - app.kubernetes.io/name: audiobookshelf-nfs-storage - app.kubernetes.io/instance: audiobookshelf - app.kubernetes.io/part-of: audiobookshelf -spec: - volumeName: audiobookshelf-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: audiobookshelf/charts/audiobookshelf/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: audiobookshelf - labels: - app.kubernetes.io/instance: audiobookshelf - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: audiobookshelf - app.kubernetes.io/service: audiobookshelf - helm.sh/chart: audiobookshelf-4.4.0 - namespace: audiobookshelf -spec: - type: ClusterIP - ports: - - port: 8000 - targetPort: 8000 - protocol: TCP - name: apprise - - port: 80 - targetPort: 80 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: audiobookshelf - app.kubernetes.io/name: audiobookshelf ---- -# Source: audiobookshelf/charts/audiobookshelf/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: audiobookshelf - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: audiobookshelf - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: audiobookshelf - helm.sh/chart: audiobookshelf-4.4.0 - namespace: audiobookshelf -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: audiobookshelf - app.kubernetes.io/instance: audiobookshelf - template: - metadata: - labels: - 
app.kubernetes.io/controller: main - app.kubernetes.io/instance: audiobookshelf - app.kubernetes.io/name: audiobookshelf - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: PGID - value: "1000" - - name: PUID - value: "1000" - - name: APPRISE_STORAGE_MODE - value: memory - - name: APPRISE_STATEFUL_MODE - value: disabled - - name: APPRISE_WORKER_COUNT - value: "1" - - name: APPRISE_STATELESS_URLS - valueFrom: - secretKeyRef: - key: ntfy-url - name: audiobookshelf-apprise-config - image: caronc/apprise:1.2.6 - imagePullPolicy: IfNotPresent - name: apprise-api - resources: - requests: - cpu: 10m - memory: 128Mi - - env: - - name: TZ - value: US/Central - image: ghcr.io/advplyr/audiobookshelf:2.31.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /mnt/store/ - name: audiobooks - - mountPath: /metadata/backups - name: backup - - mountPath: /config - name: config - - mountPath: /metadata - name: metadata - volumes: - - name: audiobooks - persistentVolumeClaim: - claimName: audiobookshelf-nfs-storage - - name: backup - persistentVolumeClaim: - claimName: audiobookshelf-nfs-storage-backup - - name: config - persistentVolumeClaim: - claimName: audiobookshelf-config - - name: metadata - persistentVolumeClaim: - claimName: audiobookshelf-metadata ---- -# Source: audiobookshelf/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: audiobookshelf-apprise-config - namespace: audiobookshelf - labels: - app.kubernetes.io/name: audiobookshelf-apprise-config - app.kubernetes.io/instance: audiobookshelf - app.kubernetes.io/part-of: audiobookshelf -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ntfy-url - remoteRef: - 
conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/audiobookshelf/apprise - metadataPolicy: None - property: ntfy-url ---- -# Source: audiobookshelf/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: audiobookshelf-config-backup-secret - namespace: audiobookshelf - labels: - app.kubernetes.io/name: audiobookshelf-config-backup-secret - app.kubernetes.io/instance: audiobookshelf - app.kubernetes.io/part-of: audiobookshelf -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/audiobookshelf/audiobookshelf-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: audiobookshelf/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: audiobookshelf-metadata-backup-secret - namespace: audiobookshelf - labels: - app.kubernetes.io/name: audiobookshelf-metadata-backup-secret - 
app.kubernetes.io/instance: audiobookshelf - app.kubernetes.io/part-of: audiobookshelf -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/audiobookshelf/audiobookshelf-metadata" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: audiobookshelf/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-audiobookshelf - namespace: audiobookshelf - labels: - app.kubernetes.io/name: http-route-audiobookshelf - app.kubernetes.io/instance: audiobookshelf - app.kubernetes.io/part-of: audiobookshelf -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - audiobookshelf.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: audiobookshelf - port: 80 - weight: 100 ---- -# Source: 
audiobookshelf/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: audiobookshelf-config-backup-source - namespace: audiobookshelf - labels: - app.kubernetes.io/name: audiobookshelf-config-backup-source - app.kubernetes.io/instance: audiobookshelf - app.kubernetes.io/part-of: audiobookshelf -spec: - sourcePVC: audiobookshelf-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: audiobookshelf-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: audiobookshelf/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: audiobookshelf-metadata-backup-source - namespace: audiobookshelf - labels: - app.kubernetes.io/name: audiobookshelf-metadata-backup-source - app.kubernetes.io/instance: audiobookshelf - app.kubernetes.io/part-of: audiobookshelf -spec: - sourcePVC: audiobookshelf-metadata - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: audiobookshelf-metadata-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: audiobookshelf/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: audiobookshelf-apprise - namespace: audiobookshelf - labels: - app.kubernetes.io/name: audiobookshelf-apprise - app.kubernetes.io/instance: audiobookshelf - app.kubernetes.io/part-of: audiobookshelf -spec: - endpoints: - - port: apprise - interval: 30s - scrapeTimeout: 15s - path: /metrics - selector: - matchLabels: - app.kubernetes.io/name: audiobookshelf - app.kubernetes.io/instance: audiobookshelf 
diff --git a/clusters/cl01tl/manifests/authentik/authentik.yaml b/clusters/cl01tl/manifests/authentik/authentik.yaml deleted file mode 100644 index 01ea555db..000000000 --- a/clusters/cl01tl/manifests/authentik/authentik.yaml +++ /dev/null 
@@ -1,1500 +0,0 @@ ---- -# Source: authentik/charts/authentik/charts/serviceAccount/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: authentik - namespace: "authentik" - labels: - helm.sh/chart: "serviceAccount-2.1.0" - app.kubernetes.io/name: "serviceAccount" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/part-of: "authentik" - app.kubernetes.io/version: "2.1.0" ---- -# Source: authentik/charts/authentik/templates/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: authentik - namespace: "authentik" - labels: - helm.sh/chart: "authentik-2025.10.2" - app.kubernetes.io/name: "authentik" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/part-of: "authentik" - app.kubernetes.io/version: "2025.10.2" -data: - AUTHENTIK_EMAIL__PORT: "NTg3" - AUTHENTIK_EMAIL__TIMEOUT: "MzA=" - AUTHENTIK_EMAIL__USE_SSL: "ZmFsc2U=" - AUTHENTIK_EMAIL__USE_TLS: "ZmFsc2U=" - AUTHENTIK_ENABLED: "dHJ1ZQ==" - AUTHENTIK_ERROR_REPORTING__ENABLED: "ZmFsc2U=" - AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: "azhz" - AUTHENTIK_ERROR_REPORTING__SEND_PII: "ZmFsc2U=" - AUTHENTIK_EVENTS__CONTEXT_PROCESSORS__ASN: "L2dlb2lwL0dlb0xpdGUyLUFTTi5tbWRi" - AUTHENTIK_EVENTS__CONTEXT_PROCESSORS__GEOIP: "L2dlb2lwL0dlb0xpdGUyLUNpdHkubW1kYg==" - AUTHENTIK_LOG_LEVEL: "aW5mbw==" - AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE: "Z2hjci5pby9nb2F1dGhlbnRpay8lKHR5cGUpczolKHZlcnNpb24pcw==" - AUTHENTIK_POSTGRESQL__HOST: "YXV0aGVudGlrLXBvc3RncmVzcWw=" - AUTHENTIK_POSTGRESQL__NAME: "YXV0aGVudGlr" - AUTHENTIK_POSTGRESQL__PORT: "NTQzMg==" - AUTHENTIK_POSTGRESQL__USER: "YXV0aGVudGlr" - AUTHENTIK_REDIS__HOST: "cmVkaXMtcmVwbGljYXRpb24tYXV0aGVudGlrLW1hc3Rlcg==" - AUTHENTIK_WEB__PATH: "Lw==" ---- -# Source: authentik/charts/authentik/charts/serviceAccount/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: "authentik-authentik" - labels: - 
helm.sh/chart: "serviceAccount-2.1.0" - app.kubernetes.io/name: "serviceAccount" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/part-of: "authentik" - app.kubernetes.io/version: "2.1.0" -rules: - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - list ---- -# Source: authentik/charts/authentik/charts/serviceAccount/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: "authentik-authentik" - labels: - helm.sh/chart: "serviceAccount-2.1.0" - app.kubernetes.io/name: "serviceAccount" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/part-of: "authentik" - app.kubernetes.io/version: "2.1.0" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "authentik-authentik" -subjects: - - kind: ServiceAccount - name: authentik - namespace: "authentik" ---- -# Source: authentik/charts/authentik/charts/serviceAccount/templates/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: authentik - namespace: "authentik" - labels: - helm.sh/chart: "serviceAccount-2.1.0" - app.kubernetes.io/name: "serviceAccount" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/part-of: "authentik" - app.kubernetes.io/version: "2.1.0" -rules: - - apiGroups: - - "" - resources: - - secrets - - services - - configmaps - verbs: - - get - - create - - delete - - list - - patch - - apiGroups: - - extensions - - apps - resources: - - deployments - verbs: - - get - - create - - delete - - list - - patch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - create - - delete - - list - - patch - - apiGroups: - - traefik.containo.us - - traefik.io - resources: - - middlewares - verbs: - - get - - create - - delete - - list - - patch - - apiGroups: - - 
gateway.networking.k8s.io - resources: - - httproutes - verbs: - - get - - create - - delete - - list - - patch - - apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create - - delete - - list - - patch - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - list ---- -# Source: authentik/charts/authentik/charts/serviceAccount/templates/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: authentik - namespace: "authentik" - labels: - helm.sh/chart: "serviceAccount-2.1.0" - app.kubernetes.io/name: "serviceAccount" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/part-of: "authentik" - app.kubernetes.io/version: "2.1.0" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: authentik -subjects: - - kind: ServiceAccount - name: authentik - namespace: "authentik" ---- -# Source: authentik/charts/authentik/templates/server/metrics.yaml -apiVersion: v1 -kind: Service -metadata: - name: authentik-server-metrics - namespace: "authentik" - labels: - helm.sh/chart: "authentik-2025.10.2" - app.kubernetes.io/name: "authentik" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/component: "server-metrics" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/part-of: "authentik" - app.kubernetes.io/version: "2025.10.2" -spec: - type: ClusterIP - ports: - - name: metrics - protocol: TCP - port: 9300 - targetPort: metrics - selector: - app.kubernetes.io/name: "authentik" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/component: "server" ---- -# Source: authentik/charts/authentik/templates/server/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: authentik-server - namespace: "authentik" - labels: - helm.sh/chart: "authentik-2025.10.2" - app.kubernetes.io/name: "authentik" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/component: 
"server" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/part-of: "authentik" - app.kubernetes.io/version: "2025.10.2" -spec: - type: ClusterIP - ports: - - name: http - protocol: TCP - port: 80 - targetPort: 9000 - - name: https - protocol: TCP - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/name: "authentik" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/component: "server" ---- -# Source: authentik/charts/authentik/templates/server/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: authentik-server - namespace: "authentik" - labels: - helm.sh/chart: "authentik-2025.10.2" - app.kubernetes.io/name: "authentik" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/component: "server" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/part-of: "authentik" - app.kubernetes.io/version: "2025.10.2" -spec: - replicas: 1 - revisionHistoryLimit: 3 - selector: - matchLabels: - app.kubernetes.io/name: "authentik" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/component: "server" - template: - metadata: - labels: - helm.sh/chart: "authentik-2025.10.2" - app.kubernetes.io/name: "authentik" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/component: "server" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/part-of: "authentik" - app.kubernetes.io/version: "2025.10.2" - annotations: - checksum/secret: 4401a384e06edae0ac2d17733f15a6d40b1b11603c0ce881f1f93313e11b088b - spec: - terminationGracePeriodSeconds: 30 - containers: - - name: server - image: ghcr.io/goauthentik/server:2025.10.2 - imagePullPolicy: IfNotPresent - args: - - server - env: - - name: AUTHENTIK_SECRET_KEY - valueFrom: - secretKeyRef: - key: key - name: authentik-key-secret - - name: AUTHENTIK_POSTGRESQL__HOST - valueFrom: - secretKeyRef: - key: host - name: authentik-postgresql-17-cluster-app - - name: AUTHENTIK_POSTGRESQL__NAME - valueFrom: - secretKeyRef: - key: dbname - name: 
authentik-postgresql-17-cluster-app - - name: AUTHENTIK_POSTGRESQL__USER - valueFrom: - secretKeyRef: - key: user - name: authentik-postgresql-17-cluster-app - - name: AUTHENTIK_POSTGRESQL__PASSWORD - valueFrom: - secretKeyRef: - key: password - name: authentik-postgresql-17-cluster-app - - name: AUTHENTIK_LISTEN__HTTP - value: "0.0.0.0:9000" - - name: AUTHENTIK_LISTEN__HTTPS - value: "0.0.0.0:9443" - - name: AUTHENTIK_LISTEN__METRICS - value: "0.0.0.0:9300" - envFrom: - - secretRef: - name: authentik - ports: - - name: http - containerPort: 9000 - protocol: TCP - - name: https - containerPort: 9443 - protocol: TCP - - name: metrics - containerPort: 9300 - protocol: TCP - livenessProbe: - - failureThreshold: 3 - httpGet: - path: '/-/health/live/' - port: http - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 3 - readinessProbe: - - failureThreshold: 3 - httpGet: - path: '/-/health/ready/' - port: http - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 3 - startupProbe: - - failureThreshold: 60 - httpGet: - path: '/-/health/live/' - port: http - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 3 - resources: - {} - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: "authentik" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/component: "server" - topologyKey: kubernetes.io/hostname - enableServiceLinks: true ---- -# Source: authentik/charts/authentik/templates/worker/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: authentik-worker - namespace: "authentik" - labels: - helm.sh/chart: "authentik-2025.10.2" - app.kubernetes.io/name: "authentik" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/component: "worker" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/part-of: "authentik" - 
app.kubernetes.io/version: "2025.10.2" -spec: - replicas: 1 - revisionHistoryLimit: 3 - selector: - matchLabels: - app.kubernetes.io/name: "authentik" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/component: "worker" - template: - metadata: - labels: - helm.sh/chart: "authentik-2025.10.2" - app.kubernetes.io/name: "authentik" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/component: "worker" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/part-of: "authentik" - app.kubernetes.io/version: "2025.10.2" - annotations: - checksum/secret: 4401a384e06edae0ac2d17733f15a6d40b1b11603c0ce881f1f93313e11b088b - spec: - serviceAccountName: authentik - terminationGracePeriodSeconds: 30 - containers: - - name: worker - image: ghcr.io/goauthentik/server:2025.10.2 - imagePullPolicy: IfNotPresent - args: - - worker - env: - - name: AUTHENTIK_SECRET_KEY - valueFrom: - secretKeyRef: - key: key - name: authentik-key-secret - - name: AUTHENTIK_POSTGRESQL__HOST - valueFrom: - secretKeyRef: - key: host - name: authentik-postgresql-17-cluster-app - - name: AUTHENTIK_POSTGRESQL__NAME - valueFrom: - secretKeyRef: - key: dbname - name: authentik-postgresql-17-cluster-app - - name: AUTHENTIK_POSTGRESQL__USER - valueFrom: - secretKeyRef: - key: user - name: authentik-postgresql-17-cluster-app - - name: AUTHENTIK_POSTGRESQL__PASSWORD - valueFrom: - secretKeyRef: - key: password - name: authentik-postgresql-17-cluster-app - - name: AUTHENTIK_LISTEN__HTTP - value: "0.0.0.0:9000" - - name: AUTHENTIK_LISTEN__METRICS - value: "0.0.0.0:9300" - envFrom: - - secretRef: - name: authentik - ports: - - name: http - containerPort: 9000 - protocol: TCP - - name: metrics - containerPort: 9300 - protocol: TCP - livenessProbe: - - exec: - command: - - ak - - healthcheck - failureThreshold: 3 - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 3 - readinessProbe: - - exec: - command: - - ak - - healthcheck - failureThreshold: 3 - 
initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 3 - startupProbe: - - exec: - command: - - ak - - healthcheck - failureThreshold: 60 - initialDelaySeconds: 30 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 3 - resources: - {} - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: "authentik" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/component: "worker" - topologyKey: kubernetes.io/hostname - enableServiceLinks: true ---- -# Source: authentik/charts/cloudflared/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: authentik-cloudflared - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: authentik - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cloudflared - app.kubernetes.io/version: 2025.10.0 - helm.sh/chart: cloudflared-1.23.1 - namespace: authentik -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: cloudflared - app.kubernetes.io/instance: authentik - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: authentik - app.kubernetes.io/name: cloudflared - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - tunnel - - --protocol - - http2 - - --no-autoupdate - - run - - --token - - $(CF_MANAGED_TUNNEL_TOKEN) - env: - - name: CF_MANAGED_TUNNEL_TOKEN - valueFrom: - secretKeyRef: - key: cf-tunnel-token - name: authentik-cloudflared-secret - image: cloudflare/cloudflared:2025.11.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: 
authentik/templates/ingress.yaml -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: authentik-tailscale - namespace: authentik - labels: - app.kubernetes.io/name: authentik-tailscale - app.kubernetes.io/instance: authentik - app.kubernetes.io/part-of: authentik - tailscale.com/proxy-class: no-metrics - annotations: - tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true" -spec: - ingressClassName: tailscale - tls: - - hosts: - - auth-cl01tl - secretName: auth-cl01tl - rules: - - host: auth-cl01tl - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: authentik-server - port: - number: 80 ---- -# Source: authentik/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: authentik-postgresql-17-cluster - namespace: authentik - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: authentik-postgresql-17 - app.kubernetes.io/instance: authentik - app.kubernetes.io/part-of: authentik - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "authentik-postgresql-17-external-backup" - serverName: "authentik-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "authentik-postgresql-17-garage-local-backup" - serverName: "authentik-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "authentik-postgresql-17-recovery" - serverName: authentik-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: 
local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: authentik-postgresql-17-backup-1 - - externalClusters: - - name: authentik-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "authentik-postgresql-17-recovery" - serverName: authentik-postgresql-17-backup-1 ---- -# Source: authentik/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: authentik-key-secret - namespace: authentik - labels: - app.kubernetes.io/name: authentik-key-secret - app.kubernetes.io/instance: authentik - app.kubernetes.io/part-of: authentik -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: key - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/authentik/key - metadataPolicy: None - property: key ---- -# Source: authentik/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: authentik-cloudflared-secret - namespace: authentik - labels: - app.kubernetes.io/name: authentik-cloudflared-secret - app.kubernetes.io/instance: authentik - app.kubernetes.io/part-of: authentik -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: cf-tunnel-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/tunnels/authentik - metadataPolicy: None - property: token ---- -# 
Source: authentik/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: authentik-postgresql-17-cluster-backup-secret - namespace: authentik - labels: - app.kubernetes.io/name: authentik-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: authentik - app.kubernetes.io/part-of: authentik -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: authentik/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: authentik-postgresql-17-cluster-backup-secret-garage - namespace: authentik - labels: - app.kubernetes.io/name: authentik-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: authentik - app.kubernetes.io/part-of: authentik -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: authentik/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-authentik - 
namespace: authentik - labels: - app.kubernetes.io/name: http-route-authentik - app.kubernetes.io/instance: authentik - app.kubernetes.io/part-of: authentik -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - authentik.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: authentik-server - port: 80 - weight: 100 ---- -# Source: authentik/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "authentik-postgresql-17-external-backup" - namespace: authentik - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: authentik-postgresql-17 - app.kubernetes.io/instance: authentik - app.kubernetes.io/part-of: authentik - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: authentik-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: authentik-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: authentik/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "authentik-postgresql-17-garage-local-backup" - namespace: authentik - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: authentik-postgresql-17 - app.kubernetes.io/instance: authentik - app.kubernetes.io/part-of: authentik - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster - 
endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: authentik-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: authentik-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: authentik-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: authentik/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "authentik-postgresql-17-recovery" - namespace: authentik - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: authentik-postgresql-17 - app.kubernetes.io/instance: authentik - app.kubernetes.io/part-of: authentik - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: authentik-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: authentik-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: authentik/charts/authentik/templates/prometheusrule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: authentik - namespace: "authentik" - labels: - helm.sh/chart: "authentik-2025.10.2" - app.kubernetes.io/name: "authentik" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/part-of: "authentik" - app.kubernetes.io/version: "2025.10.2" -spec: - groups: - - name: authentik Aggregate request counters - rules: - - record: job:django_http_requests_before_middlewares_total:sum_rate30s - expr: sum(rate(django_http_requests_before_middlewares_total[30s])) by (job) - - record: 
job:django_http_requests_unknown_latency_total:sum_rate30s - expr: sum(rate(django_http_requests_unknown_latency_total[30s])) by (job) - - record: job:django_http_ajax_requests_total:sum_rate30s - expr: sum(rate(django_http_ajax_requests_total[30s])) by (job) - - record: job:django_http_responses_before_middlewares_total:sum_rate30s - expr: sum(rate(django_http_responses_before_middlewares_total[30s])) by (job) - - record: job:django_http_requests_unknown_latency_including_middlewares_total:sum_rate30s - expr: sum(rate(django_http_requests_unknown_latency_including_middlewares_total[30s])) by (job) - - record: job:django_http_requests_body_total_bytes:sum_rate30s - expr: sum(rate(django_http_requests_body_total_bytes[30s])) by (job) - - record: job:django_http_responses_streaming_total:sum_rate30s - expr: sum(rate(django_http_responses_streaming_total[30s])) by (job) - - record: job:django_http_responses_body_total_bytes:sum_rate30s - expr: sum(rate(django_http_responses_body_total_bytes[30s])) by (job) - - record: job:django_http_requests_total:sum_rate30s - expr: sum(rate(django_http_requests_total_by_method[30s])) by (job) - - record: job:django_http_requests_total_by_method:sum_rate30s - expr: sum(rate(django_http_requests_total_by_method[30s])) by (job,method) - - record: job:django_http_requests_total_by_transport:sum_rate30s - expr: sum(rate(django_http_requests_total_by_transport[30s])) by (job,transport) - - record: job:django_http_requests_total_by_view:sum_rate30s - expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view) - - record: job:django_http_requests_total_by_view_transport_method:sum_rate30s - expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view,transport,method) - - record: job:django_http_responses_total_by_templatename:sum_rate30s - expr: sum(rate(django_http_responses_total_by_templatename[30s])) by (job,templatename) - - record: 
job:django_http_responses_total_by_status:sum_rate30s - expr: sum(rate(django_http_responses_total_by_status[30s])) by (job,status) - - record: job:django_http_responses_total_by_status_name_method:sum_rate30s - expr: sum(rate(django_http_responses_total_by_status_name_method[30s])) by (job,status,name,method) - - record: job:django_http_responses_total_by_charset:sum_rate30s - expr: sum(rate(django_http_responses_total_by_charset[30s])) by (job,charset) - - record: job:django_http_exceptions_total_by_type:sum_rate30s - expr: sum(rate(django_http_exceptions_total_by_type[30s])) by (job,type) - - record: job:django_http_exceptions_total_by_view:sum_rate30s - expr: sum(rate(django_http_exceptions_total_by_view[30s])) by (job,view) - - - name: authentik Aggregate latency histograms - rules: - - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s - expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le)) - labels: - quantile: "50" - - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s - expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le)) - labels: - quantile: "95" - - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s - expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le)) - labels: - quantile: "99" - - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s - expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le)) - labels: - quantile: "99.9" - - record: job:django_http_requests_latency_seconds:quantile_rate30s - expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le)) - labels: - quantile: "50" - 
- record: job:django_http_requests_latency_seconds:quantile_rate30s - expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le)) - labels: - quantile: "95" - - record: job:django_http_requests_latency_seconds:quantile_rate30s - expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le)) - labels: - quantile: "99" - - record: job:django_http_requests_latency_seconds:quantile_rate30s - expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le)) - labels: - quantile: "99.9" - - - name: authentik Aggregate model operations - rules: - - record: job:django_model_inserts_total:sum_rate1m - expr: sum(rate(django_model_inserts_total[1m])) by (job, model) - - record: job:django_model_updates_total:sum_rate1m - expr: sum(rate(django_model_updates_total[1m])) by (job, model) - - record: job:django_model_deletes_total:sum_rate1m - expr: sum(rate(django_model_deletes_total[1m])) by (job, model) - - name: authentik Aggregate database operations - rules: - - record: job:django_db_new_connections_total:sum_rate30s - expr: sum(rate(django_db_new_connections_total[30s])) by (alias, vendor) - - record: job:django_db_new_connection_errors_total:sum_rate30s - expr: sum(rate(django_db_new_connection_errors_total[30s])) by (alias, vendor) - - record: job:django_db_execute_total:sum_rate30s - expr: sum(rate(django_db_execute_total[30s])) by (alias, vendor) - - record: job:django_db_execute_many_total:sum_rate30s - expr: sum(rate(django_db_execute_many_total[30s])) by (alias, vendor) - - record: job:django_db_errors_total:sum_rate30s - expr: sum(rate(django_db_errors_total[30s])) by (alias, vendor, type) - - - name: authentik Aggregate migrations - rules: - - record: job:django_migrations_applied_total:max - expr: max(django_migrations_applied_total) by (job, connection) - - record: job:django_migrations_unapplied_total:max - expr: 
max(django_migrations_unapplied_total) by (job, connection) - - - name: authentik Alerts - rules: - - alert: NoWorkersConnected - labels: - severity: critical - expr: max (authentik_tasks_workers) < 1 - for: 10m - annotations: - - summary: No workers connected - message: authentik instance {{ $labels.instance }}'s worker are either not running or not connected. - - - - - alert: PendingMigrations - labels: - severity: critical - expr: max without (pid) (django_migrations_unapplied_total) > 0 - for: 10m - annotations: - - summary: Pending database migrations - message: authentik instance {{ $labels.instance }} has pending database migrations - - - - alert: FailedSystemTasks - labels: - severity: critical - expr: sum(increase(authentik_tasks_errors_total[2h])) by (actor_name) > 0 - for: 2h - annotations: - - summary: Failed system tasks - message: System task {{ $labels.actor_name }} has failed on authentik instance {{ $labels.instance }} - - - - alert: DisconnectedOutposts - labels: - severity: critical - expr: sum by (outpost) (max without (pid) (authentik_outposts_connected{uid!~"specific.*"})) < 1 - for: 30m - annotations: - - summary: Disconnected outpost - message: Outpost {{ $labels.outpost }} has at least 1 disconnected instance ---- -# Source: authentik/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: authentik-postgresql-17-alert-rules - namespace: authentik - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: authentik-postgresql-17 - app.kubernetes.io/instance: authentik - app.kubernetes.io/part-of: authentik - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/authentik-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. 
- description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: authentik - cnpg_cluster: authentik-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: authentik - cnpg_cluster: authentik-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="authentik"} - cnpg_pg_replication_is_wal_receiver_up{namespace="authentik"}) < 1 - for: 5m - labels: - severity: critical - namespace: authentik - cnpg_cluster: authentik-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. 
- description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="authentik"} - cnpg_pg_replication_is_wal_receiver_up{namespace="authentik"}) < 2 - for: 5m - labels: - severity: warning - namespace: authentik - cnpg_cluster: authentik-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "authentik/authentik-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="authentik", pod=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="authentik", pod=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: authentik - cnpg_cluster: authentik-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. 
- description: |- - CloudNativePG Cluster "authentik/authentik-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="authentik", pod=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="authentik", pod=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: authentik - cnpg_cluster: authentik-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "authentik/authentik-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="authentik",pod=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: authentik - cnpg_cluster: authentik-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "authentik/authentik-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="authentik", pod=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: authentik - cnpg_cluster: authentik-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: authentik - cnpg_cluster: authentik-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "authentik/authentik-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="authentik", persistentvolumeclaim=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="authentik", persistentvolumeclaim=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="authentik", persistentvolumeclaim=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="authentik", persistentvolumeclaim=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="authentik", persistentvolumeclaim=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="authentik", persistentvolumeclaim=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: authentik - cnpg_cluster: authentik-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "authentik/authentik-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="authentik", persistentvolumeclaim=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="authentik", persistentvolumeclaim=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="authentik", persistentvolumeclaim=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="authentik", persistentvolumeclaim=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="authentik", persistentvolumeclaim=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="authentik", persistentvolumeclaim=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: authentik - cnpg_cluster: authentik-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "authentik/authentik-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="authentik",pod=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: authentik - cnpg_cluster: authentik-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: authentik - cnpg_cluster: authentik-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: authentik - cnpg_cluster: authentik-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: authentik - cnpg_cluster: authentik-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "authentik/authentik-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="authentik", pod=~"authentik-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: authentik - cnpg_cluster: authentik-postgresql-17-cluster ---- -# Source: authentik/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-authentik - namespace: authentik - labels: - app.kubernetes.io/name: redis-replication-authentik - app.kubernetes.io/instance: authentik - app.kubernetes.io/part-of: authentik -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.0.3 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi - redisExporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.48.0 ---- -# Source: authentik/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "authentik-postgresql-17-daily-backup-scheduled-backup" - namespace: authentik - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: authentik-postgresql-17 - app.kubernetes.io/instance: authentik - app.kubernetes.io/part-of: authentik - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: authentik-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: 
barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "authentik-postgresql-17-external-backup" ---- -# Source: authentik/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "authentik-postgresql-17-live-backup-scheduled-backup" - namespace: authentik - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: authentik-postgresql-17 - app.kubernetes.io/instance: authentik - app.kubernetes.io/part-of: authentik - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: authentik-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "authentik-postgresql-17-garage-local-backup" ---- -# Source: authentik/charts/authentik/templates/server/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: authentik-server - namespace: "authentik" - labels: - helm.sh/chart: "authentik-2025.10.2" - app.kubernetes.io/name: "authentik" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/component: "server-metrics" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/part-of: "authentik" - app.kubernetes.io/version: "2025.10.2" -spec: - endpoints: - - port: metrics - interval: 30s - scrapeTimeout: 3s - path: /metrics - namespaceSelector: - matchNames: - - authentik - selector: - matchLabels: - app.kubernetes.io/name: "authentik" - app.kubernetes.io/instance: "authentik" - app.kubernetes.io/component: "server-metrics" ---- -# Source: authentik/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: redis-replication-authentik - namespace: authentik - labels: - app.kubernetes.io/name: redis-replication-authentik - app.kubernetes.io/instance: authentik - 
app.kubernetes.io/part-of: authentik - redis-operator: "true" - env: production -spec: - selector: - matchLabels: - redis_setup_type: replication - endpoints: - - port: redis-exporter - interval: 30s - scrapeTimeout: 10s diff --git a/clusters/cl01tl/manifests/backrest/backrest.yaml b/clusters/cl01tl/manifests/backrest/backrest.yaml deleted file mode 100644 index 1e459f5b3..000000000 --- a/clusters/cl01tl/manifests/backrest/backrest.yaml +++ /dev/null 
@@ -1,289 +0,0 @@ ---- -# Source: backrest/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: backrest-nfs-storage - namespace: backrest - labels: - app.kubernetes.io/name: backrest-nfs-storage - app.kubernetes.io/instance: backrest - app.kubernetes.io/part-of: backrest -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: backrest/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: backrest-nfs-share - namespace: backrest - labels: - app.kubernetes.io/name: backrest-nfs-share - app.kubernetes.io/instance: backrest - app.kubernetes.io/part-of: backrest -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Share - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: backrest/charts/backrest/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: backrest-config - labels: - app.kubernetes.io/instance: backrest - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: backrest - helm.sh/chart: backrest-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: backrest -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "1Gi" - storageClassName: "ceph-block" ---- -# Source: backrest/charts/backrest/templates/common.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: backrest-data - labels: - app.kubernetes.io/instance: backrest - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: backrest - helm.sh/chart: backrest-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: backrest -spec: - accessModes: - 
- "ReadWriteOnce" - resources: - requests: - storage: "10Gi" - storageClassName: "ceph-block" ---- -# Source: backrest/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: backrest-nfs-storage - namespace: backrest - labels: - app.kubernetes.io/name: backrest-nfs-storage - app.kubernetes.io/instance: backrest - app.kubernetes.io/part-of: backrest -spec: - volumeName: backrest-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: backrest/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: backrest-nfs-share - namespace: backrest - labels: - app.kubernetes.io/name: backrest-nfs-share - app.kubernetes.io/instance: backrest - app.kubernetes.io/part-of: backrest -spec: - volumeName: backrest-nfs-share - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: backrest/charts/backrest/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: backrest - labels: - app.kubernetes.io/instance: backrest - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: backrest - app.kubernetes.io/service: backrest - helm.sh/chart: backrest-4.4.0 - namespace: backrest -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 9898 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: backrest - app.kubernetes.io/name: backrest ---- -# Source: backrest/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: garage-ps10rp - namespace: backrest - labels: - app.kubernetes.io/name: garage-ps10rp - app.kubernetes.io/instance: backrest - app.kubernetes.io/part-of: backrest - annotations: - tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net -spec: - externalName: placeholder - type: ExternalName ---- -# Source: 
backrest/charts/backrest/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: backrest - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: backrest - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: backrest - helm.sh/chart: backrest-4.4.0 - namespace: backrest -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: backrest - app.kubernetes.io/instance: backrest - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: backrest - app.kubernetes.io/name: backrest - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: America/Chicago - - name: BACKREST_DATA - value: /data - - name: BACKREST_CONFIG - value: /config/config.json - - name: XDG_CACHE_HOME - value: /cache - - name: TMPDIR - value: /tmp - image: garethgeorge/backrest:v1.10.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /cache - name: cache - - mountPath: /config - name: config - - mountPath: /data - name: data - - mountPath: /mnt/share - name: share - readOnly: true - - mountPath: /mnt/storage - name: storage - readOnly: true - - mountPath: /tmp - name: tmp - volumes: - - emptyDir: {} - name: cache - - name: config - persistentVolumeClaim: - claimName: backrest-config - - name: data - persistentVolumeClaim: - claimName: backrest-data - - name: share - persistentVolumeClaim: - claimName: backrest-nfs-share - - name: storage - persistentVolumeClaim: - claimName: backrest-nfs-storage - - emptyDir: {} - name: tmp ---- -# Source: backrest/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: 
http-route-backrest - namespace: backrest - labels: - app.kubernetes.io/name: http-route-backrest - app.kubernetes.io/instance: backrest - app.kubernetes.io/part-of: backrest -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - backrest.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: backrest - port: 80 - weight: 100 diff --git a/clusters/cl01tl/manifests/bazarr/bazarr.yaml b/clusters/cl01tl/manifests/bazarr/bazarr.yaml deleted file mode 100644 index b2542e9ab..000000000 --- a/clusters/cl01tl/manifests/bazarr/bazarr.yaml +++ /dev/null 
@@ -1,278 +0,0 @@ ---- -# Source: bazarr/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: bazarr-nfs-storage - namespace: bazarr - labels: - app.kubernetes.io/name: bazarr-nfs-storage - app.kubernetes.io/instance: bazarr - app.kubernetes.io/part-of: bazarr -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: bazarr/charts/bazarr/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: bazarr-config - labels: - app.kubernetes.io/instance: bazarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: bazarr - helm.sh/chart: bazarr-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: bazarr -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: bazarr/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: bazarr-nfs-storage - namespace: bazarr - labels: - app.kubernetes.io/name: bazarr-nfs-storage - app.kubernetes.io/instance: bazarr - app.kubernetes.io/part-of: bazarr -spec: - volumeName: bazarr-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: bazarr/charts/bazarr/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: bazarr - labels: - app.kubernetes.io/instance: bazarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: bazarr - app.kubernetes.io/service: bazarr - helm.sh/chart: bazarr-4.4.0 - namespace: bazarr -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 6767 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: bazarr - app.kubernetes.io/name: 
bazarr ---- -# Source: bazarr/charts/bazarr/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: bazarr - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: bazarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: bazarr - helm.sh/chart: bazarr-4.4.0 - namespace: bazarr -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: bazarr - app.kubernetes.io/instance: bazarr - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: bazarr - app.kubernetes.io/name: bazarr - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: PUID - value: "1000" - - name: PGID - value: "1000" - image: ghcr.io/linuxserver/bazarr:1.5.3@sha256:ec11e988e8e13411c994a4d9f43ed9b97409aa92c1da54d9f23926c3da7c2032 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /config - name: config - - mountPath: /mnt/store - name: media - volumes: - - name: config - persistentVolumeClaim: - claimName: bazarr-config - - name: media - persistentVolumeClaim: - claimName: bazarr-nfs-storage ---- -# Source: bazarr/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: bazarr-config-backup-secret - namespace: bazarr - labels: - app.kubernetes.io/name: bazarr-config-backup-secret - app.kubernetes.io/instance: bazarr - app.kubernetes.io/part-of: bazarr -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: 
v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/bazarr/bazarr-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: bazarr/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-bazarr - namespace: bazarr - labels: - app.kubernetes.io/name: http-route-bazarr - app.kubernetes.io/instance: bazarr - app.kubernetes.io/part-of: bazarr -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - bazarr.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: bazarr - port: 80 - weight: 100 ---- -# Source: bazarr/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: bazarr-config-backup-source - namespace: bazarr - labels: - app.kubernetes.io/name: bazarr-config-backup-source - app.kubernetes.io/instance: bazarr - app.kubernetes.io/part-of: bazarr -spec: - sourcePVC: 
bazarr-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: bazarr-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - moverSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot diff --git a/clusters/cl01tl/manifests/blocky/blocky.yaml b/clusters/cl01tl/manifests/blocky/blocky.yaml deleted file mode 100644 index 96471a697..000000000 --- a/clusters/cl01tl/manifests/blocky/blocky.yaml +++ /dev/null 
@@ -1,448 +0,0 @@ ---- -# Source: blocky/charts/blocky/templates/common.yaml ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: blocky - labels: - app.kubernetes.io/instance: blocky - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: blocky - helm.sh/chart: blocky-4.4.0 - namespace: blocky -data: - config.yml: | - upstreams: - init: - strategy: fast - groups: - default: - - tcp-tls:1.1.1.1:853 - - tcp-tls:1.0.0.1:853 - strategy: parallel_best - timeout: 2s - - connectIPVersion: v4 - - customDNS: - filterUnmappedTypes: false - zone: | - $ORIGIN alexlebens.net. - $TTL 86400 - - ;; Name Server - IN NS patryk.ns.cloudflare.com. - IN NS veda.ns.cloudflare.com. - IN NS dns1. - IN NS dns2. - IN NS dns3. - - dns1 IN A 10.232.1.22 - dns2 IN A 10.232.1.51 - dns3 IN A 10.232.1.52 - - - ;; Computer Names - nw01un IN A 192.168.1.1 ; Unifi Gateway - - ps08rp IN A 10.232.1.51 ; DNS - ps09rp IN A 10.232.1.52 ; DNS - ps02sn IN A 10.232.1.61 ; Synology Web - ps02sn-bond IN A 10.232.1.64 ; Synology Bond for Storage - - pd05wd IN A 10.230.0.115 ; Desktop - pl02mc IN A 10.230.0.105 ; Laptop - - dv01hr IN A 10.232.1.72 ; HD Homerun - dv02kv IN A 10.232.1.71 ; Pi KVM - - it01ag IN A 10.232.1.83 ; Airgradient - it02ph IN A 10.232.1.85 ; Phillips Hue - it03tb IN A 10.232.1.81 ; TubesZB ZigBee - it04tb IN A 10.232.1.82 ; TubesZB Z-Wave - it05sp IN A 10.230.0.100 ; Shelly Plug - - - ;; Common Names - synology IN CNAME ps02sn - synologybond IN CNAME ps02sn-bond - unifi IN CNAME nw01un - airgradient IN CNAME it01ag - hdhr IN CNAME dv01hr - pikvm IN CNAME dv02kv - - - ;; Service Names - cl01tl IN A 10.232.1.11 - cl01tl IN A 10.232.1.12 - cl01tl IN A 10.232.1.13 - - cl01tl-api IN A 10.232.1.11 - cl01tl-api IN A 10.232.1.12 - cl01tl-api IN A 10.232.1.13 - - cl01tl-endpoint IN A 10.232.1.21 - cl01tl-endpoint IN A 10.232.1.22 - cl01tl-endpoint IN A 10.232.1.23 - - cl01tl-gateway IN A 10.232.1.200 - - traefik-cl01tl IN A 10.232.1.21 - blocky IN A 10.232.1.22 - plex-lb IN A 
10.232.1.23 - - ;; Application Names - actual IN CNAME traefik-cl01tl - alertmanager IN CNAME traefik-cl01tl - argo-workflows IN CNAME traefik-cl01tl - argocd IN CNAME traefik-cl01tl - audiobookshelf IN CNAME traefik-cl01tl - authentik IN CNAME traefik-cl01tl - backrest IN CNAME traefik-cl01tl - bazarr IN CNAME traefik-cl01tl - booklore IN CNAME traefik-cl01tl - ceph IN CNAME traefik-cl01tl - code-server IN CNAME traefik-cl01tl - ephemera IN CNAME traefik-cl01tl - garage-s3 IN CNAME traefik-cl01tl - garage-webui IN CNAME traefik-cl01tl - gatus IN CNAME traefik-cl01tl - gitea IN CNAME traefik-cl01tl - grafana IN CNAME traefik-cl01tl - harbor IN CNAME traefik-cl01tl - headlamp IN CNAME traefik-cl01tl - home IN CNAME traefik-cl01tl - home-assistant IN CNAME traefik-cl01tl - home-assistant-code-server IN CNAME traefik-cl01tl - hubble IN CNAME cl01tl-gateway - huntarr IN CNAME traefik-cl01tl - immich IN CNAME traefik-cl01tl - jellyfin IN CNAME traefik-cl01tl - jellystat IN CNAME traefik-cl01tl - kiwix IN CNAME traefik-cl01tl - komodo IN CNAME traefik-cl01tl - kronic IN CNAME traefik-cl01tl - lidarr IN CNAME traefik-cl01tl - lidatube IN CNAME traefik-cl01tl - listenarr IN CNAME traefik-cl01tl - mail IN CNAME traefik-cl01tl - n8n IN CNAME traefik-cl01tl - ntfy IN CNAME traefik-cl01tl - objects IN CNAME traefik-cl01tl - ollama IN CNAME traefik-cl01tl - omni-tools IN CNAME traefik-cl01tl - overseerr IN CNAME traefik-cl01tl - pgadmin IN CNAME traefik-cl01tl - photoview IN CNAME traefik-cl01tl - plex IN CNAME traefik-cl01tl - postiz IN CNAME traefik-cl01tl - prometheus IN CNAME traefik-cl01tl - prowlarr IN CNAME traefik-cl01tl - qbittorrent IN CNAME traefik-cl01tl - qui IN CNAME traefik-cl01tl - radarr IN CNAME traefik-cl01tl - radarr-4k IN CNAME traefik-cl01tl - radarr-anime IN CNAME traefik-cl01tl - radarr-standup IN CNAME traefik-cl01tl - searxng IN CNAME traefik-cl01tl - slskd IN CNAME traefik-cl01tl - sonarr IN CNAME traefik-cl01tl - sonarr-4k IN CNAME traefik-cl01tl - 
sonarr-anime IN CNAME traefik-cl01tl - stalwart IN CNAME traefik-cl01tl - tautulli IN CNAME traefik-cl01tl - tdarr IN CNAME traefik-cl01tl - tubearchivist IN CNAME traefik-cl01tl - vault IN CNAME traefik-cl01tl - whodb IN CNAME traefik-cl01tl - yamtrack IN CNAME traefik-cl01tl - - blocking: - denylists: - sus: - - https://v.firebog.net/hosts/static/w3kbl.txt - ads: - - https://v.firebog.net/hosts/AdguardDNS.txt - - https://v.firebog.net/hosts/Admiral.txt - - https://v.firebog.net/hosts/Easylist.txt - - https://adaway.org/hosts.txt - priv: - - https://v.firebog.net/hosts/Easyprivacy.txt - - https://v.firebog.net/hosts/Prigent-Ads.txt - mal: - - https://v.firebog.net/hosts/Prigent-Crypto.txt - - https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt - pro: - - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro.plus.txt - allowlists: - sus: - - | - *.alexlebens.net - *.alexlebens.dev - *.boreal-beaufort.ts.net - ads: - - | - *.alexlebens.net - *.alexlebens.dev - *.boreal-beaufort.ts.net - priv: - - | - *.alexlebens.net - *.alexlebens.dev - *.boreal-beaufort.ts.net - mal: - - | - *.alexlebens.net - *.alexlebens.dev - *.boreal-beaufort.ts.net - pro: - - | - *.alexlebens.net - *.alexlebens.dev - *.boreal-beaufort.ts.net - clientGroupsBlock: - default: - - sus - - ads - - priv - - mal - - pro - blockType: zeroIp - blockTTL: 1m - loading: - refreshPeriod: 24h - downloads: - timeout: 60s - attempts: 5 - cooldown: 10s - concurrency: 16 - strategy: fast - maxErrorsPerSource: 5 - - caching: - minTime: 5m - maxTime: 30m - maxItemsCount: 0 - prefetching: true - prefetchExpires: 2h - prefetchThreshold: 5 - prefetchMaxItemsCount: 0 - cacheTimeNegative: 30m - - redis: - address: redis-replication-blocky-master.blocky:6379 - required: true - - prometheus: - enable: true - path: /metrics - - queryLog: - type: console - logRetentionDays: 7 - creationAttempts: 1 - creationCooldown: 2s - flushInterval: 30s - - minTlsServeVersion: 1.3 - - ports: - dns: 
53 - http: 4000 - - log: - level: info - format: text - timestamp: true - privacy: false ---- -# Source: blocky/charts/blocky/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: blocky-dns-external - labels: - app.kubernetes.io/instance: blocky - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: blocky - app.kubernetes.io/service: blocky-dns-external - helm.sh/chart: blocky-4.4.0 - annotations: - tailscale.com/expose: "true" - namespace: blocky -spec: - type: LoadBalancer - ports: - - port: 53 - targetPort: 53 - protocol: TCP - name: tcp - - port: 53 - targetPort: 53 - protocol: UDP - name: udp - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: blocky - app.kubernetes.io/name: blocky ---- -# Source: blocky/charts/blocky/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: blocky-metrics - labels: - app.kubernetes.io/instance: blocky - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: blocky - app.kubernetes.io/service: blocky-metrics - helm.sh/chart: blocky-4.4.0 - namespace: blocky -spec: - type: ClusterIP - ports: - - port: 4000 - targetPort: 4000 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: blocky - app.kubernetes.io/name: blocky ---- -# Source: blocky/charts/blocky/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: blocky - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: blocky - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: blocky - helm.sh/chart: blocky-4.4.0 - namespace: blocky -spec: - revisionHistoryLimit: 3 - replicas: 3 - strategy: - type: RollingUpdate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: blocky - app.kubernetes.io/instance: blocky - template: - metadata: - annotations: - checksum/configMaps: 8a197f81daed9048c4565ecafc0c7ca534383a898e709a13c3441bc00bd12652 - labels: - 
app.kubernetes.io/controller: main - app.kubernetes.io/instance: blocky - app.kubernetes.io/name: blocky - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - image: ghcr.io/0xerr0r/blocky:v0.28.2@sha256:5f84a54e4ee950c4ab21db905b7497476ece2f4e1a376d23ab8c4855cabddcba - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /app/config.yml - mountPropagation: None - name: config - readOnly: true - subPath: config.yml - volumes: - - configMap: - name: blocky - name: config ---- -# Source: blocky/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-blocky - namespace: blocky - labels: - app.kubernetes.io/name: redis-replication-blocky - app.kubernetes.io/instance: blocky - app.kubernetes.io/part-of: blocky -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.0.3 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi - redisExporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.48.0 ---- -# Source: blocky/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: blocky - namespace: blocky - labels: - app.kubernetes.io/name: blocky - app.kubernetes.io/instance: blocky - app.kubernetes.io/part-of: blocky -spec: - selector: - matchLabels: - app.kubernetes.io/name: blocky - app.kubernetes.io/instance: blocky - endpoints: - - port: metrics - interval: 30s - scrapeTimeout: 10s - path: /metrics ---- -# Source: 
blocky/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: redis-replication-blocky - namespace: blocky - labels: - app.kubernetes.io/name: redis-replication-blocky - app.kubernetes.io/instance: blocky - app.kubernetes.io/part-of: blocky - redis-operator: "true" - env: production -spec: - selector: - matchLabels: - redis_setup_type: replication - endpoints: - - port: redis-exporter - interval: 30s - scrapeTimeout: 10s diff --git a/clusters/cl01tl/manifests/booklore/booklore.yaml b/clusters/cl01tl/manifests/booklore/booklore.yaml deleted file mode 100644 index 473884f84..000000000 --- a/clusters/cl01tl/manifests/booklore/booklore.yaml +++ /dev/null 
@@ -1,946 +0,0 @@ ---- -# Source: booklore/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: booklore - annotations: - volsync.backube/privileged-movers: "true" - labels: - app.kubernetes.io/name: booklore - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore ---- -# Source: booklore/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: booklore-books-nfs-storage - namespace: booklore - labels: - app.kubernetes.io/name: booklore-books-nfs-storage - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage/Books - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: booklore/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: booklore-books-import-nfs-storage - namespace: booklore - labels: - app.kubernetes.io/name: booklore-books-import-nfs-storage - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage/Books Import - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: booklore/charts/booklore/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: booklore-config - labels: - app.kubernetes.io/instance: booklore - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: booklore - helm.sh/chart: booklore-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: booklore -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: 
booklore/charts/booklore/templates/common.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: booklore-data - labels: - app.kubernetes.io/instance: booklore - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: booklore - helm.sh/chart: booklore-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: booklore -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "10Gi" - storageClassName: "ceph-block" ---- -# Source: booklore/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: booklore-books-nfs-storage - namespace: booklore - labels: - app.kubernetes.io/name: booklore-books-nfs-storage - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - volumeName: booklore-books-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: booklore/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: booklore-books-import-nfs-storage - namespace: booklore - labels: - app.kubernetes.io/name: booklore-books-import-nfs-storage - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - volumeName: booklore-books-import-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: booklore/charts/booklore/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: booklore - labels: - app.kubernetes.io/instance: booklore - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: booklore - app.kubernetes.io/service: booklore - helm.sh/chart: booklore-4.4.0 - namespace: booklore -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 6060 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: booklore - app.kubernetes.io/name: booklore ---- -# Source: 
booklore/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: garage-ps10rp - namespace: booklore - labels: - app.kubernetes.io/name: garage-ps10rp - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore - annotations: - tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net -spec: - externalName: placeholder - type: ExternalName ---- -# Source: booklore/charts/booklore/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: booklore - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: booklore - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: booklore - helm.sh/chart: booklore-4.4.0 - namespace: booklore -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: booklore - app.kubernetes.io/instance: booklore - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: booklore - app.kubernetes.io/name: booklore - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: America/Chicago - - name: DATABASE_URL - value: jdbc:mariadb://booklore-mariadb-cluster-primary.booklore:3306/booklore - - name: DATABASE_USERNAME - value: booklore - - name: DATABASE_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: booklore-database-secret - - name: BOOKLORE_PORT - value: "6060" - - name: SWAGGER_ENABLED - value: "false" - image: ghcr.io/booklore-app/booklore:v1.13.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 50m - memory: 128Mi - volumeMounts: - - mountPath: /bookdrop - name: books-import - - mountPath: /app/data - name: config - - mountPath: /data - name: data - - mountPath: /bookdrop/ingest - name: ingest - 
volumes: - - emptyDir: {} - name: books-import - - name: config - persistentVolumeClaim: - claimName: booklore-config - - name: data - persistentVolumeClaim: - claimName: booklore-data - - name: ingest - persistentVolumeClaim: - claimName: booklore-books-import-nfs-storage ---- -# Source: booklore/charts/mariadb-cluster/templates/database.yaml -apiVersion: k8s.mariadb.com/v1alpha1 -kind: Database -metadata: - name: booklore-mariadb-cluster-booklore - namespace: booklore - labels: - helm.sh/chart: mariadb-cluster-25.10.2 - app.kubernetes.io/name: mariadb-cluster - app.kubernetes.io/instance: booklore - app.kubernetes.io/version: "0.0.0" - app.kubernetes.io/managed-by: Helm -spec: - mariaDbRef: - name: booklore-mariadb-cluster - namespace: booklore - characterSet: utf8 - cleanupPolicy: Delete - collate: utf8_general_ci - name: booklore - requeueInterval: 10h ---- -# Source: booklore/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: booklore-database-secret - namespace: booklore - labels: - app.kubernetes.io/name: booklore-database-secret - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: password - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/booklore/database - metadataPolicy: None - property: password ---- -# Source: booklore/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: booklore-data-replication-secret - namespace: booklore - labels: - app.kubernetes.io/name: booklore-data-replication-secret - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: psk.txt - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/booklore/replication - metadataPolicy: None - property: 
psk.txt ---- -# Source: booklore/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: booklore-config-backup-secret - namespace: booklore - labels: - app.kubernetes.io/name: booklore-config-backup-secret - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/booklore/booklore-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /volsync/restic/digital-ocean - metadataPolicy: None - property: BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /volsync/restic/digital-ocean - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: AWS_ACCESS_KEY_ID - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: AWS_SECRET_ACCESS_KEY ---- -# Source: booklore/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: booklore-data-backup-secret-local - namespace: booklore - labels: - app.kubernetes.io/name: booklore-data-backup-secret-local - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - 
engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/booklore/booklore-data" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /volsync/restic/garage-local - metadataPolicy: None - property: BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /volsync/restic/garage-local - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/volsync-backups - metadataPolicy: None - property: ACCESS_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/volsync-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/volsync-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY ---- -# Source: booklore/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: booklore-data-backup-secret-remote - namespace: booklore - labels: - app.kubernetes.io/name: booklore-data-backup-secret-remote - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/booklore/booklore-data" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /volsync/restic/garage-remote - metadataPolicy: None - property: BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /volsync/restic/garage-remote - metadataPolicy: None - property: RESTIC_PASSWORD - - 
secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/volsync-backups - metadataPolicy: None - property: ACCESS_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/volsync-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/volsync-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY ---- -# Source: booklore/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: booklore-data-backup-secret-external - namespace: booklore - labels: - app.kubernetes.io/name: booklore-data-backup-secret-external - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/booklore/booklore-data" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /volsync/restic/digital-ocean - metadataPolicy: None - property: BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /volsync/restic/digital-ocean - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: AWS_ACCESS_KEY_ID - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default 
- decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: AWS_SECRET_ACCESS_KEY ---- -# Source: booklore/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: booklore-mariadb-cluster-backup-secret-external - namespace: booklore - labels: - app.kubernetes.io/name: booklore-mariadb-cluster-backup-secret-external - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: access - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/mariadb-backups - metadataPolicy: None - property: access - - secretKey: secret - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/mariadb-backups - metadataPolicy: None - property: secret ---- -# Source: booklore/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: booklore-mariadb-cluster-backup-secret-garage - namespace: booklore - labels: - app.kubernetes.io/name: booklore-mariadb-cluster-backup-secret-garage - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: access - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/mariadb-backups - metadataPolicy: None - property: access - - secretKey: secret - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/mariadb-backups - metadataPolicy: None - property: secret ---- -# Source: booklore/charts/mariadb-cluster/templates/grant.yaml -apiVersion: k8s.mariadb.com/v1alpha1 -kind: Grant -metadata: - name: booklore-mariadb-cluster-booklore - namespace: booklore - labels: - helm.sh/chart: mariadb-cluster-25.10.2 - app.kubernetes.io/name: 
mariadb-cluster - app.kubernetes.io/instance: booklore - app.kubernetes.io/version: "0.0.0" - app.kubernetes.io/managed-by: Helm -spec: - mariaDbRef: - name: booklore-mariadb-cluster - namespace: booklore - cleanupPolicy: Delete - database: booklore - grantOption: true - host: '%' - privileges: - - ALL PRIVILEGES - requeueInterval: 10h - retryInterval: 30s - table: '*' - username: booklore ---- -# Source: booklore/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-booklore - namespace: booklore - labels: - app.kubernetes.io/name: http-route-booklore - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - booklore.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: booklore - port: 80 - weight: 100 ---- -# Source: booklore/charts/mariadb-cluster/templates/mariadb.yaml -apiVersion: k8s.mariadb.com/v1alpha1 -kind: MariaDB -metadata: - name: booklore-mariadb-cluster - namespace: booklore - labels: - helm.sh/chart: mariadb-cluster-25.10.2 - app.kubernetes.io/name: mariadb-cluster - app.kubernetes.io/instance: booklore - app.kubernetes.io/version: "0.0.0" - app.kubernetes.io/managed-by: Helm -spec: - galera: - enabled: true - replicas: 3 - rootPasswordSecretKeyRef: - generate: false - key: password - name: booklore-database-secret - storage: - size: 5Gi ---- -# Source: booklore/charts/mariadb-cluster/templates/physicalbackup.yaml -apiVersion: k8s.mariadb.com/v1alpha1 -kind: PhysicalBackup -metadata: - name: booklore-mariadb-cluster-backup-external - namespace: booklore - labels: - helm.sh/chart: mariadb-cluster-25.10.2 - app.kubernetes.io/name: mariadb-cluster - app.kubernetes.io/instance: booklore - app.kubernetes.io/version: "0.0.0" - app.kubernetes.io/managed-by: Helm -spec: 
- mariaDbRef: - name: booklore-mariadb-cluster - namespace: booklore - compression: gzip - maxRetention: 720h - schedule: - cron: 0 0 * * 0 - immediate: true - suspend: false - storage: - s3: - accessKeyIdSecretKeyRef: - key: access - name: booklore-mariadb-cluster-backup-secret-external - bucket: mariadb-backups-b230a2f5aecf080a4b372c08 - endpoint: nyc3.digitaloceanspaces.com - prefix: cl01tl/booklore - region: us-east-1 - secretAccessKeySecretKeyRef: - key: secret - name: booklore-mariadb-cluster-backup-secret-external - tls: - enabled: true ---- -# Source: booklore/charts/mariadb-cluster/templates/physicalbackup.yaml -apiVersion: k8s.mariadb.com/v1alpha1 -kind: PhysicalBackup -metadata: - name: booklore-mariadb-cluster-backup-garage - namespace: booklore - labels: - helm.sh/chart: mariadb-cluster-25.10.2 - app.kubernetes.io/name: mariadb-cluster - app.kubernetes.io/instance: booklore - app.kubernetes.io/version: "0.0.0" - app.kubernetes.io/managed-by: Helm -spec: - mariaDbRef: - name: booklore-mariadb-cluster - namespace: booklore - compression: gzip - maxRetention: 360h - schedule: - cron: 0 0 * * * - immediate: true - suspend: false - storage: - s3: - accessKeyIdSecretKeyRef: - key: access - name: booklore-mariadb-cluster-backup-secret-garage - bucket: mariadb-backups - endpoint: garage-main.garage:3900 - prefix: cl01tl/booklore - region: us-east-1 - secretAccessKeySecretKeyRef: - key: secret - name: booklore-mariadb-cluster-backup-secret-garage ---- -# Source: booklore/templates/replication-destination.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationDestination -metadata: - name: booklore-data-replication-destination - namespace: booklore - labels: - app.kubernetes.io/name: booklore-data-replication-destination - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - rsyncTLS: - copyMethod: Direct - accessModes: ["ReadWriteMany"] - destinationPVC: booklore-books-nfs-storage - keySecret: 
booklore-data-replication-secret ---- -# Source: booklore/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: booklore-data-replication-source - namespace: booklore - labels: - app.kubernetes.io/name: booklore-data-replication-source - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - sourcePVC: booklore-data - trigger: - schedule: "0 0 * * *" - rsyncTLS: - keySecret: booklore-data-replication-secret - address: volsync-rsync-tls-dst-booklore-data-replication-destination - copyMethod: Snapshot ---- -# Source: booklore/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: booklore-config-backup-source - namespace: booklore - labels: - app.kubernetes.io/name: booklore-config-backup-source - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - sourcePVC: booklore-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: booklore-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot - cacheCapacity: 10Gi ---- -# Source: booklore/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: booklore-data-backup-source-local - namespace: booklore - labels: - app.kubernetes.io/name: booklore-data-backup-source-local - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - sourcePVC: booklore-data - trigger: - schedule: 0 2 * * * - restic: - pruneIntervalDays: 7 - repository: booklore-data-backup-secret-local - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot - cacheCapacity: 10Gi ---- -# Source: 
booklore/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: booklore-data-backup-source-remote - namespace: booklore - labels: - app.kubernetes.io/name: booklore-data-backup-source-remote - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - sourcePVC: booklore-data - trigger: - schedule: 0 3 * * * - restic: - pruneIntervalDays: 7 - repository: booklore-data-backup-secret-remote - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot - cacheCapacity: 10Gi ---- -# Source: booklore/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: booklore-data-backup-source-external - namespace: booklore - labels: - app.kubernetes.io/name: booklore-data-backup-source-external - app.kubernetes.io/instance: booklore - app.kubernetes.io/part-of: booklore -spec: - sourcePVC: booklore-data - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: booklore-data-backup-secret-external - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot - cacheCapacity: 10Gi ---- -# Source: booklore/charts/mariadb-cluster/templates/user.yaml -apiVersion: k8s.mariadb.com/v1alpha1 -kind: User -metadata: - name: booklore-mariadb-cluster-booklore - namespace: booklore - labels: - helm.sh/chart: mariadb-cluster-25.10.2 - app.kubernetes.io/name: mariadb-cluster - app.kubernetes.io/instance: booklore - app.kubernetes.io/version: "0.0.0" - app.kubernetes.io/managed-by: Helm -spec: - mariaDbRef: - name: booklore-mariadb-cluster - namespace: booklore - cleanupPolicy: Delete - host: '%' - name: booklore - passwordSecretKeyRef: - key: password - name: booklore-database-secret - requeueInterval: 10h - 
retryInterval: 30s
diff --git a/clusters/cl01tl/manifests/cert-manager/cert-manager.yaml b/clusters/cl01tl/manifests/cert-manager/cert-manager.yaml
deleted file mode 100644
index 0c349c94b..000000000
--- a/clusters/cl01tl/manifests/cert-manager/cert-manager.yaml
+++ /dev/null
@@ -1,13844 +0,0 @@ ---- -# Source: cert-manager/charts/cert-manager/templates/cainjector-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: cert-manager-cainjector - namespace: cert-manager - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 ---- -# Source: cert-manager/charts/cert-manager/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: cert-manager - namespace: cert-manager - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 ---- -# Source: cert-manager/charts/cert-manager/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: cert-manager-webhook - namespace: cert-manager - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 ---- -# Source: cert-manager/charts/cert-manager/templates/crd-acme.cert-manager.io_challenges.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: "challenges.acme.cert-manager.io" - annotations: - helm.sh/resource-policy: keep - labels: - app: "cert-manager" - app.kubernetes.io/name: "cert-manager" - app.kubernetes.io/instance: "cert-manager" - app.kubernetes.io/component: "crds" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - 
helm.sh/chart: cert-manager-v1.19.1 -spec: - group: acme.cert-manager.io - names: - categories: - - cert-manager - - cert-manager-acme - kind: Challenge - listKind: ChallengeList - plural: challenges - singular: challenge - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.dnsName - name: Domain - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: Challenge is a type to represent a Challenge request with an ACME server - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - authorizationURL: - description: |- - The URL to the ACME Authorization resource that this - challenge is a part of. - type: string - dnsName: - description: |- - dnsName is the identifier that this challenge is for, e.g., example.com. 
- If the requested DNSName is a 'wildcard', this field MUST be set to the - non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`. - type: string - issuerRef: - description: |- - References a properly configured ACME-type Issuer which should - be used to create this Challenge. - If the Issuer does not exist, processing will be retried. - If the Issuer is not an 'ACME' Issuer, an error will be returned and the - Challenge will be marked as failed. - properties: - group: - description: |- - Group of the issuer being referred to. - Defaults to 'cert-manager.io'. - type: string - kind: - description: |- - Kind of the issuer being referred to. - Defaults to 'Issuer'. - type: string - name: - description: Name of the issuer being referred to. - type: string - required: - - name - type: object - key: - description: |- - The ACME challenge key for this challenge - For HTTP01 challenges, this is the value that must be responded with to - complete the HTTP01 challenge in the format: - `.`. - For DNS01 challenges, this is the base64 encoded SHA256 sum of the - `.` - text that must be set as the TXT record content. - type: string - solver: - description: |- - Contains the domain solving configuration that should be used to - solve this challenge resource. - properties: - dns01: - description: |- - Configures cert-manager to attempt to complete authorizations by - performing the DNS01 challenge flow. - properties: - acmeDNS: - description: |- - Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage - DNS01 challenge records. - properties: - accountSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. 
- type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - clientTokenSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azureDNS: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - properties: - clientID: - description: |- - Auth: Azure Service Principal: - The ClientID of the Azure Service Principal used to authenticate with Azure DNS. - If set, ClientSecret and TenantID must also be set. - type: string - clientSecretSecretRef: - description: |- - Auth: Azure Service Principal: - A reference to a Secret containing the password associated with the Service Principal. - If set, ClientID and TenantID must also be set. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - environment: - description: name of the Azure environment (default AzurePublicCloud) - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - description: name of the DNS zone that should be used - type: string - managedIdentity: - description: |- - Auth: Azure Workload Identity or Azure Managed Service Identity: - Settings to enable Azure Workload Identity or Azure Managed Service Identity - If set, ClientID, ClientSecret and TenantID must not be set. 
- properties: - clientID: - description: client ID of the managed identity, cannot be used at the same time as resourceID - type: string - resourceID: - description: |- - resource ID of the managed identity, cannot be used at the same time as clientID - Cannot be used for Azure Managed Service Identity - type: string - tenantID: - description: tenant ID of the managed identity, cannot be used at the same time as resourceID - type: string - type: object - resourceGroupName: - description: resource group the DNS zone is located in - type: string - subscriptionID: - description: ID of the Azure subscription - type: string - tenantID: - description: |- - Auth: Azure Service Principal: - The TenantID of the Azure Service Principal used to authenticate with Azure DNS. - If set, ClientID and ClientSecret must also be set. - type: string - required: - - resourceGroupName - - subscriptionID - type: object - cloudDNS: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - properties: - hostedZoneName: - description: |- - HostedZoneName is an optional field that tells cert-manager in which - Cloud DNS zone the challenge record has to be created. - If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. 
- properties: - apiKeySecretRef: - description: |- - API key to use to authenticate with Cloudflare. - Note: using an API token to authenticate is now the recommended method - as it allows greater control of permissions. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - email: - description: Email of the account, only required when using API key based authentication. - type: string - type: object - cnameStrategy: - description: |- - CNAMEStrategy configures how the DNS01 provider should handle CNAME - records when found in DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - properties: - tokenSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: |- - Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: |- - The IP address or hostname of an authoritative DNS server supporting - RFC2136 in the form host:port. If the host is an IPv6 address it must be - enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. - This field is required. - type: string - protocol: - description: Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - enum: - - TCP - - UDP - type: string - tsigAlgorithm: - description: |- - The TSIG Algorithm configured in the DNS supporting RFC2136. Used only - when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. - Supported values are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. - type: string - tsigKeyName: - description: |- - The TSIG Key name configured in the DNS. - If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: |- - The name of the secret containing the TSIG value. - If ``tsigKeyName`` is defined, this field is required. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - properties: - accessKeyID: - description: |- - The AccessKeyID is used for authentication. - Cannot be set when SecretAccessKeyID is set. - If neither the Access Key nor Key ID are set, we fall-back to using env - vars, shared credentials file or AWS Instance metadata, - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: string - accessKeyIDSecretRef: - description: |- - The SecretAccessKey is used for authentication. If set, pull the AWS - access key ID from a key within a Kubernetes Secret. - Cannot be set when AccessKeyID is set. - If neither the Access Key nor Key ID are set, we fall-back to using env - vars, shared credentials file or AWS Instance metadata, - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - auth: - description: Auth configures how cert-manager authenticates. - properties: - kubernetes: - description: |- - Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity - by passing a bound ServiceAccount token. - properties: - serviceAccountRef: - description: |- - A reference to a service account that will be used to request a bound - token (also known as "projected token"). 
To use this field, you must - configure an RBAC rule to let cert-manager request a token. - properties: - audiences: - description: |- - TokenAudiences is an optional list of audiences to include in the - token passed to AWS. The default token consisting of the issuer's namespace - and name is always included. - If unset the audience defaults to `sts.amazonaws.com`. - items: - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: Name of the ServiceAccount used to request a token. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - required: - - kubernetes - type: object - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. - type: string - region: - description: |- - Override the AWS region. - - Route53 is a global service and does not have regional endpoints but the - region specified here (or via environment variables) is used as a hint to - help compute the correct AWS credential scope and partition when it - connects to Route53. See: - - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - - If you omit this region field, cert-manager will use the region from - AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - in the cert-manager controller Pod. - - The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - In this case this `region` field value is ignored. 
- - The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). - Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - In this case this `region` field value is ignored. - type: string - role: - description: |- - Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey - or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: |- - The SecretAccessKey is used for authentication. - If neither the Access Key nor Key ID are set, we fall-back to using env - vars, shared credentials file or AWS Instance metadata, - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - type: object - webhook: - description: |- - Configure an external webhook based DNS01 challenge solver to manage - DNS01 challenge records. - properties: - config: - description: |- - Additional configuration that should be passed to the webhook apiserver - when challenges are processed. - This can contain arbitrary JSON data. - Secret values should not be specified in this stanza. - If secret values are needed (e.g., credentials for a DNS service), you - should use a SecretKeySelector to reference a Secret resource. 
- For details on the schema of this field, consult the webhook provider - implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: |- - The API group name that should be used when POSTing ChallengePayload - resources to the webhook apiserver. - This should be the same as the GroupName specified in the webhook - provider implementation. - type: string - solverName: - description: |- - The name of the solver to use, as defined in the webhook provider - implementation. - This will typically be the name of the provider, e.g., 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: |- - Configures cert-manager to attempt to complete authorizations by - performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard domain names - (e.g., `*.example.com`) using the HTTP01 challenge mechanism. - properties: - gatewayHTTPRoute: - description: |- - The Gateway API is a sig-network community API that models service networking - in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will - create HTTPRoutes with the specified labels in the same namespace as the challenge. - This solver is experimental, and fields / behaviour may change in the future. - properties: - labels: - additionalProperties: - type: string - description: |- - Custom labels that will be applied to HTTPRoutes created by cert-manager - while solving HTTP-01 challenges. - type: object - parentRefs: - description: |- - When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. - cert-manager needs to know which parentRefs should be used when creating - the HTTPRoute. Usually, the parentRef references a Gateway. 
See: - https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - This API may be extended in the future to support additional kinds of parent - resources. - - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. 
For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. 
For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. 
- - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - type: array - x-kubernetes-list-type: atomic - podTemplate: - description: |- - Optional pod template used to configure the ACME challenge solver pods - used for HTTP01 challenges. - properties: - metadata: - description: |- - ObjectMeta overrides for the pod used to solve HTTP01 challenges. - Only the 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built values, the values here - will override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added to the created ACME HTTP01 solver pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: |- - PodSpec defines overrides for the HTTP01 challenge solver pod. - Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - All other fields will be ignored. - properties: - affinity: - description: If specified, the pod's scheduling constraints - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. 
- properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. 
The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. 
due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - imagePullSecrets: - description: If specified, the pod's imagePullSecrets - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - nodeSelector: - additionalProperties: - type: string - description: |- - NodeSelector is a selector which must be true for the pod to fit on a node. - Selector which must match a node's labels for the pod to be scheduled on that node. - More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. 
- type: string - resources: - description: |- - If specified, the pod's resource requirements. - These values override the global resource configuration flags. - Note that when only specifying resource limits, ensure they are greater than or equal - to the corresponding global resource requests configured via controller flags - (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: If specified, the pod's security context - properties: - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. 
The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. 
- type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in addition - to the container's primary GID, the fsGroup (if specified), and group memberships - defined in the container image for the uid of the container process. If unspecified, - no additional groups are added to any container. Note that group memberships - defined in the container image for the uid of the container process are still effective, - even if they are not included in this list. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - type: object - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. 
- If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - serviceType: - description: |- - Optional service type for Kubernetes solver service. Supported values - are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - type: object - ingress: - description: |- - The ingress based HTTP01 challenge solver will solve challenges by - creating or modifying Ingress resources in order to route requests for - '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are - provisioned by cert-manager for each Challenge to be completed. - properties: - class: - description: |- - This field configures the annotation `kubernetes.io/ingress.class` when - creating Ingress resources to solve ACME challenges that use this - challenge solver. Only one of `class`, `name` or `ingressClassName` may - be specified. 
- type: string - ingressClassName: - description: |- - This field configures the field `ingressClassName` on the created Ingress - resources used to solve ACME challenges that use this challenge solver. - This is the recommended way of configuring the ingress class. Only one of - `class`, `name` or `ingressClassName` may be specified. - type: string - ingressTemplate: - description: |- - Optional ingress template used to configure the ACME challenge solver - ingress used for HTTP01 challenges. - properties: - metadata: - description: |- - ObjectMeta overrides for the ingress used to solve HTTP01 challenges. - Only the 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built values, the values here - will override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: |- - The name of the ingress resource that should have ACME challenge solving - routes inserted into it in order to solve HTTP01 challenges. - This is typically used in conjunction with ingress controllers like - ingress-gce, which maintains a 1:1 mapping between external IPs and - ingress resources. Only one of `class`, `name` or `ingressClassName` may - be specified. - type: string - podTemplate: - description: |- - Optional pod template used to configure the ACME challenge solver pods - used for HTTP01 challenges. - properties: - metadata: - description: |- - ObjectMeta overrides for the pod used to solve HTTP01 challenges. - Only the 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built values, the values here - will override the in-built values. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added to the created ACME HTTP01 solver pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: |- - PodSpec defines overrides for the HTTP01 challenge solver pod. - Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - All other fields will be ignored. - properties: - affinity: - description: If specified, the pod's scheduling constraints - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. 
The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - imagePullSecrets: - description: If specified, the pod's imagePullSecrets - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - nodeSelector: - additionalProperties: - type: string - description: |- - NodeSelector is a selector which must be true for the pod to fit on a node. - Selector which must match a node's labels for the pod to be scheduled on that node. - More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - resources: - description: |- - If specified, the pod's resource requirements. - These values override the global resource configuration flags. - Note that when only specifying resource limits, ensure they are greater than or equal - to the corresponding global resource requests configured via controller flags - (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: If specified, the pod's security context - properties: - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. 
- type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. 
- type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in addition - to the container's primary GID, the fsGroup (if specified), and group memberships - defined in the container image for the uid of the container process. If unspecified, - no additional groups are added to any container. Note that group memberships - defined in the container image for the uid of the container process are still effective, - even if they are not included in this list. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. 
- Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - type: object - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. 
- type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - serviceType: - description: |- - Optional service type for Kubernetes solver service. Supported values - are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - type: object - type: object - selector: - description: |- - Selector selects a set of DNSNames on the Certificate resource that - should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' solver - with the lowest priority, i.e. if any other solver has a more specific - match, it will be used instead. - properties: - dnsNames: - description: |- - List of DNSNames that this solver will be used to solve. - If specified and a match is found, a dnsNames selector will take - precedence over a dnsZones selector. - If multiple solvers match with the same dnsNames value, the solver - with the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier in the list - will be selected. - items: - type: string - type: array - x-kubernetes-list-type: atomic - dnsZones: - description: |- - List of DNSZones that this solver will be used to solve. - The most specific DNS zone match specified here will take precedence - over other DNS zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for the domain - www.sys.example.com. - If multiple solvers match with the same dnsZones value, the solver - with the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier in the list - will be selected. - items: - type: string - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - A label selector that is used to refine the set of certificate's that - this challenge solver will apply to. 
- type: object - type: object - type: object - token: - description: |- - The ACME challenge token for this challenge. - This is the raw value returned from the ACME server. - type: string - type: - description: |- - The type of ACME challenge this resource represents. - One of "HTTP-01" or "DNS-01". - enum: - - HTTP-01 - - DNS-01 - type: string - url: - description: |- - The URL of the ACME Challenge resource for this challenge. - This can be used to lookup details about the status of this challenge. - type: string - wildcard: - description: |- - wildcard will be true if this challenge is for a wildcard identifier, - for example '*.example.com'. - type: boolean - required: - - authorizationURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - type: object - status: - properties: - presented: - description: |- - presented will be set to true if the challenge values for this challenge - are currently 'presented'. - This *does not* imply the self check is passing. Only that the values - have been 'submitted' for the appropriate challenge mechanism (i.e. the - DNS01 TXT record has been presented, or the HTTP01 configuration has been - configured). - type: boolean - processing: - description: |- - Used to denote whether this challenge should be processed or not. - This field will only be set to true by the 'scheduling' component. - It will only be set to false by the 'challenges' controller, after the - challenge has reached a final state or timed out. - If this field is set to false, the challenge controller will not take - any more action. - type: boolean - reason: - description: |- - Contains human readable information on why the Challenge is in the - current state. - type: string - state: - description: |- - Contains the current 'state' of the challenge. - If not set, the state of the challenge is unknown. 
- enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: cert-manager/charts/cert-manager/templates/crd-acme.cert-manager.io_orders.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: "orders.acme.cert-manager.io" - annotations: - helm.sh/resource-policy: keep - labels: - app: "cert-manager" - app.kubernetes.io/name: "cert-manager" - app.kubernetes.io/instance: "cert-manager" - app.kubernetes.io/component: "crds" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -spec: - group: acme.cert-manager.io - names: - categories: - - cert-manager - - cert-manager-acme - kind: Order - listKind: OrderList - plural: orders - singular: order - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: Order is a type to represent an Order with an ACME server - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - commonName: - description: |- - CommonName is the common name as specified on the DER encoded CSR. - If specified, this value must also be present in `dnsNames` or `ipAddresses`. - This field must match the corresponding field on the DER encoded CSR. - type: string - dnsNames: - description: |- - DNSNames is a list of DNS names that should be included as part of the Order - validation process. - This field must match the corresponding field on the DER encoded CSR. - items: - type: string - type: array - x-kubernetes-list-type: atomic - duration: - description: |- - Duration is the duration for the not after date for the requested certificate. - this is set on order creation as pe the ACME spec. - type: string - ipAddresses: - description: |- - IPAddresses is a list of IP addresses that should be included as part of the Order - validation process. - This field must match the corresponding field on the DER encoded CSR. - items: - type: string - type: array - x-kubernetes-list-type: atomic - issuerRef: - description: |- - IssuerRef references a properly configured ACME-type Issuer which should - be used to create this Order. - If the Issuer does not exist, processing will be retried. - If the Issuer is not an 'ACME' Issuer, an error will be returned and the - Order will be marked as failed. - properties: - group: - description: |- - Group of the issuer being referred to. - Defaults to 'cert-manager.io'. 
- type: string - kind: - description: |- - Kind of the issuer being referred to. - Defaults to 'Issuer'. - type: string - name: - description: Name of the issuer being referred to. - type: string - required: - - name - type: object - profile: - description: |- - Profile allows requesting a certificate profile from the ACME server. - Supported profiles are listed by the server's ACME directory URL. - type: string - request: - description: |- - Certificate signing request bytes in DER encoding. - This will be used when finalizing the order. - This field must be set on the order. - format: byte - type: string - required: - - issuerRef - - request - type: object - status: - properties: - authorizations: - description: |- - Authorizations contains data returned from the ACME server on what - authorizations must be completed in order to validate the DNS names - specified on the Order. - items: - description: |- - ACMEAuthorization contains data returned from the ACME server on an - authorization that must be completed in order validate a DNS name on an ACME - Order resource. - properties: - challenges: - description: |- - Challenges specifies the challenge types offered by the ACME server. - One of these challenge types will be selected when validating the DNS - name and an appropriate Challenge resource will be created to perform - the ACME challenge process. - items: - description: |- - Challenge specifies a challenge offered by the ACME server for an Order. - An appropriate Challenge resource can be created to perform the ACME - challenge process. - properties: - token: - description: |- - Token is the token that must be presented for this challenge. - This is used to compute the 'key' that must also be presented. - type: string - type: - description: |- - Type is the type of challenge being offered, e.g., 'http-01', 'dns-01', - 'tls-sni-01', etc. - This is the raw value retrieved from the ACME server. 
- Only 'http-01' and 'dns-01' are supported by cert-manager, other values - will be ignored. - type: string - url: - description: |- - URL is the URL of this challenge. It can be used to retrieve additional - metadata about the Challenge from the ACME server. - type: string - required: - - token - - type - - url - type: object - type: array - x-kubernetes-list-type: atomic - identifier: - description: Identifier is the DNS name to be validated as part of this authorization - type: string - initialState: - description: |- - InitialState is the initial state of the ACME authorization when first - fetched from the ACME server. - If an Authorization is already 'valid', the Order controller will not - create a Challenge resource for the authorization. This will occur when - working with an ACME server that enables 'authz reuse' (such as Let's - Encrypt's production endpoint). - If not set and 'identifier' is set, the state is assumed to be pending - and a Challenge will be created. - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: URL is the URL of the Authorization that must be completed - type: string - wildcard: - description: |- - Wildcard will be true if this authorization is for a wildcard DNS name. - If this is true, the identifier will be the *non-wildcard* version of - the DNS name. - For example, if '*.example.com' is the DNS name being validated, this - field will be 'true' and the 'identifier' field will be 'example.com'. - type: boolean - required: - - url - type: object - type: array - x-kubernetes-list-type: atomic - certificate: - description: |- - Certificate is a copy of the PEM encoded certificate for this Order. - This field will be populated after the order has been successfully - finalized with the ACME server, and the order has transitioned to the - 'valid' state. 
- format: byte - type: string - failureTime: - description: |- - FailureTime stores the time that this order failed. - This is used to influence garbage collection and back-off. - format: date-time - type: string - finalizeURL: - description: |- - FinalizeURL of the Order. - This is used to obtain certificates for this order once it has been completed. - type: string - reason: - description: |- - Reason optionally provides more information about a why the order is in - the current state. - type: string - state: - description: |- - State contains the current state of this Order resource. - States 'success' and 'expired' are 'final' - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: |- - URL of the Order. - This will initially be empty when the resource is first created. - The Order controller will populate this field when the Order is first processed. - This field will be immutable after it is initially set. - type: string - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: cert-manager/charts/cert-manager/templates/crd-cert-manager.io_certificaterequests.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: "certificaterequests.cert-manager.io" - annotations: - helm.sh/resource-policy: keep - labels: - app: "cert-manager" - app.kubernetes.io/name: "cert-manager" - app.kubernetes.io/instance: "cert-manager" - app.kubernetes.io/component: "crds" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -spec: - group: cert-manager.io - names: - categories: - - cert-manager - kind: CertificateRequest - listKind: CertificateRequestList - plural: certificaterequests - shortNames: - - cr - - crs - singular: certificaterequest - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: 
.status.conditions[?(@.type == "Approved")].status - name: Approved - type: string - - jsonPath: .status.conditions[?(@.type == "Denied")].status - name: Denied - type: string - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: Ready - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - type: string - - jsonPath: .spec.username - name: Requester - type: string - - jsonPath: .status.conditions[?(@.type == "Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - A CertificateRequest is used to request a signed certificate from one of the - configured issuers. - - All fields within the CertificateRequest's `spec` are immutable after creation. - A CertificateRequest will either succeed or fail, as denoted by its `Ready` status - condition and its `status.failureTime` field. - - A CertificateRequest is a one-shot resource, meaning it represents a single - point in time request for a certificate and cannot be re-used. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Specification of the desired state of the CertificateRequest resource. - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - duration: - description: |- - Requested 'duration' (i.e. lifetime) of the Certificate. Note that the - issuer may choose to ignore the requested duration, just like any other - requested attribute. - type: string - extra: - additionalProperties: - items: - type: string - type: array - description: |- - Extra contains extra attributes of the user that created the CertificateRequest. - Populated by the cert-manager webhook on creation and immutable. - type: object - groups: - description: |- - Groups contains group membership of the user that created the CertificateRequest. - Populated by the cert-manager webhook on creation and immutable. - items: - type: string - type: array - x-kubernetes-list-type: atomic - isCA: - description: |- - Requested basic constraints isCA value. Note that the issuer may choose - to ignore the requested isCA value, just like any other requested attribute. - - NOTE: If the CSR in the `Request` field has a BasicConstraints extension, - it must have the same isCA value as specified here. - - If true, this will automatically add the `cert sign` usage to the list - of requested `usages`. - type: boolean - issuerRef: - description: |- - Reference to the issuer responsible for issuing the certificate. - If the issuer is namespace-scoped, it must be in the same namespace - as the Certificate. If the issuer is cluster-scoped, it can be used - from any namespace. - - The `name` field of the reference must always be specified. - properties: - group: - description: |- - Group of the issuer being referred to. - Defaults to 'cert-manager.io'. 
- type: string - kind: - description: |- - Kind of the issuer being referred to. - Defaults to 'Issuer'. - type: string - name: - description: Name of the issuer being referred to. - type: string - required: - - name - type: object - request: - description: |- - The PEM-encoded X.509 certificate signing request to be submitted to the - issuer for signing. - - If the CSR has a BasicConstraints extension, its isCA attribute must - match the `isCA` value of this CertificateRequest. - If the CSR has a KeyUsage extension, its key usages must match the - key usages in the `usages` field of this CertificateRequest. - If the CSR has a ExtKeyUsage extension, its extended key usages - must match the extended key usages in the `usages` field of this - CertificateRequest. - format: byte - type: string - uid: - description: |- - UID contains the uid of the user that created the CertificateRequest. - Populated by the cert-manager webhook on creation and immutable. - type: string - usages: - description: |- - Requested key usages and extended key usages. - - NOTE: If the CSR in the `Request` field has uses the KeyUsage or - ExtKeyUsage extension, these extensions must have the same values - as specified here without any additional values. - - If unset, defaults to `digital signature` and `key encipherment`. - items: - description: |- - KeyUsage specifies valid usage contexts for keys. 
- See: - https://tools.ietf.org/html/rfc5280#section-4.2.1.3 - https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - - Valid KeyUsage values are as follows: - "signing", - "digital signature", - "content commitment", - "key encipherment", - "key agreement", - "data encipherment", - "cert sign", - "crl sign", - "encipher only", - "decipher only", - "any", - "server auth", - "client auth", - "code signing", - "email protection", - "s/mime", - "ipsec end system", - "ipsec tunnel", - "ipsec user", - "timestamping", - "ocsp signing", - "microsoft sgc", - "netscape sgc" - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - type: string - type: array - x-kubernetes-list-type: atomic - username: - description: |- - Username contains the name of the user that created the CertificateRequest. - Populated by the cert-manager webhook on creation and immutable. - type: string - required: - - issuerRef - - request - type: object - status: - description: |- - Status of the CertificateRequest. - This is set and managed automatically. - Read-only. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - ca: - description: |- - The PEM encoded X.509 certificate of the signer, also known as the CA - (Certificate Authority). - This is set on a best-effort basis by different issuers. - If not set, the CA is assumed to be unknown/not available. - format: byte - type: string - certificate: - description: |- - The PEM encoded X.509 certificate resulting from the certificate - signing request. - If not set, the CertificateRequest has either not been completed or has - failed. 
More information on failure can be found by checking the - `conditions` field. - format: byte - type: string - conditions: - description: |- - List of status conditions to indicate the status of a CertificateRequest. - Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`. - items: - description: CertificateRequestCondition contains condition information for a CertificateRequest. - properties: - lastTransitionTime: - description: |- - LastTransitionTime is the timestamp corresponding to the last status - change of this condition. - format: date-time - type: string - message: - description: |- - Message is a human readable description of the details of the last - transition, complementing reason. - type: string - reason: - description: |- - Reason is a brief machine readable explanation for the condition's last - transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - Type of the condition, known values are (`Ready`, `InvalidRequest`, - `Approved`, `Denied`). - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - failureTime: - description: |- - FailureTime stores the time that this CertificateRequest failed. This is - used to influence garbage collection and back-off. 
- format: date-time - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: cert-manager/charts/cert-manager/templates/crd-cert-manager.io_certificates.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: "certificates.cert-manager.io" - annotations: - helm.sh/resource-policy: keep - labels: - app: "cert-manager" - app.kubernetes.io/name: "cert-manager" - app.kubernetes.io/instance: "cert-manager" - app.kubernetes.io/component: "crds" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -spec: - group: cert-manager.io - names: - categories: - - cert-manager - kind: Certificate - listKind: CertificateList - plural: certificates - shortNames: - - cert - - certs - singular: certificate - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: Ready - type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type == "Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - A Certificate resource should be created to ensure an up to date and signed - X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. - - The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`). 
- properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Specification of the desired state of the Certificate resource. - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - additionalOutputFormats: - description: |- - Defines extra output formats of the private key and signed certificate chain - to be written to this Certificate's target Secret. - items: - description: |- - CertificateAdditionalOutputFormat defines an additional output format of a - Certificate resource. These contain supplementary data formats of the signed - certificate chain and paired private key. - properties: - type: - description: |- - Type is the name of the format type that should be written to the - Certificate's target Secret. - enum: - - DER - - CombinedPEM - type: string - required: - - type - type: object - type: array - x-kubernetes-list-type: atomic - commonName: - description: |- - Requested common name X509 certificate subject attribute. - More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 - NOTE: TLS clients will ignore this value when any subject alternative name is - set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). 
- - Should have a length of 64 characters or fewer to avoid generating invalid CSRs. - Cannot be set if the `literalSubject` field is set. - type: string - dnsNames: - description: Requested DNS subject alternative names. - items: - type: string - type: array - x-kubernetes-list-type: atomic - duration: - description: |- - Requested 'duration' (i.e. lifetime) of the Certificate. Note that the - issuer may choose to ignore the requested duration, just like any other - requested attribute. - - If unset, this defaults to 90 days. - Minimum accepted duration is 1 hour. - Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. - type: string - emailAddresses: - description: Requested email subject alternative names. - items: - type: string - type: array - x-kubernetes-list-type: atomic - encodeUsagesInRequest: - description: |- - Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR. - - This option defaults to true, and should only be disabled if the target - issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions. - type: boolean - ipAddresses: - description: Requested IP address subject alternative names. - items: - type: string - type: array - x-kubernetes-list-type: atomic - isCA: - description: |- - Requested basic constraints isCA value. - The isCA value is used to set the `isCA` field on the created CertificateRequest - resources. Note that the issuer may choose to ignore the requested isCA value, just - like any other requested attribute. - - If true, this will automatically add the `cert sign` usage to the list - of requested `usages`. - type: boolean - issuerRef: - description: |- - Reference to the issuer responsible for issuing the certificate. - If the issuer is namespace-scoped, it must be in the same namespace - as the Certificate. If the issuer is cluster-scoped, it can be used - from any namespace. 
- - The `name` field of the reference must always be specified. - properties: - group: - description: |- - Group of the issuer being referred to. - Defaults to 'cert-manager.io'. - type: string - kind: - description: |- - Kind of the issuer being referred to. - Defaults to 'Issuer'. - type: string - name: - description: Name of the issuer being referred to. - type: string - required: - - name - type: object - keystores: - description: Additional keystore output formats to be stored in the Certificate's Secret. - properties: - jks: - description: |- - JKS configures options for storing a JKS keystore in the - `spec.secretName` Secret resource. - properties: - alias: - description: |- - Alias specifies the alias of the key in the keystore, required by the JKS format. - If not provided, the default alias `certificate` will be used. - type: string - create: - description: |- - Create enables JKS keystore creation for the Certificate. - If true, a file named `keystore.jks` will be created in the target - Secret resource, encrypted using the password stored in - `passwordSecretRef` or `password`. - The keystore file will be updated immediately. - If the issuer provided a CA certificate, a file named `truststore.jks` - will also be created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef` - containing the issuing Certificate Authority - type: boolean - password: - description: |- - Password provides a literal password used to encrypt the JKS keystore. - Mutually exclusive with passwordSecretRef. - One of password or passwordSecretRef must provide a password with a non-zero length. - type: string - passwordSecretRef: - description: |- - PasswordSecretRef is a reference to a non-empty key in a Secret resource - containing the password used to encrypt the JKS keystore. - Mutually exclusive with password. - One of password or passwordSecretRef must provide a password with a non-zero length. 
- properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - required: - - create - type: object - pkcs12: - description: |- - PKCS12 configures options for storing a PKCS12 keystore in the - `spec.secretName` Secret resource. - properties: - create: - description: |- - Create enables PKCS12 keystore creation for the Certificate. - If true, a file named `keystore.p12` will be created in the target - Secret resource, encrypted using the password stored in - `passwordSecretRef` or in `password`. - The keystore file will be updated immediately. - If the issuer provided a CA certificate, a file named `truststore.p12` will - also be created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef` containing the issuing Certificate - Authority - type: boolean - password: - description: |- - Password provides a literal password used to encrypt the PKCS#12 keystore. - Mutually exclusive with passwordSecretRef. - One of password or passwordSecretRef must provide a password with a non-zero length. - type: string - passwordSecretRef: - description: |- - PasswordSecretRef is a reference to a non-empty key in a Secret resource - containing the password used to encrypt the PKCS#12 keystore. - Mutually exclusive with password. - One of password or passwordSecretRef must provide a password with a non-zero length. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - profile: - description: |- - Profile specifies the key and certificate encryption algorithms and the HMAC algorithm - used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. - - If provided, allowed values are: - `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. - `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. - `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms - (e.g., because of company policy). Please note that the security of the algorithm is not that important - in reality, because the unencrypted certificate and private key are also stored in the Secret. - enum: - - LegacyRC2 - - LegacyDES - - Modern2023 - type: string - required: - - create - type: object - type: object - literalSubject: - description: |- - Requested X.509 certificate subject, represented using the LDAP "String - Representation of a Distinguished Name" [1]. - Important: the LDAP string format also specifies the order of the attributes - in the subject, this is important when issuing certs for LDAP authentication. - Example: `CN=foo,DC=corp,DC=example,DC=com` - More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 - More info: https://github.com/cert-manager/cert-manager/issues/3203 - More info: https://github.com/cert-manager/cert-manager/issues/4424 - - Cannot be set if the `subject` or `commonName` field is set. - type: string - nameConstraints: - description: |- - x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. - More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 - - This is an Alpha Feature and is only enabled with the - `--feature-gates=NameConstraints=true` option set on both - the controller and webhook components. 
- properties: - critical: - description: if true then the name constraints are marked critical. - type: boolean - excluded: - description: |- - Excluded contains the constraints which must be disallowed. Any name matching a - restriction in the excluded field is invalid regardless - of information appearing in the permitted - properties: - dnsDomains: - description: DNSDomains is a list of DNS domains that are permitted or excluded. - items: - type: string - type: array - x-kubernetes-list-type: atomic - emailAddresses: - description: EmailAddresses is a list of Email Addresses that are permitted or excluded. - items: - type: string - type: array - x-kubernetes-list-type: atomic - ipRanges: - description: |- - IPRanges is a list of IP Ranges that are permitted or excluded. - This should be a valid CIDR notation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - uriDomains: - description: URIDomains is a list of URI domains that are permitted or excluded. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - permitted: - description: Permitted contains the constraints in which the names must be located. - properties: - dnsDomains: - description: DNSDomains is a list of DNS domains that are permitted or excluded. - items: - type: string - type: array - x-kubernetes-list-type: atomic - emailAddresses: - description: EmailAddresses is a list of Email Addresses that are permitted or excluded. - items: - type: string - type: array - x-kubernetes-list-type: atomic - ipRanges: - description: |- - IPRanges is a list of IP Ranges that are permitted or excluded. - This should be a valid CIDR notation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - uriDomains: - description: URIDomains is a list of URI domains that are permitted or excluded. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - otherNames: - description: |- - `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37 - Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`. - Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3 - You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this. - items: - properties: - oid: - description: |- - OID is the object identifier for the otherName SAN. - The object identifier must be expressed as a dotted string, for - example, "1.2.840.113556.1.4.221". - type: string - utf8Value: - description: |- - utf8Value is the string value of the otherName SAN. - The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - privateKey: - description: |- - Private key options. These include the key algorithm and size, the used - encoding and the rotation policy. - properties: - algorithm: - description: |- - Algorithm is the private key algorithm of the corresponding private key - for this certificate. - - If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. - If `algorithm` is specified and `size` is not provided, - key size of 2048 will be used for `RSA` key algorithm and - key size of 256 will be used for `ECDSA` key algorithm. - key size is ignored when using the `Ed25519` key algorithm. - enum: - - RSA - - ECDSA - - Ed25519 - type: string - encoding: - description: |- - The private key cryptography standards (PKCS) encoding for this - certificate's private key to be encoded in. - - If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 - and PKCS#8, respectively. - Defaults to `PKCS1` if not specified. 
- enum: - - PKCS1 - - PKCS8 - type: string - rotationPolicy: - description: |- - RotationPolicy controls how private keys should be regenerated when a - re-issuance is being processed. - - If set to `Never`, a private key will only be generated if one does not - already exist in the target `spec.secretName`. If one does exist but it - does not have the correct algorithm or size, a warning will be raised - to await user intervention. - If set to `Always`, a private key matching the specified requirements - will be generated whenever a re-issuance occurs. - Default is `Always`. - The default was changed from `Never` to `Always` in cert-manager >=v1.18.0. - The new default can be disabled by setting the - `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on - the controller component. - enum: - - Never - - Always - type: string - size: - description: |- - Size is the key bit size of the corresponding private key for this certificate. - - If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, - and will default to `2048` if not specified. - If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, - and will default to `256` if not specified. - If `algorithm` is set to `Ed25519`, Size is ignored. - No other values are allowed. - type: integer - type: object - renewBefore: - description: |- - How long before the currently issued certificate's expiry cert-manager should - renew the certificate. For example, if a certificate is valid for 60 minutes, - and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate - 50 minutes after it was issued (i.e. when there are 10 minutes remaining until - the certificate is no longer valid). - - NOTE: The actual lifetime of the issued certificate is used to determine the - renewal time. If an issuer returns a certificate with a different lifetime than - the one requested, cert-manager will use the lifetime of the issued certificate. 
- - If unset, this defaults to 1/3 of the issued certificate's lifetime. - Minimum accepted value is 5 minutes. - Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. - Cannot be set if the `renewBeforePercentage` field is set. - type: string - renewBeforePercentage: - description: |- - `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage - rather than an absolute duration. For example, if a certificate is valid for 60 - minutes, and `renewBeforePercentage=25`, cert-manager will begin to attempt to - renew the certificate 45 minutes after it was issued (i.e. when there are 15 - minutes (25%) remaining until the certificate is no longer valid). - - NOTE: The actual lifetime of the issued certificate is used to determine the - renewal time. If an issuer returns a certificate with a different lifetime than - the one requested, cert-manager will use the lifetime of the issued certificate. - - Value must be an integer in the range (0,100). The minimum effective - `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5 - minutes. - Cannot be set if the `renewBefore` field is set. - format: int32 - type: integer - revisionHistoryLimit: - description: |- - The maximum number of CertificateRequest revisions that are maintained in - the Certificate's history. Each revision represents a single `CertificateRequest` - created by this Certificate, either when it was created, renewed, or Spec - was changed. Revisions will be removed by oldest first if the number of - revisions exceeds this number. - - If set, revisionHistoryLimit must be a value of `1` or greater. - Default value is `1`. - format: int32 - type: integer - secretName: - description: |- - Name of the Secret resource that will be automatically created and - managed by this Certificate resource. It will be populated with a - private key and certificate, signed by the denoted issuer. 
The Secret - resource lives in the same namespace as the Certificate resource. - type: string - secretTemplate: - description: |- - Defines annotations and labels to be copied to the Certificate's Secret. - Labels and annotations on the Secret will be changed as they appear on the - SecretTemplate when added or removed. SecretTemplate annotations are added - in conjunction with, and cannot overwrite, the base set of annotations - cert-manager sets on the Certificate's Secret. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a key value map to be copied to the target Kubernetes Secret. - type: object - labels: - additionalProperties: - type: string - description: Labels is a key value map to be copied to the target Kubernetes Secret. - type: object - type: object - signatureAlgorithm: - description: |- - Signature algorithm to use. - Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA. - Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512. - Allowed values for Ed25519 keys: PureEd25519. - enum: - - SHA256WithRSA - - SHA384WithRSA - - SHA512WithRSA - - ECDSAWithSHA256 - - ECDSAWithSHA384 - - ECDSAWithSHA512 - - PureEd25519 - type: string - subject: - description: |- - Requested set of X509 certificate subject attributes. - More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 - - The common name attribute is specified separately in the `commonName` field. - Cannot be set if the `literalSubject` field is set. - properties: - countries: - description: Countries to be used on the Certificate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - localities: - description: Cities to be used on the Certificate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - organizationalUnits: - description: Organizational Units to be used on the Certificate. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - organizations: - description: Organizations to be used on the Certificate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - postalCodes: - description: Postal codes to be used on the Certificate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - provinces: - description: State/Provinces to be used on the Certificate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - uris: - description: Requested URI subject alternative names. - items: - type: string - type: array - x-kubernetes-list-type: atomic - usages: - description: |- - Requested key usages and extended key usages. - These usages are used to set the `usages` field on the created CertificateRequest - resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages - will additionally be encoded in the `request` field which contains the CSR blob. - - If unset, defaults to `digital signature` and `key encipherment`. - items: - description: |- - KeyUsage specifies valid usage contexts for keys. 
- See: - https://tools.ietf.org/html/rfc5280#section-4.2.1.3 - https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - - Valid KeyUsage values are as follows: - "signing", - "digital signature", - "content commitment", - "key encipherment", - "key agreement", - "data encipherment", - "cert sign", - "crl sign", - "encipher only", - "decipher only", - "any", - "server auth", - "client auth", - "code signing", - "email protection", - "s/mime", - "ipsec end system", - "ipsec tunnel", - "ipsec user", - "timestamping", - "ocsp signing", - "microsoft sgc", - "netscape sgc" - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - type: string - type: array - x-kubernetes-list-type: atomic - required: - - issuerRef - - secretName - type: object - status: - description: |- - Status of the Certificate. - This is set and managed automatically. - Read-only. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - conditions: - description: |- - List of status conditions to indicate the status of certificates. - Known condition types are `Ready` and `Issuing`. - items: - description: CertificateCondition contains condition information for a Certificate. - properties: - lastTransitionTime: - description: |- - LastTransitionTime is the timestamp corresponding to the last status - change of this condition. - format: date-time - type: string - message: - description: |- - Message is a human readable description of the details of the last - transition, complementing reason. 
- type: string - observedGeneration: - description: |- - If set, this represents the .metadata.generation that the condition was - set based upon. - For instance, if .metadata.generation is currently 12, but the - .status.condition[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the Certificate. - format: int64 - type: integer - reason: - description: |- - Reason is a brief machine readable explanation for the condition's last - transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are (`Ready`, `Issuing`). - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - failedIssuanceAttempts: - description: |- - The number of continuous failed issuance attempts up till now. This - field gets removed (if set) on a successful issuance and gets set to - 1 if unset and an issuance has failed. If an issuance has failed, the - delay till the next issuance will be calculated using formula - time.Hour * 2 ^ (failedIssuanceAttempts - 1). - type: integer - lastFailureTime: - description: |- - LastFailureTime is set only if the latest issuance for this - Certificate failed and contains the time of the failure. If an - issuance has failed, the delay till the next issuance will be - calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - - 1). If the latest issuance has succeeded this field will be unset. - format: date-time - type: string - nextPrivateKeySecretName: - description: |- - The name of the Secret resource containing the private key to be used - for the next certificate iteration. - The keymanager controller will automatically set this field if the - `Issuing` condition is set to `True`. 
- It will automatically unset this field when the Issuing condition is - not set or False. - type: string - notAfter: - description: |- - The expiration time of the certificate stored in the secret named - by this resource in `spec.secretName`. - format: date-time - type: string - notBefore: - description: |- - The time after which the certificate stored in the secret named - by this resource in `spec.secretName` is valid. - format: date-time - type: string - renewalTime: - description: |- - RenewalTime is the time at which the certificate will be next - renewed. - If not set, no upcoming renewal is scheduled. - format: date-time - type: string - revision: - description: |- - The current 'revision' of the certificate as issued. - - When a CertificateRequest resource is created, it will have the - `cert-manager.io/certificate-revision` set to one greater than the - current value of this field. - - Upon issuance, this field will be set to the value of the annotation - on the CertificateRequest resource used to issue the certificate. - - Persisting the value on the CertificateRequest resource allows the - certificates controller to know whether a request is part of an old - issuance or if it is part of the ongoing revision's issuance by - checking if the revision value in the annotation is greater than this - field. 
- type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: cert-manager/charts/cert-manager/templates/crd-cert-manager.io_clusterissuers.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: "clusterissuers.cert-manager.io" - annotations: - helm.sh/resource-policy: keep - labels: - app: "cert-manager" - app.kubernetes.io/name: "cert-manager" - app.kubernetes.io/instance: "cert-manager" - app.kubernetes.io/component: "crds" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -spec: - group: cert-manager.io - names: - categories: - - cert-manager - kind: ClusterIssuer - listKind: ClusterIssuerList - plural: clusterissuers - shortNames: - - ciss - singular: clusterissuer - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type == "Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - A ClusterIssuer represents a certificate issuing authority which can be - referenced as part of `issuerRef` fields. - It is similar to an Issuer, however it is cluster-scoped and therefore can - be referenced by resources that exist in *any* namespace, not just the same - namespace as the referent. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. 
- Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Desired state of the ClusterIssuer resource. - properties: - acme: - description: |- - ACME configures this issuer to communicate with a RFC8555 (ACME) server - to obtain signed x509 certificates. - properties: - caBundle: - description: |- - Base64-encoded bundle of PEM CAs which can be used to validate the certificate - chain presented by the ACME server. - Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various - kinds of security vulnerabilities. - If CABundle and SkipTLSVerify are unset, the system certificate bundle inside - the container is used to validate the TLS connection. - format: byte - type: string - disableAccountKeyGeneration: - description: |- - Enables or disables generating a new ACME account key. - If true, the Issuer resource will *not* request a new account but will expect - the account key to be supplied via an existing secret. - If false, the cert-manager system will generate a new ACME account key - for the Issuer. - Defaults to false. - type: boolean - email: - description: |- - Email is the email address to be associated with the ACME account. - This field is optional, but it is strongly recommended to be set. - It will be used to contact you in case of issues with your account or - certificates, including expiry notification emails. 
- This field may be updated after the account is initially registered. - type: string - enableDurationFeature: - description: |- - Enables requesting a Not After date on certificates that matches the - duration of the certificate. This is not supported by all ACME servers - like Let's Encrypt. If set to true when the ACME server does not support - it, it will create an error on the Order. - Defaults to false. - type: boolean - externalAccountBinding: - description: |- - ExternalAccountBinding is a reference to a CA external account of the ACME - server. - If set, upon registration cert-manager will attempt to associate the given - external account credentials with the registered ACME account. - properties: - keyAlgorithm: - description: |- - Deprecated: keyAlgorithm field exists for historical compatibility - reasons and should not be used. The algorithm is now hardcoded to HS256 - in golang/x/crypto/acme. - enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: keyID is the ID of the CA key that the External Account is bound to. - type: string - keySecretRef: - description: |- - keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes - Secret which holds the symmetric MAC key of the External Account Binding. - The `key` is the index string that is paired with the key data in the - Secret and should not be confused with the key data itself, or indeed with - the External Account Binding keyID above. - The secret key stored in the Secret **must** be un-padded, base64 URL - encoded data. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - required: - - keyID - - keySecretRef - type: object - preferredChain: - description: |- - PreferredChain is the chain to use if the ACME server outputs multiple. - PreferredChain is no guarantee that this one gets delivered by the ACME - endpoint. - For example, for Let's Encrypt's DST cross-sign you would use: - "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. - This value picks the first certificate bundle in the combined set of - ACME default and alternative chains that has a root-most certificate with - this value as its issuer's commonname. - maxLength: 64 - type: string - privateKeySecretRef: - description: |- - PrivateKey is the name of a Kubernetes Secret resource that will be used to - store the automatically generated ACME account private key. - Optionally, a `key` may be specified to select a specific entry within - the named Secret resource. - If `key` is not specified, a default of `tls.key` will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - profile: - description: |- - Profile allows requesting a certificate profile from the ACME server. - Supported profiles are listed by the server's ACME directory URL. - type: string - server: - description: |- - Server is the URL used to access the ACME server's 'directory' endpoint. - For example, for Let's Encrypt's staging endpoint, you would use: - "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported. 
- type: string - skipTLSVerify: - description: |- - INSECURE: Enables or disables validation of the ACME server TLS certificate. - If true, requests to the ACME server will not have the TLS certificate chain - validated. - Mutually exclusive with CABundle; prefer using CABundle to prevent various - kinds of security vulnerabilities. - Only enable this option in development environments. - If CABundle and SkipTLSVerify are unset, the system certificate bundle inside - the container is used to validate the TLS connection. - Defaults to false. - type: boolean - solvers: - description: |- - Solvers is a list of challenge solvers that will be used to solve - ACME challenges for the matching domains. - Solver configurations must be provided in order to obtain certificates - from an ACME server. - For more information, see: https://cert-manager.io/docs/configuration/acme/ - items: - description: |- - An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. - A selector may be provided to use different solving strategies for different DNS names. - Only one of HTTP01 or DNS01 must be provided. - properties: - dns01: - description: |- - Configures cert-manager to attempt to complete authorizations by - performing the DNS01 challenge flow. - properties: - acmeDNS: - description: |- - Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage - DNS01 challenge records. - properties: - accountSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - clientTokenSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azureDNS: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - properties: - clientID: - description: |- - Auth: Azure Service Principal: - The ClientID of the Azure Service Principal used to authenticate with Azure DNS. - If set, ClientSecret and TenantID must also be set. - type: string - clientSecretSecretRef: - description: |- - Auth: Azure Service Principal: - A reference to a Secret containing the password associated with the Service Principal. - If set, ClientID and TenantID must also be set. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - environment: - description: name of the Azure environment (default AzurePublicCloud) - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - description: name of the DNS zone that should be used - type: string - managedIdentity: - description: |- - Auth: Azure Workload Identity or Azure Managed Service Identity: - Settings to enable Azure Workload Identity or Azure Managed Service Identity - If set, ClientID, ClientSecret and TenantID must not be set. 
- properties: - clientID: - description: client ID of the managed identity, cannot be used at the same time as resourceID - type: string - resourceID: - description: |- - resource ID of the managed identity, cannot be used at the same time as clientID - Cannot be used for Azure Managed Service Identity - type: string - tenantID: - description: tenant ID of the managed identity, cannot be used at the same time as resourceID - type: string - type: object - resourceGroupName: - description: resource group the DNS zone is located in - type: string - subscriptionID: - description: ID of the Azure subscription - type: string - tenantID: - description: |- - Auth: Azure Service Principal: - The TenantID of the Azure Service Principal used to authenticate with Azure DNS. - If set, ClientID and ClientSecret must also be set. - type: string - required: - - resourceGroupName - - subscriptionID - type: object - cloudDNS: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - properties: - hostedZoneName: - description: |- - HostedZoneName is an optional field that tells cert-manager in which - Cloud DNS zone the challenge record has to be created. - If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. 
- properties: - apiKeySecretRef: - description: |- - API key to use to authenticate with Cloudflare. - Note: using an API token to authenticate is now the recommended method - as it allows greater control of permissions. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - email: - description: Email of the account, only required when using API key based authentication. - type: string - type: object - cnameStrategy: - description: |- - CNAMEStrategy configures how the DNS01 provider should handle CNAME - records when found in DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - properties: - tokenSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: |- - Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: |- - The IP address or hostname of an authoritative DNS server supporting - RFC2136 in the form host:port. If the host is an IPv6 address it must be - enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. - This field is required. - type: string - protocol: - description: Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - enum: - - TCP - - UDP - type: string - tsigAlgorithm: - description: |- - The TSIG Algorithm configured in the DNS supporting RFC2136. Used only - when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. - Supported values are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. - type: string - tsigKeyName: - description: |- - The TSIG Key name configured in the DNS. - If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: |- - The name of the secret containing the TSIG value. - If ``tsigKeyName`` is defined, this field is required. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - properties: - accessKeyID: - description: |- - The AccessKeyID is used for authentication. - Cannot be set when SecretAccessKeyID is set. - If neither the Access Key nor Key ID are set, we fall-back to using env - vars, shared credentials file or AWS Instance metadata, - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: string - accessKeyIDSecretRef: - description: |- - The SecretAccessKey is used for authentication. If set, pull the AWS - access key ID from a key within a Kubernetes Secret. - Cannot be set when AccessKeyID is set. - If neither the Access Key nor Key ID are set, we fall-back to using env - vars, shared credentials file or AWS Instance metadata, - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - auth: - description: Auth configures how cert-manager authenticates. - properties: - kubernetes: - description: |- - Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity - by passing a bound ServiceAccount token. - properties: - serviceAccountRef: - description: |- - A reference to a service account that will be used to request a bound - token (also known as "projected token"). 
To use this field, you must - configure an RBAC rule to let cert-manager request a token. - properties: - audiences: - description: |- - TokenAudiences is an optional list of audiences to include in the - token passed to AWS. The default token consisting of the issuer's namespace - and name is always included. - If unset the audience defaults to `sts.amazonaws.com`. - items: - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: Name of the ServiceAccount used to request a token. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - required: - - kubernetes - type: object - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. - type: string - region: - description: |- - Override the AWS region. - - Route53 is a global service and does not have regional endpoints but the - region specified here (or via environment variables) is used as a hint to - help compute the correct AWS credential scope and partition when it - connects to Route53. See: - - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - - If you omit this region field, cert-manager will use the region from - AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - in the cert-manager controller Pod. - - The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - In this case this `region` field value is ignored. 
- - The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). - Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - In this case this `region` field value is ignored. - type: string - role: - description: |- - Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey - or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: |- - The SecretAccessKey is used for authentication. - If neither the Access Key nor Key ID are set, we fall-back to using env - vars, shared credentials file or AWS Instance metadata, - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - type: object - webhook: - description: |- - Configure an external webhook based DNS01 challenge solver to manage - DNS01 challenge records. - properties: - config: - description: |- - Additional configuration that should be passed to the webhook apiserver - when challenges are processed. - This can contain arbitrary JSON data. - Secret values should not be specified in this stanza. - If secret values are needed (e.g., credentials for a DNS service), you - should use a SecretKeySelector to reference a Secret resource. 
- For details on the schema of this field, consult the webhook provider - implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: |- - The API group name that should be used when POSTing ChallengePayload - resources to the webhook apiserver. - This should be the same as the GroupName specified in the webhook - provider implementation. - type: string - solverName: - description: |- - The name of the solver to use, as defined in the webhook provider - implementation. - This will typically be the name of the provider, e.g., 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: |- - Configures cert-manager to attempt to complete authorizations by - performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard domain names - (e.g., `*.example.com`) using the HTTP01 challenge mechanism. - properties: - gatewayHTTPRoute: - description: |- - The Gateway API is a sig-network community API that models service networking - in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will - create HTTPRoutes with the specified labels in the same namespace as the challenge. - This solver is experimental, and fields / behaviour may change in the future. - properties: - labels: - additionalProperties: - type: string - description: |- - Custom labels that will be applied to HTTPRoutes created by cert-manager - while solving HTTP-01 challenges. - type: object - parentRefs: - description: |- - When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. - cert-manager needs to know which parentRefs should be used when creating - the HTTPRoute. Usually, the parentRef references a Gateway. 
See: - https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - This API may be extended in the future to support additional kinds of parent - resources. - - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. 
For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. 
For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. 
- - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - type: array - x-kubernetes-list-type: atomic - podTemplate: - description: |- - Optional pod template used to configure the ACME challenge solver pods - used for HTTP01 challenges. - properties: - metadata: - description: |- - ObjectMeta overrides for the pod used to solve HTTP01 challenges. - Only the 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built values, the values here - will override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added to the created ACME HTTP01 solver pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: |- - PodSpec defines overrides for the HTTP01 challenge solver pod. - Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - All other fields will be ignored. - properties: - affinity: - description: If specified, the pod's scheduling constraints - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. 
- properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. 
The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. 
due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - imagePullSecrets: - description: If specified, the pod's imagePullSecrets - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - nodeSelector: - additionalProperties: - type: string - description: |- - NodeSelector is a selector which must be true for the pod to fit on a node. - Selector which must match a node's labels for the pod to be scheduled on that node. - More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. 
- type: string - resources: - description: |- - If specified, the pod's resource requirements. - These values override the global resource configuration flags. - Note that when only specifying resource limits, ensure they are greater than or equal - to the corresponding global resource requests configured via controller flags - (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: If specified, the pod's security context - properties: - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. 
The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. 
- type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in addition - to the container's primary GID, the fsGroup (if specified), and group memberships - defined in the container image for the uid of the container process. If unspecified, - no additional groups are added to any container. Note that group memberships - defined in the container image for the uid of the container process are still effective, - even if they are not included in this list. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - type: object - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. 
- If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - serviceType: - description: |- - Optional service type for Kubernetes solver service. Supported values - are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - type: object - ingress: - description: |- - The ingress based HTTP01 challenge solver will solve challenges by - creating or modifying Ingress resources in order to route requests for - '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are - provisioned by cert-manager for each Challenge to be completed. - properties: - class: - description: |- - This field configures the annotation `kubernetes.io/ingress.class` when - creating Ingress resources to solve ACME challenges that use this - challenge solver. Only one of `class`, `name` or `ingressClassName` may - be specified. 
- type: string - ingressClassName: - description: |- - This field configures the field `ingressClassName` on the created Ingress - resources used to solve ACME challenges that use this challenge solver. - This is the recommended way of configuring the ingress class. Only one of - `class`, `name` or `ingressClassName` may be specified. - type: string - ingressTemplate: - description: |- - Optional ingress template used to configure the ACME challenge solver - ingress used for HTTP01 challenges. - properties: - metadata: - description: |- - ObjectMeta overrides for the ingress used to solve HTTP01 challenges. - Only the 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built values, the values here - will override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: |- - The name of the ingress resource that should have ACME challenge solving - routes inserted into it in order to solve HTTP01 challenges. - This is typically used in conjunction with ingress controllers like - ingress-gce, which maintains a 1:1 mapping between external IPs and - ingress resources. Only one of `class`, `name` or `ingressClassName` may - be specified. - type: string - podTemplate: - description: |- - Optional pod template used to configure the ACME challenge solver pods - used for HTTP01 challenges. - properties: - metadata: - description: |- - ObjectMeta overrides for the pod used to solve HTTP01 challenges. - Only the 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built values, the values here - will override the in-built values. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added to the created ACME HTTP01 solver pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: |- - PodSpec defines overrides for the HTTP01 challenge solver pod. - Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - All other fields will be ignored. - properties: - affinity: - description: If specified, the pod's scheduling constraints - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. 
The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - imagePullSecrets: - description: If specified, the pod's imagePullSecrets - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - nodeSelector: - additionalProperties: - type: string - description: |- - NodeSelector is a selector which must be true for the pod to fit on a node. - Selector which must match a node's labels for the pod to be scheduled on that node. - More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - resources: - description: |- - If specified, the pod's resource requirements. - These values override the global resource configuration flags. - Note that when only specifying resource limits, ensure they are greater than or equal - to the corresponding global resource requests configured via controller flags - (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: If specified, the pod's security context - properties: - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. 
- type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. 
- type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in addition - to the container's primary GID, the fsGroup (if specified), and group memberships - defined in the container image for the uid of the container process. If unspecified, - no additional groups are added to any container. Note that group memberships - defined in the container image for the uid of the container process are still effective, - even if they are not included in this list. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. 
- Note that this field cannot be set when spec.os.name is windows.
- items:
- description: Sysctl defines a kernel parameter to be set
- properties:
- name:
- description: Name of a property to set
- type: string
- value:
- description: Value of a property to set
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type: object
- serviceAccountName:
- description: If specified, the pod's service account
- type: string
- tolerations:
- description: If specified, the pod's tolerations.
- items:
- description: |-
- The pod this Toleration is attached to tolerates any taint that matches
- the triple using the matching operator .
- properties:
- effect:
- description: |-
- Effect indicates the taint effect to match. Empty means match all taint effects.
- When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
- type: string
- key:
- description: |-
- Key is the taint key that the toleration applies to. Empty means match all taint keys.
- If the key is empty, operator must be Exists; this combination means to match all values and all keys.
- type: string
- operator:
- description: |-
- Operator represents a key's relationship to the value.
- Valid operators are Exists and Equal. Defaults to Equal.
- Exists is equivalent to wildcard for value, so that a pod can
- tolerate all taints of a particular category.
- type: string
- tolerationSeconds:
- description: |-
- TolerationSeconds represents the period of time the toleration (which must be
- of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
- it is not set, which means tolerate the taint forever (do not evict). Zero and
- negative values will be treated as 0 (evict immediately) by the system.
- format: int64
- type: integer
- value:
- description: |-
- Value is the taint value the toleration matches to.
- If the operator is Exists, the value should be empty, otherwise just a regular string.
- type: string
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type: object
- type: object
- serviceType:
- description: |-
- Optional service type for Kubernetes solver service. Supported values
- are NodePort or ClusterIP. If unset, defaults to NodePort.
- type: string
- type: object
- type: object
- selector:
- description: |-
- Selector selects a set of DNSNames on the Certificate resource that
- should be solved using this challenge solver.
- If not specified, the solver will be treated as the 'default' solver
- with the lowest priority, i.e. if any other solver has a more specific
- match, it will be used instead.
- properties:
- dnsNames:
- description: |-
- List of DNSNames that this solver will be used to solve.
- If specified and a match is found, a dnsNames selector will take
- precedence over a dnsZones selector.
- If multiple solvers match with the same dnsNames value, the solver
- with the most matching labels in matchLabels will be selected.
- If neither has more matches, the solver defined earlier in the list
- will be selected.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- dnsZones:
- description: |-
- List of DNSZones that this solver will be used to solve.
- The most specific DNS zone match specified here will take precedence
- over other DNS zone matches, so a solver specifying sys.example.com
- will be selected over one specifying example.com for the domain
- www.sys.example.com.
- If multiple solvers match with the same dnsZones value, the solver
- with the most matching labels in matchLabels will be selected.
- If neither has more matches, the solver defined earlier in the list
- will be selected.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- A label selector that is used to refine the set of certificate's that
- this challenge solver will apply to.
- type: object
- type: object
- type: object
- type: array
- x-kubernetes-list-type: atomic
- required:
- - privateKeySecretRef
- - server
- type: object
- ca:
- description: |-
- CA configures this issuer to sign certificates using a signing CA keypair
- stored in a Secret resource.
- This is used to build internal PKIs that are managed by cert-manager.
- properties:
- crlDistributionPoints:
- description: |-
- The CRL distribution points is an X.509 v3 certificate extension which identifies
- the location of the CRL from which the revocation of this certificate can be checked.
- If not set, certificates will be issued without distribution points set.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- issuingCertificateURLs:
- description: |-
- IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
- it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
- As an example, such a URL might be "http://ca.domain.com/ca.crt".
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- ocspServers:
- description: |-
- The OCSP server list is an X.509 v3 extension that defines a list of
- URLs of OCSP responders. The OCSP responders can be queried for the
- revocation status of an issued certificate. If not set, the
- certificate will be issued with no OCSP servers set. For example, an
- OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- secretName:
- description: |-
- SecretName is the name of the secret used to sign Certificates issued
- by this Issuer.
- type: string
- required:
- - secretName
- type: object
- selfSigned:
- description: |-
- SelfSigned configures this issuer to 'self sign' certificates using the
- private key used to create the CertificateRequest object.
- properties:
- crlDistributionPoints:
- description: |-
- The CRL distribution points is an X.509 v3 certificate extension which identifies
- the location of the CRL from which the revocation of this certificate can be checked.
- If not set certificate will be issued without CDP. Values are strings.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- vault:
- description: |-
- Vault configures this issuer to sign certificates using a HashiCorp Vault
- PKI backend.
- properties:
- auth:
- description: Auth configures how cert-manager authenticates with the Vault server.
- properties:
- appRole:
- description: |-
- AppRole authenticates with Vault using the App Role auth mechanism,
- with the role and secret stored in a Kubernetes Secret resource.
- properties:
- path:
- description: |-
- Path where the App Role authentication backend is mounted in Vault, e.g:
- "approle"
- type: string
- roleId:
- description: |-
- RoleID configured in the App Role authentication backend when setting
- up the authentication backend in Vault.
- type: string
- secretRef:
- description: |-
- Reference to a key in a Secret that contains the App Role secret used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role secret.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used.
- Some instances of this field may be defaulted, in others it may be
- required.
- type: string
- name:
- description: |-
- Name of the resource being referred to.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- type: string
- required:
- - name
- type: object
- required:
- - path
- - roleId
- - secretRef
- type: object
- clientCertificate:
- description: |-
- ClientCertificate authenticates with Vault by presenting a client
- certificate during the request's TLS handshake.
- Works only when using HTTPS protocol. - properties: - mountPath: - description: |- - The Vault mountPath here is the mount path to use when authenticating with - Vault. For example, setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - default value "/v1/auth/cert" will be used. - type: string - name: - description: |- - Name of the certificate role to authenticate against. - If not set, matching any certificate role, if available. - type: string - secretName: - description: |- - Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - tls.crt and tls.key) used to authenticate to Vault using TLS client - authentication. - type: string - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - description: |- - The Vault mountPath here is the mount path to use when authenticating with - Vault. For example, setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - default value "/v1/auth/kubernetes" will be used. - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - The required Secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. Use of 'ambient credentials' is not - supported. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - serviceAccountRef: - description: |- - A reference to a service account that will be used to request a bound - token (also known as "projected token"). Compared to using "secretRef", - using this field means that you don't rely on statically bound tokens. To - use this field, you must configure an RBAC rule to let cert-manager - request a token. - properties: - audiences: - description: |- - TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token - consisting of the issuer's namespace and name is always included. - items: - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: Name of the ServiceAccount used to request a token. - type: string - required: - - name - type: object - required: - - role - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - type: object - caBundle: - description: |- - Base64-encoded bundle of PEM CAs which will be used to validate the certificate - chain presented by Vault. Only used if using HTTPS to connect to Vault and - ignored for HTTP connections. - Mutually exclusive with CABundleSecretRef. - If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in - the cert-manager controller container is used to validate the TLS connection. 
- format: byte - type: string - caBundleSecretRef: - description: |- - Reference to a Secret containing a bundle of PEM-encoded CAs to use when - verifying the certificate chain presented by Vault when using HTTPS. - Mutually exclusive with CABundle. - If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in - the cert-manager controller container is used to validate the TLS connection. - If no key for the Secret is specified, cert-manager will default to 'ca.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - clientCertSecretRef: - description: |- - Reference to a Secret containing a PEM-encoded Client Certificate to use when the - Vault server requires mTLS. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - clientKeySecretRef: - description: |- - Reference to a Secret containing a PEM-encoded Client Private Key to use when the - Vault server requires mTLS. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g: - "my_pki_mount/sign/my-role-name". - type: string - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - serverName: - description: |- - ServerName is used to verify the hostname on the returned certificates - by the Vault server. - type: string - required: - - auth - - path - - server - type: object - venafi: - description: |- - Venafi configures this issuer to sign certificates using a Venafi TPP - or Venafi Cloud policy zone. - properties: - cloud: - description: |- - Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - url: - description: |- - URL is the base URL for Venafi Cloud. - Defaults to "https://api.venafi.cloud/". 
- type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: |- - TPP specifies Trust Protection Platform configuration settings. - Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: |- - Base64-encoded bundle of PEM CAs which will be used to validate the certificate - chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. - If undefined, the certificate bundle in the cert-manager controller container - is used to validate the chain. - format: byte - type: string - caBundleSecretRef: - description: |- - Reference to a Secret containing a base64-encoded bundle of PEM CAs - which will be used to validate the certificate chain presented by the TPP server. - Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - the cert-manager controller container is used to validate the TLS connection. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - credentialsRef: - description: |- - CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. - The secret must contain the key 'access-token' for the Access Token Authentication, - or two keys, 'username' and 'password' for the API Keys Authentication. - properties: - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - url: - description: |- - URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, - for example: "https://tpp.example.com/vedsdk". - type: string - required: - - credentialsRef - - url - type: object - zone: - description: |- - Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted by the named - zone policy. - This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the ClusterIssuer. This is set and managed automatically. - properties: - acme: - description: |- - ACME specific status options. - This field should only be set if the Issuer is configured to use an ACME - server to issue certificates. - properties: - lastPrivateKeyHash: - description: |- - LastPrivateKeyHash is a hash of the private key associated with the latest - registered ACME account, in order to track changes made to registered account - associated with the Issuer - type: string - lastRegisteredEmail: - description: |- - LastRegisteredEmail is the email associated with the latest registered - ACME account, in order to track changes made to registered account - associated with the Issuer - type: string - uri: - description: |- - URI is the unique account identifier, which can also be used to retrieve - account details from the CA - type: string - type: object - conditions: - description: |- - List of status conditions to indicate the status of a CertificateRequest. - Known condition types are `Ready`. - items: - description: IssuerCondition contains condition information for an Issuer. - properties: - lastTransitionTime: - description: |- - LastTransitionTime is the timestamp corresponding to the last status - change of this condition. 
- format: date-time - type: string - message: - description: |- - Message is a human readable description of the details of the last - transition, complementing reason. - type: string - observedGeneration: - description: |- - If set, this represents the .metadata.generation that the condition was - set based upon. - For instance, if .metadata.generation is currently 12, but the - .status.condition[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the Issuer. - format: int64 - type: integer - reason: - description: |- - Reason is a brief machine readable explanation for the condition's last - transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are (`Ready`). - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: cert-manager/charts/cert-manager/templates/crd-cert-manager.io_issuers.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: "issuers.cert-manager.io" - annotations: - helm.sh/resource-policy: keep - labels: - app: "cert-manager" - app.kubernetes.io/name: "cert-manager" - app.kubernetes.io/instance: "cert-manager" - app.kubernetes.io/component: "crds" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -spec: - group: cert-manager.io - names: - categories: - - cert-manager - kind: Issuer - listKind: IssuerList - plural: issuers - shortNames: - - iss - singular: issuer - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: Ready - type: string - - 
jsonPath: .status.conditions[?(@.type == "Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - An Issuer represents a certificate issuing authority which can be - referenced as part of `issuerRef` fields. - It is scoped to a single namespace and can therefore only be referenced by - resources within the same namespace. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Desired state of the Issuer resource. - properties: - acme: - description: |- - ACME configures this issuer to communicate with a RFC8555 (ACME) server - to obtain signed x509 certificates. - properties: - caBundle: - description: |- - Base64-encoded bundle of PEM CAs which can be used to validate the certificate - chain presented by the ACME server. - Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various - kinds of security vulnerabilities. 
- If CABundle and SkipTLSVerify are unset, the system certificate bundle inside - the container is used to validate the TLS connection. - format: byte - type: string - disableAccountKeyGeneration: - description: |- - Enables or disables generating a new ACME account key. - If true, the Issuer resource will *not* request a new account but will expect - the account key to be supplied via an existing secret. - If false, the cert-manager system will generate a new ACME account key - for the Issuer. - Defaults to false. - type: boolean - email: - description: |- - Email is the email address to be associated with the ACME account. - This field is optional, but it is strongly recommended to be set. - It will be used to contact you in case of issues with your account or - certificates, including expiry notification emails. - This field may be updated after the account is initially registered. - type: string - enableDurationFeature: - description: |- - Enables requesting a Not After date on certificates that matches the - duration of the certificate. This is not supported by all ACME servers - like Let's Encrypt. If set to true when the ACME server does not support - it, it will create an error on the Order. - Defaults to false. - type: boolean - externalAccountBinding: - description: |- - ExternalAccountBinding is a reference to a CA external account of the ACME - server. - If set, upon registration cert-manager will attempt to associate the given - external account credentials with the registered ACME account. - properties: - keyAlgorithm: - description: |- - Deprecated: keyAlgorithm field exists for historical compatibility - reasons and should not be used. The algorithm is now hardcoded to HS256 - in golang/x/crypto/acme. - enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: keyID is the ID of the CA key that the External Account is bound to. 
- type: string - keySecretRef: - description: |- - keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes - Secret which holds the symmetric MAC key of the External Account Binding. - The `key` is the index string that is paired with the key data in the - Secret and should not be confused with the key data itself, or indeed with - the External Account Binding keyID above. - The secret key stored in the Secret **must** be un-padded, base64 URL - encoded data. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - required: - - keyID - - keySecretRef - type: object - preferredChain: - description: |- - PreferredChain is the chain to use if the ACME server outputs multiple. - PreferredChain is no guarantee that this one gets delivered by the ACME - endpoint. - For example, for Let's Encrypt's DST cross-sign you would use: - "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. - This value picks the first certificate bundle in the combined set of - ACME default and alternative chains that has a root-most certificate with - this value as its issuer's commonname. - maxLength: 64 - type: string - privateKeySecretRef: - description: |- - PrivateKey is the name of a Kubernetes Secret resource that will be used to - store the automatically generated ACME account private key. - Optionally, a `key` may be specified to select a specific entry within - the named Secret resource. - If `key` is not specified, a default of `tls.key` will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. 
- Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - profile: - description: |- - Profile allows requesting a certificate profile from the ACME server. - Supported profiles are listed by the server's ACME directory URL. - type: string - server: - description: |- - Server is the URL used to access the ACME server's 'directory' endpoint. - For example, for Let's Encrypt's staging endpoint, you would use: - "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported. - type: string - skipTLSVerify: - description: |- - INSECURE: Enables or disables validation of the ACME server TLS certificate. - If true, requests to the ACME server will not have the TLS certificate chain - validated. - Mutually exclusive with CABundle; prefer using CABundle to prevent various - kinds of security vulnerabilities. - Only enable this option in development environments. - If CABundle and SkipTLSVerify are unset, the system certificate bundle inside - the container is used to validate the TLS connection. - Defaults to false. - type: boolean - solvers: - description: |- - Solvers is a list of challenge solvers that will be used to solve - ACME challenges for the matching domains. - Solver configurations must be provided in order to obtain certificates - from an ACME server. - For more information, see: https://cert-manager.io/docs/configuration/acme/ - items: - description: |- - An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. - A selector may be provided to use different solving strategies for different DNS names. - Only one of HTTP01 or DNS01 must be provided. 
- properties: - dns01: - description: |- - Configures cert-manager to attempt to complete authorizations by - performing the DNS01 challenge flow. - properties: - acmeDNS: - description: |- - Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage - DNS01 challenge records. - properties: - accountSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. 
- type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - clientTokenSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azureDNS: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - properties: - clientID: - description: |- - Auth: Azure Service Principal: - The ClientID of the Azure Service Principal used to authenticate with Azure DNS. - If set, ClientSecret and TenantID must also be set. - type: string - clientSecretSecretRef: - description: |- - Auth: Azure Service Principal: - A reference to a Secret containing the password associated with the Service Principal. - If set, ClientID and TenantID must also be set. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - environment: - description: name of the Azure environment (default AzurePublicCloud) - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - description: name of the DNS zone that should be used - type: string - managedIdentity: - description: |- - Auth: Azure Workload Identity or Azure Managed Service Identity: - Settings to enable Azure Workload Identity or Azure Managed Service Identity - If set, ClientID, ClientSecret and TenantID must not be set. - properties: - clientID: - description: client ID of the managed identity, cannot be used at the same time as resourceID - type: string - resourceID: - description: |- - resource ID of the managed identity, cannot be used at the same time as clientID - Cannot be used for Azure Managed Service Identity - type: string - tenantID: - description: tenant ID of the managed identity, cannot be used at the same time as resourceID - type: string - type: object - resourceGroupName: - description: resource group the DNS zone is located in - type: string - subscriptionID: - description: ID of the Azure subscription - type: string - tenantID: - description: |- - Auth: Azure Service Principal: - The TenantID of the Azure Service Principal used to authenticate with Azure DNS. - If set, ClientID and ClientSecret must also be set. - type: string - required: - - resourceGroupName - - subscriptionID - type: object - cloudDNS: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - properties: - hostedZoneName: - description: |- - HostedZoneName is an optional field that tells cert-manager in which - Cloud DNS zone the challenge record has to be created. - If left empty cert-manager will automatically choose a zone. 
- type: string - project: - type: string - serviceAccountSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - properties: - apiKeySecretRef: - description: |- - API key to use to authenticate with Cloudflare. - Note: using an API token to authenticate is now the recommended method - as it allows greater control of permissions. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - email: - description: Email of the account, only required when using API key based authentication. 
- type: string - type: object - cnameStrategy: - description: |- - CNAMEStrategy configures how the DNS01 provider should handle CNAME - records when found in DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - properties: - tokenSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: |- - Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: |- - The IP address or hostname of an authoritative DNS server supporting - RFC2136 in the form host:port. If the host is an IPv6 address it must be - enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. - This field is required. - type: string - protocol: - description: Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - enum: - - TCP - - UDP - type: string - tsigAlgorithm: - description: |- - The TSIG Algorithm configured in the DNS supporting RFC2136. Used only - when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. - Supported values are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. - type: string - tsigKeyName: - description: |- - The TSIG Key name configured in the DNS. 
- If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: |- - The name of the secret containing the TSIG value. - If ``tsigKeyName`` is defined, this field is required. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - properties: - accessKeyID: - description: |- - The AccessKeyID is used for authentication. - Cannot be set when SecretAccessKeyID is set. - If neither the Access Key nor Key ID are set, we fall-back to using env - vars, shared credentials file or AWS Instance metadata, - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: string - accessKeyIDSecretRef: - description: |- - The SecretAccessKey is used for authentication. If set, pull the AWS - access key ID from a key within a Kubernetes Secret. - Cannot be set when AccessKeyID is set. - If neither the Access Key nor Key ID are set, we fall-back to using env - vars, shared credentials file or AWS Instance metadata, - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - auth: - description: Auth configures how cert-manager authenticates. - properties: - kubernetes: - description: |- - Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity - by passing a bound ServiceAccount token. - properties: - serviceAccountRef: - description: |- - A reference to a service account that will be used to request a bound - token (also known as "projected token"). To use this field, you must - configure an RBAC rule to let cert-manager request a token. - properties: - audiences: - description: |- - TokenAudiences is an optional list of audiences to include in the - token passed to AWS. The default token consisting of the issuer's namespace - and name is always included. - If unset the audience defaults to `sts.amazonaws.com`. - items: - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: Name of the ServiceAccount used to request a token. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - required: - - kubernetes - type: object - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. - type: string - region: - description: |- - Override the AWS region. - - Route53 is a global service and does not have regional endpoints but the - region specified here (or via environment variables) is used as a hint to - help compute the correct AWS credential scope and partition when it - connects to Route53. 
See: - - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - - If you omit this region field, cert-manager will use the region from - AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - in the cert-manager controller Pod. - - The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - In this case this `region` field value is ignored. - - The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). - Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - In this case this `region` field value is ignored. - type: string - role: - description: |- - Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey - or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: |- - The SecretAccessKey is used for authentication. - If neither the Access Key nor Key ID are set, we fall-back to using env - vars, shared credentials file or AWS Instance metadata, - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. 
- Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - type: object - webhook: - description: |- - Configure an external webhook based DNS01 challenge solver to manage - DNS01 challenge records. - properties: - config: - description: |- - Additional configuration that should be passed to the webhook apiserver - when challenges are processed. - This can contain arbitrary JSON data. - Secret values should not be specified in this stanza. - If secret values are needed (e.g., credentials for a DNS service), you - should use a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult the webhook provider - implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: |- - The API group name that should be used when POSTing ChallengePayload - resources to the webhook apiserver. - This should be the same as the GroupName specified in the webhook - provider implementation. - type: string - solverName: - description: |- - The name of the solver to use, as defined in the webhook provider - implementation. - This will typically be the name of the provider, e.g., 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: |- - Configures cert-manager to attempt to complete authorizations by - performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard domain names - (e.g., `*.example.com`) using the HTTP01 challenge mechanism. - properties: - gatewayHTTPRoute: - description: |- - The Gateway API is a sig-network community API that models service networking - in Kubernetes (https://gateway-api.sigs.k8s.io/). 
The Gateway solver will - create HTTPRoutes with the specified labels in the same namespace as the challenge. - This solver is experimental, and fields / behaviour may change in the future. - properties: - labels: - additionalProperties: - type: string - description: |- - Custom labels that will be applied to HTTPRoutes created by cert-manager - while solving HTTP-01 challenges. - type: object - parentRefs: - description: |- - When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. - cert-manager needs to know which parentRefs should be used when creating - the HTTPRoute. Usually, the parentRef references a Gateway. See: - https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - This API may be extended in the future to support additional kinds of parent - resources. - - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. 
- - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). 
It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. 
- - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - type: array - x-kubernetes-list-type: atomic - podTemplate: - description: |- - Optional pod template used to configure the ACME challenge solver pods - used for HTTP01 challenges. - properties: - metadata: - description: |- - ObjectMeta overrides for the pod used to solve HTTP01 challenges. - Only the 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built values, the values here - will override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added to the created ACME HTTP01 solver pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: |- - PodSpec defines overrides for the HTTP01 challenge solver pod. - Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - All other fields will be ignored. - properties: - affinity: - description: If specified, the pod's scheduling constraints - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. 
The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. 
due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - imagePullSecrets: - description: If specified, the pod's imagePullSecrets - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - nodeSelector: - additionalProperties: - type: string - description: |- - NodeSelector is a selector which must be true for the pod to fit on a node. - Selector which must match a node's labels for the pod to be scheduled on that node. - More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. 
- type: string - resources: - description: |- - If specified, the pod's resource requirements. - These values override the global resource configuration flags. - Note that when only specifying resource limits, ensure they are greater than or equal - to the corresponding global resource requests configured via controller flags - (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: If specified, the pod's security context - properties: - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. 
The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. 
- type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in addition - to the container's primary GID, the fsGroup (if specified), and group memberships - defined in the container image for the uid of the container process. If unspecified, - no additional groups are added to any container. Note that group memberships - defined in the container image for the uid of the container process are still effective, - even if they are not included in this list. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - type: object - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. 
- If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - serviceType: - description: |- - Optional service type for Kubernetes solver service. Supported values - are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - type: object - ingress: - description: |- - The ingress based HTTP01 challenge solver will solve challenges by - creating or modifying Ingress resources in order to route requests for - '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are - provisioned by cert-manager for each Challenge to be completed. - properties: - class: - description: |- - This field configures the annotation `kubernetes.io/ingress.class` when - creating Ingress resources to solve ACME challenges that use this - challenge solver. Only one of `class`, `name` or `ingressClassName` may - be specified. 
- type: string - ingressClassName: - description: |- - This field configures the field `ingressClassName` on the created Ingress - resources used to solve ACME challenges that use this challenge solver. - This is the recommended way of configuring the ingress class. Only one of - `class`, `name` or `ingressClassName` may be specified. - type: string - ingressTemplate: - description: |- - Optional ingress template used to configure the ACME challenge solver - ingress used for HTTP01 challenges. - properties: - metadata: - description: |- - ObjectMeta overrides for the ingress used to solve HTTP01 challenges. - Only the 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built values, the values here - will override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: |- - The name of the ingress resource that should have ACME challenge solving - routes inserted into it in order to solve HTTP01 challenges. - This is typically used in conjunction with ingress controllers like - ingress-gce, which maintains a 1:1 mapping between external IPs and - ingress resources. Only one of `class`, `name` or `ingressClassName` may - be specified. - type: string - podTemplate: - description: |- - Optional pod template used to configure the ACME challenge solver pods - used for HTTP01 challenges. - properties: - metadata: - description: |- - ObjectMeta overrides for the pod used to solve HTTP01 challenges. - Only the 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built values, the values here - will override the in-built values. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added to the created ACME HTTP01 solver pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: |- - PodSpec defines overrides for the HTTP01 challenge solver pod. - Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - All other fields will be ignored. - properties: - affinity: - description: If specified, the pod's scheduling constraints - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. 
The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - imagePullSecrets: - description: If specified, the pod's imagePullSecrets - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - nodeSelector: - additionalProperties: - type: string - description: |- - NodeSelector is a selector which must be true for the pod to fit on a node. - Selector which must match a node's labels for the pod to be scheduled on that node. - More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - resources: - description: |- - If specified, the pod's resource requirements. - These values override the global resource configuration flags. - Note that when only specifying resource limits, ensure they are greater than or equal - to the corresponding global resource requests configured via controller flags - (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: If specified, the pod's security context - properties: - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. 
- type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. 
- type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in addition - to the container's primary GID, the fsGroup (if specified), and group memberships - defined in the container image for the uid of the container process. If unspecified, - no additional groups are added to any container. Note that group memberships - defined in the container image for the uid of the container process are still effective, - even if they are not included in this list. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. 
- Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - type: object - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. 
- type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - serviceType: - description: |- - Optional service type for Kubernetes solver service. Supported values - are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - type: object - type: object - selector: - description: |- - Selector selects a set of DNSNames on the Certificate resource that - should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' solver - with the lowest priority, i.e. if any other solver has a more specific - match, it will be used instead. - properties: - dnsNames: - description: |- - List of DNSNames that this solver will be used to solve. - If specified and a match is found, a dnsNames selector will take - precedence over a dnsZones selector. - If multiple solvers match with the same dnsNames value, the solver - with the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier in the list - will be selected. - items: - type: string - type: array - x-kubernetes-list-type: atomic - dnsZones: - description: |- - List of DNSZones that this solver will be used to solve. - The most specific DNS zone match specified here will take precedence - over other DNS zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for the domain - www.sys.example.com. - If multiple solvers match with the same dnsZones value, the solver - with the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier in the list - will be selected. - items: - type: string - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - A label selector that is used to refine the set of certificate's that - this challenge solver will apply to. 
- type: object - type: object - type: object - type: array - x-kubernetes-list-type: atomic - required: - - privateKeySecretRef - - server - type: object - ca: - description: |- - CA configures this issuer to sign certificates using a signing CA keypair - stored in a Secret resource. - This is used to build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: |- - The CRL distribution points is an X.509 v3 certificate extension which identifies - the location of the CRL from which the revocation of this certificate can be checked. - If not set, certificates will be issued without distribution points set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - issuingCertificateURLs: - description: |- - IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates - it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. - As an example, such a URL might be "http://ca.domain.com/ca.crt". - items: - type: string - type: array - x-kubernetes-list-type: atomic - ocspServers: - description: |- - The OCSP server list is an X.509 v3 extension that defines a list of - URLs of OCSP responders. The OCSP responders can be queried for the - revocation status of an issued certificate. If not set, the - certificate will be issued with no OCSP servers set. For example, an - OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". - items: - type: string - type: array - x-kubernetes-list-type: atomic - secretName: - description: |- - SecretName is the name of the secret used to sign Certificates issued - by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: |- - SelfSigned configures this issuer to 'self sign' certificates using the - private key used to create the CertificateRequest object. 
- properties: - crlDistributionPoints: - description: |- - The CRL distribution points is an X.509 v3 certificate extension which identifies - the location of the CRL from which the revocation of this certificate can be checked. - If not set certificate will be issued without CDP. Values are strings. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - vault: - description: |- - Vault configures this issuer to sign certificates using a HashiCorp Vault - PKI backend. - properties: - auth: - description: Auth configures how cert-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - description: |- - Path where the App Role authentication backend is mounted in Vault, e.g: - "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - clientCertificate: - description: |- - ClientCertificate authenticates with Vault by presenting a client - certificate during the request's TLS handshake. 
- Works only when using HTTPS protocol. - properties: - mountPath: - description: |- - The Vault mountPath here is the mount path to use when authenticating with - Vault. For example, setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - default value "/v1/auth/cert" will be used. - type: string - name: - description: |- - Name of the certificate role to authenticate against. - If not set, matching any certificate role, if available. - type: string - secretName: - description: |- - Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - tls.crt and tls.key) used to authenticate to Vault using TLS client - authentication. - type: string - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - description: |- - The Vault mountPath here is the mount path to use when authenticating with - Vault. For example, setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - default value "/v1/auth/kubernetes" will be used. - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - The required Secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. Use of 'ambient credentials' is not - supported. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - serviceAccountRef: - description: |- - A reference to a service account that will be used to request a bound - token (also known as "projected token"). Compared to using "secretRef", - using this field means that you don't rely on statically bound tokens. To - use this field, you must configure an RBAC rule to let cert-manager - request a token. - properties: - audiences: - description: |- - TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token - consisting of the issuer's namespace and name is always included. - items: - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: Name of the ServiceAccount used to request a token. - type: string - required: - - name - type: object - required: - - role - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - type: object - caBundle: - description: |- - Base64-encoded bundle of PEM CAs which will be used to validate the certificate - chain presented by Vault. Only used if using HTTPS to connect to Vault and - ignored for HTTP connections. - Mutually exclusive with CABundleSecretRef. - If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in - the cert-manager controller container is used to validate the TLS connection. 
- format: byte - type: string - caBundleSecretRef: - description: |- - Reference to a Secret containing a bundle of PEM-encoded CAs to use when - verifying the certificate chain presented by Vault when using HTTPS. - Mutually exclusive with CABundle. - If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in - the cert-manager controller container is used to validate the TLS connection. - If no key for the Secret is specified, cert-manager will default to 'ca.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - clientCertSecretRef: - description: |- - Reference to a Secret containing a PEM-encoded Client Certificate to use when the - Vault server requires mTLS. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - clientKeySecretRef: - description: |- - Reference to a Secret containing a PEM-encoded Client Private Key to use when the - Vault server requires mTLS. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g: - "my_pki_mount/sign/my-role-name". - type: string - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - serverName: - description: |- - ServerName is used to verify the hostname on the returned certificates - by the Vault server. - type: string - required: - - auth - - path - - server - type: object - venafi: - description: |- - Venafi configures this issuer to sign certificates using a Venafi TPP - or Venafi Cloud policy zone. - properties: - cloud: - description: |- - Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - url: - description: |- - URL is the base URL for Venafi Cloud. - Defaults to "https://api.venafi.cloud/". 
- type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: |- - TPP specifies Trust Protection Platform configuration settings. - Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: |- - Base64-encoded bundle of PEM CAs which will be used to validate the certificate - chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. - If undefined, the certificate bundle in the cert-manager controller container - is used to validate the chain. - format: byte - type: string - caBundleSecretRef: - description: |- - Reference to a Secret containing a base64-encoded bundle of PEM CAs - which will be used to validate the certificate chain presented by the TPP server. - Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - the cert-manager controller container is used to validate the TLS connection. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. - Some instances of this field may be defaulted, in others it may be - required. - type: string - name: - description: |- - Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - credentialsRef: - description: |- - CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. - The secret must contain the key 'access-token' for the Access Token Authentication, - or two keys, 'username' and 'password' for the API Keys Authentication. - properties: - name: - description: |- - Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - url: - description: |- - URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, - for example: "https://tpp.example.com/vedsdk". - type: string - required: - - credentialsRef - - url - type: object - zone: - description: |- - Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted by the named - zone policy. - This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the Issuer. This is set and managed automatically. - properties: - acme: - description: |- - ACME specific status options. - This field should only be set if the Issuer is configured to use an ACME - server to issue certificates. - properties: - lastPrivateKeyHash: - description: |- - LastPrivateKeyHash is a hash of the private key associated with the latest - registered ACME account, in order to track changes made to registered account - associated with the Issuer - type: string - lastRegisteredEmail: - description: |- - LastRegisteredEmail is the email associated with the latest registered - ACME account, in order to track changes made to registered account - associated with the Issuer - type: string - uri: - description: |- - URI is the unique account identifier, which can also be used to retrieve - account details from the CA - type: string - type: object - conditions: - description: |- - List of status conditions to indicate the status of a CertificateRequest. - Known condition types are `Ready`. - items: - description: IssuerCondition contains condition information for an Issuer. - properties: - lastTransitionTime: - description: |- - LastTransitionTime is the timestamp corresponding to the last status - change of this condition. 
- format: date-time - type: string - message: - description: |- - Message is a human readable description of the details of the last - transition, complementing reason. - type: string - observedGeneration: - description: |- - If set, this represents the .metadata.generation that the condition was - set based upon. - For instance, if .metadata.generation is currently 12, but the - .status.condition[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the Issuer. - format: int64 - type: integer - reason: - description: |- - Reason is a brief machine readable explanation for the condition's last - transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are (`Ready`). - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: cert-manager/charts/cert-manager/templates/cainjector-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-cainjector - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["get", "create", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations", 
"mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch", "update", "patch"] ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -# Issuer controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-controller-issuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -rules: - - apiGroups: ["cert-manager.io"] - resources: ["issuers", "issuers/status"] - verbs: ["update", "patch"] - - apiGroups: ["cert-manager.io"] - resources: ["issuers"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -# ClusterIssuer controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-controller-clusterissuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -rules: - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers", "clusterissuers/status"] - verbs: ["update", "patch"] - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", 
"list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -# Certificates controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-controller-certificates - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] - verbs: ["update", "patch"] - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] - verbs: ["get", "list", "watch"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["cert-manager.io"] - resources: ["certificates/finalizers", "certificaterequests/finalizers"] - verbs: ["update"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders"] - verbs: ["create", "delete", "get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete", "patch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -# Orders controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-controller-orders - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - 
app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -rules: - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders", "orders/status"] - verbs: ["update", "patch"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders", "challenges"] - verbs: ["get", "list", "watch"] - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers", "issuers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges"] - verbs: ["create", "delete"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders/finalizers"] - verbs: ["update"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -# Challenges controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-controller-challenges - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -rules: - # Use to update challenge resource status - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges", "challenges/status"] - verbs: ["update", "patch"] - # Used to watch challenge resources - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges"] - verbs: ["get", "list", "watch"] - # Used to watch challenges, issuer and clusterissuer resources - - apiGroups: ["cert-manager.io"] - resources: ["issuers", "clusterissuers"] - verbs: ["get", 
"list", "watch"] - # Need to be able to retrieve ACME account private key to complete challenges - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - # Used to create events - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - # HTTP01 rules - - apiGroups: [""] - resources: ["pods", "services"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch", "create", "delete", "update"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["httproutes"] - verbs: ["get", "list", "watch", "create", "delete", "update"] - # We require the ability to specify a custom hostname when we are creating - # new ingress resources. - # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 - - apiGroups: ["route.openshift.io"] - resources: ["routes/custom-host"] - verbs: ["create"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges/finalizers"] - verbs: ["update"] - # DNS01 rules (duplicated above) - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -# ingress-shim controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-controller-ingress-shim - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -rules: - - apiGroups: 
["cert-manager.io"] - resources: ["certificates", "certificaterequests"] - verbs: ["create", "update", "delete"] - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/finalizers"] - verbs: ["update"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gateways", "httproutes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gateways/finalizers", "httproutes/finalizers"] - verbs: ["update"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-cluster-view - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 - rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers"] - verbs: ["get", "list", "watch"] ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-view - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" 
- app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "issuers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges", "orders"] - verbs: ["get", "list", "watch"] ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-edit - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "issuers"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["cert-manager.io"] - resources: ["certificates/status"] - verbs: ["update"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges", "orders"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-controller-approve:cert-manager-io - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: 
"v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -rules: - - apiGroups: ["cert-manager.io"] - resources: ["signers"] - verbs: ["approve"] - resourceNames: - - "issuers.cert-manager.io/*" - - "clusterissuers.cert-manager.io/*" ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -# Permission to: -# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers -# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-controller-certificatesigningrequests - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -rules: - - apiGroups: ["certificates.k8s.io"] - resources: ["certificatesigningrequests"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["certificates.k8s.io"] - resources: ["certificatesigningrequests/status"] - verbs: ["update", "patch"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] - verbs: ["sign"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] ---- -# Source: cert-manager/charts/cert-manager/templates/webhook-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-webhook:subjectaccessreviews - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -rules: -- apiGroups: ["authorization.k8s.io"] - resources: 
["subjectaccessreviews"] - verbs: ["create"] ---- -# Source: cert-manager/charts/cert-manager/templates/cainjector-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-cainjector - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-cainjector -subjects: - - name: cert-manager-cainjector - namespace: cert-manager - kind: ServiceAccount ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-controller-issuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-issuers -subjects: - - name: cert-manager - namespace: cert-manager - kind: ServiceAccount ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-controller-clusterissuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-clusterissuers -subjects: - - name: cert-manager - namespace: cert-manager - kind: 
ServiceAccount ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-controller-certificates - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-certificates -subjects: - - name: cert-manager - namespace: cert-manager - kind: ServiceAccount ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-controller-orders - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-orders -subjects: - - name: cert-manager - namespace: cert-manager - kind: ServiceAccount ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-controller-challenges - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-challenges -subjects: - - name: cert-manager - namespace: cert-manager - kind: ServiceAccount ---- -# Source: 
cert-manager/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-controller-ingress-shim - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-ingress-shim -subjects: - - name: cert-manager - namespace: cert-manager - kind: ServiceAccount ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-controller-approve:cert-manager-io - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-approve:cert-manager-io -subjects: - - name: cert-manager - namespace: cert-manager - kind: ServiceAccount ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-controller-certificatesigningrequests - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-certificatesigningrequests -subjects: - - name: cert-manager - namespace: cert-manager - kind: 
ServiceAccount ---- -# Source: cert-manager/charts/cert-manager/templates/webhook-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-webhook:subjectaccessreviews - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-webhook:subjectaccessreviews -subjects: -- kind: ServiceAccount - name: cert-manager-webhook - namespace: cert-manager ---- -# Source: cert-manager/charts/cert-manager/templates/cainjector-rbac.yaml -# leader election rules -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cert-manager-cainjector:leaderelection - namespace: kube-system - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -rules: - # Used for leader election by the controller - # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller - # see cmd/cainjector/start.go#L113 - # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller - # see cmd/cainjector/start.go#L137 - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] - verbs: ["get", "update", "patch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["create"] ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cert-manager:leaderelection - namespace: 
kube-system - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -rules: - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - resourceNames: ["cert-manager-controller"] - verbs: ["get", "update", "patch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["create"] ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cert-manager-tokenrequest - namespace: cert-manager - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -rules: - - apiGroups: [""] - resources: ["serviceaccounts/token"] - resourceNames: ["cert-manager"] - verbs: ["create"] ---- -# Source: cert-manager/charts/cert-manager/templates/webhook-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cert-manager-webhook:dynamic-serving - namespace: cert-manager - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -rules: -- apiGroups: [""] - resources: ["secrets"] - resourceNames: - - 'cert-manager-webhook-ca' - verbs: ["get", "list", "watch", "update"] -# It's not possible to grant CREATE permission on a single resourceName. 
-- apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] ---- -# Source: cert-manager/charts/cert-manager/templates/cainjector-rbac.yaml -# grant cert-manager permission to manage the leaderelection configmap in the -# leader election namespace -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cert-manager-cainjector:leaderelection - namespace: kube-system - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cert-manager-cainjector:leaderelection -subjects: - - kind: ServiceAccount - name: cert-manager-cainjector - namespace: cert-manager ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -# grant cert-manager permission to manage the leaderelection configmap in the -# leader election namespace -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cert-manager:leaderelection - namespace: kube-system - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cert-manager:leaderelection -subjects: - - kind: ServiceAccount - name: cert-manager - namespace: cert-manager ---- -# Source: cert-manager/charts/cert-manager/templates/rbac.yaml -# grant cert-manager permission to create tokens for the serviceaccount -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cert-manager-tokenrequest - namespace: cert-manager - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: 
cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cert-manager-tokenrequest -subjects: - - kind: ServiceAccount - name: cert-manager - namespace: cert-manager ---- -# Source: cert-manager/charts/cert-manager/templates/webhook-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cert-manager-webhook:dynamic-serving - namespace: cert-manager - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cert-manager-webhook:dynamic-serving -subjects: -- kind: ServiceAccount - name: cert-manager-webhook - namespace: cert-manager ---- -# Source: cert-manager/charts/cert-manager/templates/cainjector-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: cert-manager-cainjector - namespace: cert-manager - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -spec: - type: ClusterIP - ports: - - protocol: TCP - port: 9402 - name: http-metrics - selector: - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "cainjector" ---- -# Source: cert-manager/charts/cert-manager/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: cert-manager - namespace: cert-manager - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: 
"controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -spec: - type: ClusterIP - ports: - - protocol: TCP - port: 9402 - name: tcp-prometheus-servicemonitor - targetPort: http-metrics - selector: - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" ---- -# Source: cert-manager/charts/cert-manager/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: cert-manager-webhook - namespace: cert-manager - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -spec: - type: ClusterIP - ports: - - name: https - port: 443 - protocol: TCP - targetPort: "https" - - name: metrics - port: 9402 - protocol: TCP - targetPort: "http-metrics" - selector: - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "webhook" ---- -# Source: cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cert-manager-cainjector - namespace: cert-manager - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -spec: - replicas: 2 - selector: - matchLabels: - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "cainjector" - template: - metadata: - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.19.1" - 
app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 - spec: - serviceAccountName: cert-manager-cainjector - enableServiceLinks: false - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - containers: - - name: cert-manager-cainjector - image: "quay.io/jetstack/cert-manager-cainjector:v1.19.1" - imagePullPolicy: IfNotPresent - args: - - --v=2 - - --leader-election-namespace=kube-system - ports: - - containerPort: 9402 - name: http-metrics - protocol: TCP - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - nodeSelector: - kubernetes.io/os: "linux" ---- -# Source: cert-manager/charts/cert-manager/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cert-manager - namespace: cert-manager - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -spec: - replicas: 2 - selector: - matchLabels: - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - template: - metadata: - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 - spec: - serviceAccountName: cert-manager - enableServiceLinks: false - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - containers: - - name: cert-manager-controller - image: "quay.io/jetstack/cert-manager-controller:v1.19.1" - imagePullPolicy: IfNotPresent - args: - - --v=2 - - 
--cluster-resource-namespace=$(POD_NAMESPACE) - - --leader-election-namespace=kube-system - - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.19.1 - - --enable-gateway-api - - --max-concurrent-challenges=60 - ports: - - containerPort: 9402 - name: http-metrics - protocol: TCP - - containerPort: 9403 - name: http-healthz - protocol: TCP - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - # LivenessProbe settings are based on those used for the Kubernetes - # controller-manager. See: - # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 - livenessProbe: - httpGet: - port: http-healthz - path: /livez - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 15 - successThreshold: 1 - failureThreshold: 8 - nodeSelector: - kubernetes.io/os: "linux" ---- -# Source: cert-manager/charts/cert-manager/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cert-manager-webhook - namespace: cert-manager - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "webhook" - template: - metadata: - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 - spec: - serviceAccountName: cert-manager-webhook - 
enableServiceLinks: false - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - containers: - - name: cert-manager-webhook - image: "quay.io/jetstack/cert-manager-webhook:v1.19.1" - imagePullPolicy: IfNotPresent - args: - - --v=2 - - --secure-port=10250 - - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) - - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca - - --dynamic-serving-dns-names=cert-manager-webhook - - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE) - - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc - ports: - - name: https - protocol: TCP - containerPort: 10250 - - name: healthcheck - protocol: TCP - containerPort: 6080 - - containerPort: 9402 - name: http-metrics - protocol: TCP - livenessProbe: - httpGet: - path: /livez - port: healthcheck - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz - port: healthcheck - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - nodeSelector: - kubernetes.io/os: "linux" ---- -# Source: cert-manager/templates/cluster-issuer.yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-issuer -spec: - acme: - email: alexanderlebens@gmail.com - server: https://acme-v02.api.letsencrypt.org/directory - privateKeySecretRef: - name: letsencrypt-issuer-account-key - solvers: - - selector: - dnsZones: - - "alexlebens.net" - - "*.alexlebens.net" - dns01: - cloudflare: - email: alexanderlebens@gmail.com - apiTokenSecretRef: - name: cloudflare-api-token - key: api-token ---- -# Source: cert-manager/templates/external-secret.yaml 
-apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: cloudflare-api-token - namespace: cert-manager - labels: - app.kubernetes.io/name: cloudflare-api-token - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/part-of: cert-manager -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: api-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/alexlebens.net/clusterissuer - metadataPolicy: None - property: token ---- -# Source: cert-manager/charts/cert-manager/templates/webhook-mutating-webhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: cert-manager-webhook - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 - annotations: - cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca" -webhooks: - - name: webhook.cert-manager.io - rules: - - apiGroups: - - "cert-manager.io" - apiVersions: - - "v1" - operations: - - CREATE - resources: - - "certificaterequests" - admissionReviewVersions: ["v1"] - # This webhook only accepts v1 cert-manager resources. - # Equivalent matchPolicy ensures that non-v1 resource requests are sent to - # this webhook (after the resources have been converted to v1). 
- matchPolicy: Equivalent - timeoutSeconds: 30 - failurePolicy: Fail - # Only include 'sideEffects' field in Kubernetes 1.12+ - sideEffects: None - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /mutate ---- -# Source: cert-manager/charts/cert-manager/templates/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: cert-manager - namespace: cert-manager - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 - prometheus: default -spec: - jobLabel: cert-manager - selector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: - - cainjector - - cert-manager - - webhook - - key: app.kubernetes.io/instance - operator: In - values: - - cert-manager - - key: app.kubernetes.io/component - operator: In - values: - - cainjector - - controller - - webhook - endpoints: - - targetPort: http-metrics - path: /metrics - interval: 60s - scrapeTimeout: 30s - honorLabels: true ---- -# Source: cert-manager/charts/cert-manager/templates/webhook-validating-webhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: cert-manager-webhook - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 - annotations: - cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca" -webhooks: - - name: webhook.cert-manager.io - namespaceSelector: - matchExpressions: - - key: cert-manager.io/disable-validation - operator: NotIn - values: - - "true" - rules: - - apiGroups: - - "cert-manager.io" - - 
"acme.cert-manager.io" - apiVersions: - - "v1" - operations: - - CREATE - - UPDATE - resources: - - "*/*" - admissionReviewVersions: ["v1"] - # This webhook only accepts v1 cert-manager resources. - # Equivalent matchPolicy ensures that non-v1 resource requests are sent to - # this webhook (after the resources have been converted to v1). - matchPolicy: Equivalent - timeoutSeconds: 30 - failurePolicy: Fail - sideEffects: None - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /validate ---- -# Source: cert-manager/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: cert-manager-startupapicheck - namespace: cert-manager - annotations: - helm.sh/hook: post-install - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - helm.sh/hook-weight: "-5" - labels: - app: startupapicheck - app.kubernetes.io/name: startupapicheck - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "startupapicheck" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 ---- -# Source: cert-manager/charts/cert-manager/templates/startupapicheck-rbac.yaml -# create certificate role -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cert-manager-startupapicheck:create-cert - namespace: cert-manager - labels: - app: startupapicheck - app.kubernetes.io/name: startupapicheck - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "startupapicheck" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 - annotations: - helm.sh/hook: post-install - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - helm.sh/hook-weight: "-5" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificaterequests"] - verbs: ["create"] ---- -# Source: 
cert-manager/charts/cert-manager/templates/startupapicheck-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cert-manager-startupapicheck:create-cert - namespace: cert-manager - labels: - app: startupapicheck - app.kubernetes.io/name: startupapicheck - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "startupapicheck" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 - annotations: - helm.sh/hook: post-install - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - helm.sh/hook-weight: "-5" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cert-manager-startupapicheck:create-cert -subjects: - - kind: ServiceAccount - name: cert-manager-startupapicheck - namespace: cert-manager ---- -# Source: cert-manager/charts/cert-manager/templates/startupapicheck-job.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: cert-manager-startupapicheck - namespace: cert-manager - labels: - app: startupapicheck - app.kubernetes.io/name: startupapicheck - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "startupapicheck" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 - annotations: - helm.sh/hook: post-install - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - helm.sh/hook-weight: "1" -spec: - backoffLimit: 4 - template: - metadata: - labels: - app: startupapicheck - app.kubernetes.io/name: startupapicheck - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "startupapicheck" - app.kubernetes.io/version: "v1.19.1" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.19.1 - spec: - restartPolicy: OnFailure - serviceAccountName: cert-manager-startupapicheck - enableServiceLinks: false - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - containers: - - 
name: cert-manager-startupapicheck - image: "quay.io/jetstack/cert-manager-startupapicheck:v1.19.1" - imagePullPolicy: IfNotPresent - args: - - check - - api - - --wait=1m - - -v - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - nodeSelector: - kubernetes.io/os: "linux" diff --git a/clusters/cl01tl/manifests/cilium/cilium.yaml b/clusters/cl01tl/manifests/cilium/cilium.yaml deleted file mode 100644 index d27e5ac0b..000000000 --- a/clusters/cl01tl/manifests/cilium/cilium.yaml +++ /dev/null 
@@ -1,2499 +0,0 @@
---- -# Source: cilium/charts/cilium/templates/cilium-secrets-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium - annotations: ---- -# Source: cilium/charts/cilium/templates/cilium-agent/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: "cilium" - namespace: kube-system ---- -# Source: cilium/charts/cilium/templates/cilium-envoy/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: "cilium-envoy" - namespace: kube-system ---- -# Source: cilium/charts/cilium/templates/cilium-operator/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: "cilium-operator" - namespace: kube-system ---- -# Source: cilium/charts/cilium/templates/hubble-relay/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: "hubble-relay" - namespace: kube-system -automountServiceAccountToken: false ---- -# Source: cilium/charts/cilium/templates/hubble-ui/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: "hubble-ui" - namespace: kube-system ---- -# Source: cilium/charts/cilium/templates/cilium-ca-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: cilium-ca - namespace: kube-system -data: - ca.crt: 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 - ca.key: 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 ---- -# Source: cilium/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: hubble-relay-client-certs - namespace: kube-system -type: kubernetes.io/tls -data: - ca.crt: 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 - tls.crt: 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 - tls.key: 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBcksvQWZ0VFRYaWdaQVlaNEFqUzgycmNVUVNzUDNxMU5mcVRGVkhXKzJvd2twcWZBCjVSelV4Y3NTOEpnZnJ4d2ozZHliVk1rRU1uak41WmxNN21PQ1FUTHl2V0cwdHczV3cvZEIza1huMXNSalRIdk0KY1lqMG00ZWlIN3d0SFI1UUdOVWxvM2NUeVhDN0wrcE1JblVuWTBRQVg0QWR1Z3cxaWs4ZHZPdFlic1g1TGhSNgpLcjhKOWRPaFM1WW1MejV5MFlCaEdYazlCVDJiYUhyZUtRYXNpaFJhYklycmNVQ3djOUhESEZKQ2V5YlBPbmdoCnpZL0tMbkFOY2pLbktGUzNRZ2hHWDZlZ28xbzI5bTlKUTROSnM4dktYVjViS0NGY0xIOWFaRzBUUDFsRlhuWSsKMUcxUjdwTXJnenBuYVFCZC9QWHpiQnJBV1hiMWoyanZXa0xjc1FJREFRQUJBb0lCQVFDZHlJUmhIc0wyVURydwo2dFd5Wms5OHBEVnNpaFVaQ0U0N2ZnQVRlUFptcUJCQStoeEUrMy9xTGUvalI0d0Rxdm1XbVNDUWFvOWNNb2NtCjExaTBwTlY2RHp3K0VBMVlDTndIK0Y4RjRlZkFrM2FMaHI0NXFzS2RiV09VRFpORy9OQ0FzQmlROEpkeXduODIKZTZVUEF1NTNROFgzZkk4czFFVURWK0M3SW1xTjR2UGI2WHZuQzd5NUx6R0x1ME9oRlRSeEgvVm1QMldSSGxvcQprNWlNQWFxVXpzU05NaG41bDlMdks1ZExqUDVqV21JYUdJdzNTemRod2Uvb3YveksxcCtGWFdUMHZxVFAzUTNFClJHT2NnR0gzSU9USG1wQnBTb0hYNDBLYjFtZU82SFlYYXI5ZnRlUlE0eEJyVU16TC90NHp6VWFqS3RJand4NEEKdS93WGdkTEZBb0dCQU5FS1JJS3R4QkY2VlF1MkpsaWhNdXRSSUpEUDdaNmlvWXJ2YWtYeldjYUMrUHE0NXZrcwpPeC9SVEFqWHJrbnBITG5pQUJQeW5EM0VKMHVzSW5XckYyRElrclBmaFdLVTIrcGlPQmVGZ3UxTnZzUXdYMm5VCjd6ZUxXR003ZmROTVJmS1owbEZVM0srRXF2M0Q2VXFZYW9NMWFTQ2IxWlJkVjlIc0htVEpHVHNYQW9HQkFOTjYKMFpSTFJDZFFDK2l4WVVES09RS2xSNmNNWUtJRmFXdDA5Um0vajQwcXRYYzA1WXNnOWpUV3hWMk5iSE11SHlVago0L1FFV0lNQVhLRVZQbUV5UVl3YUdBMVZXcVZ6LzZ2QU9rRitCelV0SDZhOVU5MDJCdUwzUWVuekJERXFLMURBCk12dkp4SDNvdjdlb1dxWmhuTkZtdDB1UlF0cDJ3TXJDR2lvYTFlTjNBb0dBSEd0MjhRVksyTTEyN29hdkkvR1cKaUtPWTk5Y3RDUm8zT0RwZ2ltNFJVSW5SNjlSam9wQys0UTZGZGRaTTNjT1JvanYxb3NDak9VcUh4U1A3ODE5MQphRFVjck5QQXdLeFlVYjlVdk8zcjVQTmk4aTFaYTN3Rm9kbVNCTHU3MlpSUEZqS1BnM3MwSGJDOXhvNXlFekF4Cm12RVIvOXJ2NktIZ0pLd2pYYlJ4ZDdVQ2dZQmdwc0VpQlVRZ3MzUzk1Rk9PU04zRlY4Um5sRUNWeStOaU9SSEwKc3NEb3c1d3Izd0VKbFFieEh6Y1VpbzRHRmc0bDYwRkRSTGt2SmZzdm80WGU1aGtPN3Q0UE9mTXpxdEF1cnF2eApRcWdJcFpiUm5iVzJZL3JCd0Q5ZnJMRTl4d2dFMzlKdFFNbU13ZExkSFJSUTlrdTFhRHhkVFFaQTBnVktwV3RQCjB2UHVBUUtCZ0dpWURQTmxMVjJaZTVpWnVLZ3dTZjdDWkEvejQy
THJrQU01aWk1YktYSm9JcDdVR1lHY0gvVWIKUUwrL01tOEJUcTUrYkJ5aXk2M3FMemp2UkphZDQ1SVZ5bFREQmJIa1VITU9ZbWZwcVNWNFRES3RBbFhWNFpjSwpidkI4MEJua0d3cVBvQjNuZUh6eGhlb2ptaUZObUwxa2llc3NEdnZ5WlVEeUNxTlhjZzJzCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== ---- -# Source: cilium/charts/cilium/templates/hubble/tls-helm/server-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: hubble-server-certs - namespace: kube-system -type: kubernetes.io/tls -data: - ca.crt: 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 - tls.crt: 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 - tls.key: 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 ---- -# Source: cilium/charts/cilium/templates/cilium-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: cilium-config - namespace: kube-system -data: - - # Identity allocation mode selects how identities are shared between cilium - # nodes by setting how they are stored. The options are "crd", "kvstore" or - # "doublewrite-readkvstore" / "doublewrite-readcrd". - # - "crd" stores identities in kubernetes as CRDs (custom resource definition). - # These can be queried with: - # kubectl get ciliumid - # - "kvstore" stores identities in an etcd kvstore, that is - # configured below. Cilium versions before 1.6 supported only the kvstore - # backend. Upgrades from these older cilium versions should continue using - # the kvstore by commenting out the identity-allocation-mode below, or - # setting it to "kvstore". - # - "doublewrite" modes store identities in both the kvstore and CRDs. This is useful - # for seamless migrations from the kvstore mode to the crd mode. Consult the - # documentation for more information on how to perform the migration. 
- identity-allocation-mode: crd - - identity-heartbeat-timeout: "30m0s" - identity-gc-interval: "15m0s" - cilium-endpoint-gc-interval: "5m0s" - nodes-gc-interval: "5m0s" - - # If you want to run cilium in debug mode change this value to true - debug: "false" - metrics-sampling-interval: "5m" - # The agent can be put into the following three policy enforcement modes - # default, always and never. - # https://docs.cilium.io/en/latest/security/policy/intro/#policy-enforcement-modes - enable-policy: "default" - # If you want metrics enabled in all of your Cilium agents, set the port for - # which the Cilium agents will have their metrics exposed. - # This option deprecates the "prometheus-serve-addr" in the - # "cilium-metrics-config" ConfigMap - # NOTE that this will open the port on ALL nodes where Cilium pods are - # scheduled. - prometheus-serve-addr: ":9962" - # A space-separated list of controller groups for which to enable metrics. - # The special values of "all" and "none" are supported. - controller-group-metrics: - write-cni-file - sync-host-ips - sync-lb-maps-with-k8s-services - # If you want metrics enabled in cilium-operator, set the port for - # which the Cilium Operator will have their metrics exposed. - # NOTE that this will open the port on the nodes where Cilium operator pod - # is scheduled. 
- operator-prometheus-serve-addr: ":9963" - enable-metrics: "true" - enable-envoy-config: "true" - envoy-config-retry-interval: "15s" - enable-gateway-api: "true" - enable-gateway-api-secrets-sync: "true" - enable-gateway-api-proxy-protocol: "false" - enable-gateway-api-app-protocol: "true" - enable-gateway-api-alpn: "true" - gateway-api-xff-num-trusted-hops: "0" - gateway-api-service-externaltrafficpolicy: "Cluster" - gateway-api-secrets-namespace: "cilium-secrets" - gateway-api-hostnetwork-enabled: "false" - gateway-api-hostnetwork-nodelabelselector: "" - enable-policy-secrets-sync: "true" - policy-secrets-only-from-secrets-namespace: "true" - policy-secrets-namespace: "cilium-secrets" - - # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4 - # address. - enable-ipv4: "true" - - # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6 - # address. - enable-ipv6: "false" - # Users who wish to specify their own custom CNI configuration file must set - # custom-cni-conf to "true", otherwise Cilium may overwrite the configuration. - custom-cni-conf: "false" - enable-bpf-clock-probe: "false" - # If you want cilium monitor to aggregate tracing for packets, set this level - # to "low", "medium", or "maximum". The higher the level, the less packets - # that will be seen in monitor output. - monitor-aggregation: medium - - # The monitor aggregation interval governs the typical time between monitor - # notification events for each allowed connection. - # - # Only effective when monitor aggregation is set to "medium" or higher. - monitor-aggregation-interval: "5s" - - # The monitor aggregation flags determine which TCP flags which, upon the - # first observation, cause monitor notifications to be generated. - # - # Only effective when monitor aggregation is set to "medium" or higher. 
- monitor-aggregation-flags: all - # Specifies the ratio (0.0-1.0] of total system memory to use for dynamic - # sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps. - bpf-map-dynamic-size-ratio: "0.0025" - # bpf-policy-map-max specifies the maximum number of entries in endpoint - # policy map (per endpoint) - bpf-policy-map-max: "16384" - # bpf-policy-stats-map-max specifies the maximum number of entries in global - # policy stats map - bpf-policy-stats-map-max: "65536" - # bpf-lb-map-max specifies the maximum number of entries in bpf lb service, - # backend and affinity maps. - bpf-lb-map-max: "65536" - bpf-lb-external-clusterip: "false" - bpf-lb-source-range-all-types: "false" - bpf-lb-algorithm-annotation: "false" - bpf-lb-mode-annotation: "false" - - bpf-distributed-lru: "false" - bpf-events-drop-enabled: "true" - bpf-events-policy-verdict-enabled: "true" - bpf-events-trace-enabled: "true" - - # Pre-allocation of map entries allows per-packet latency to be reduced, at - # the expense of up-front memory allocation for the entries in the maps. The - # default value below will minimize memory usage in the default installation; - # users who are sensitive to latency may consider setting this to "true". - # - # This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore - # this option and behave as though it is set to "true". - # - # If this value is modified, then during the next Cilium startup the restore - # of existing endpoints and tracking of ongoing connections may be disrupted. - # As a result, reply packets may be dropped and the load-balancing decisions - # for established connections may change. - # - # If this option is set to "false" during an upgrade from 1.3 or earlier to - # 1.4 or later, then it may cause one-time disruptions during the upgrade. - preallocate-bpf-maps: "false" - - # Name of the cluster. Only relevant when building a mesh of clusters. - cluster-name: "default" - # Unique ID of the cluster. 
Must be unique across all conneted clusters and - # in the range of 1 and 255. Only relevant when building a mesh of clusters. - cluster-id: "0" - - # Encapsulation mode for communication between nodes - # Possible values: - # - disabled - # - vxlan (default) - # - geneve - - routing-mode: "tunnel" - tunnel-protocol: "vxlan" - tunnel-source-port-range: "0-0" - service-no-backend-response: "reject" - - - # Enables L7 proxy for L7 policy enforcement and visibility - enable-l7-proxy: "true" - enable-ipv4-masquerade: "true" - enable-ipv4-big-tcp: "false" - enable-ipv6-big-tcp: "false" - enable-ipv6-masquerade: "true" - enable-tcx: "true" - datapath-mode: "veth" - enable-masquerade-to-route-source: "false" - - enable-xt-socket-fallback: "true" - install-no-conntrack-iptables-rules: "false" - iptables-random-fully: "false" - - auto-direct-node-routes: "false" - direct-routing-skip-unreachable: "false" - - - # List of devices used to attach bpf_host.o (implements BPF NodePort, - # host-firewall and BPF masquerading) - devices: "end0 enp6s0" - - kube-proxy-replacement: "true" - kube-proxy-replacement-healthz-bind-address: "" - bpf-lb-sock: "true" - bpf-lb-sock-hostns-only: "true" - enable-health-check-nodeport: "true" - enable-health-check-loadbalancer-ip: "false" - node-port-bind-protection: "true" - enable-auto-protect-node-port-range: "true" - bpf-lb-acceleration: "disabled" - enable-svc-source-range-check: "true" - enable-l2-neigh-discovery: "false" - k8s-require-ipv4-pod-cidr: "false" - k8s-require-ipv6-pod-cidr: "false" - enable-k8s-networkpolicy: "true" - enable-endpoint-lockdown-on-policy-overflow: "false" - # Tell the agent to generate and write a CNI configuration file - write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist - cni-exclusive: "true" - cni-log-file: "/var/run/cilium/cilium-cni.log" - enable-endpoint-health-checking: "true" - enable-health-checking: "true" - health-check-icmp-failure-threshold: "3" - enable-well-known-identities: "false" 
- enable-node-selector-labels: "false" - synchronize-k8s-nodes: "true" - operator-api-serve-addr: "127.0.0.1:9234" - - enable-hubble: "true" - # UNIX domain socket for Hubble server to listen to. - hubble-socket-path: "/var/run/cilium/hubble.sock" - hubble-network-policy-correlation-enabled: "true" - # An additional address for Hubble server to listen to (e.g. ":4244"). - hubble-listen-address: ":4244" - hubble-disable-tls: "false" - hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt - hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key - hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt - ipam: "kubernetes" - ipam-cilium-node-update-rate: "15s" - - default-lb-service-ipam: "lbipam" - egress-gateway-reconciliation-trigger-interval: "1s" - enable-vtep: "false" - vtep-endpoint: "" - vtep-cidr: "" - vtep-mask: "" - vtep-mac: "" - enable-k8s-endpoint-slice: "true" - procfs: "/host/proc" - bpf-root: "/sys/fs/bpf" - cgroup-root: "/sys/fs/cgroup" - enable-cilium-endpoint-slice: "true" - ces-rate-limits: "[{\"burst\":20,\"limit\":10,\"nodes\":0},{\"burst\":100,\"limit\":50,\"nodes\":100}]" - - identity-management-mode: "agent" - enable-sctp: "false" - k8s-client-qps: "50" - k8s-client-burst: "100" - remove-cilium-node-taints: "true" - set-cilium-node-taints: "true" - set-cilium-is-up-condition: "true" - unmanaged-pod-watcher-interval: "15" - # default DNS proxy to transparent mode in non-chaining modes - dnsproxy-enable-transparent-mode: "true" - dnsproxy-socket-linger-timeout: "10" - tofqdns-dns-reject-response-code: "refused" - tofqdns-enable-dns-compression: "true" - tofqdns-endpoint-max-ip-per-hostname: "1000" - tofqdns-idle-connection-grace-period: "0s" - tofqdns-max-deferred-connection-deletes: "10000" - tofqdns-proxy-response-max-delay: "100ms" - tofqdns-preallocate-identities: "true" - agent-not-ready-taint-key: "node.cilium.io/agent-not-ready" - - mesh-auth-enabled: "true" - mesh-auth-queue-size: "1024" - 
mesh-auth-rotated-identities-queue-size: "1024" - mesh-auth-gc-interval: "5m0s" - - proxy-xff-num-trusted-hops-ingress: "0" - proxy-xff-num-trusted-hops-egress: "0" - proxy-connect-timeout: "2" - proxy-initial-fetch-timeout: "30" - proxy-max-requests-per-connection: "0" - proxy-max-connection-duration-seconds: "0" - proxy-idle-timeout-seconds: "60" - proxy-max-concurrent-retries: "128" - http-retry-count: "3" - http-stream-idle-timeout: "300" - - external-envoy-proxy: "true" - envoy-base-id: "0" - envoy-access-log-buffer-size: "4096" - envoy-keep-cap-netbindservice: "true" - max-connected-clusters: "255" - clustermesh-enable-endpoint-sync: "false" - clustermesh-enable-mcs-api: "false" - policy-default-local-cluster: "false" - - nat-map-stats-entries: "32" - nat-map-stats-interval: "30s" - enable-internal-traffic-policy: "true" - enable-lb-ipam: "true" - enable-non-default-deny-policies: "true" - enable-source-ip-verification: "true" - -# Extra config allows adding arbitrary properties to the cilium config. -# By putting it at the end of the ConfigMap, it's also possible to override existing properties. 
---- -# Source: cilium/charts/cilium/templates/cilium-envoy/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: cilium-envoy-config - namespace: kube-system -data: - # Keep the key name as bootstrap-config.json to avoid breaking changes - bootstrap-config.json: | - {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtoc
olConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cili
um/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig
":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-health-listener"}]}} ---- -# Source: cilium/charts/cilium/templates/hubble-relay/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: hubble-relay-config - namespace: kube-system -data: - config.yaml: | - cluster-name: default - peer-service: "hubble-peer.kube-system.svc.cluster.local.:443" - listen-address: :4245 - gops: true - gops-port: "9893" - retry-timeout: - sort-buffer-len-max: - sort-buffer-drain-timeout: - tls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt - tls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key - tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt - - disable-server-tls: true ---- -# Source: cilium/charts/cilium/templates/hubble-ui/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: hubble-ui-nginx - namespace: kube-system -data: - nginx.conf: "server {\n listen 8081;\n listen [::]:8081;\n server_name localhost;\n root /app;\n index index.html;\n client_max_body_size 1G;\n\n location / {\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n\n location /api {\n proxy_http_version 1.1;\n proxy_pass_request_headers on;\n proxy_pass http://127.0.0.1:8090;\n }\n location / {\n if ($http_user_agent ~* \"kube-probe\") { access_log off; }\n # double `/index.html` is required here\n try_files $uri $uri/ /index.html /index.html;\n }\n\n # Liveness probe\n location /healthz {\n access_log off;\n add_header Content-Type text/plain;\n return 200 'ok';\n }\n }\n}" ---- -# Source: 
cilium/charts/cilium/templates/cilium-agent/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cilium - labels: - app.kubernetes.io/part-of: cilium -rules: -- apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - namespaces - - services - - pods - - endpoints - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - list - - watch - # This is used when validating policies in preflight. This will need to stay - # until we figure out how to avoid "get" inside the preflight, and then - # should be removed ideally. - - get -- apiGroups: - - cilium.io - resources: - - ciliumloadbalancerippools - - ciliumbgppeeringpolicies - - ciliumbgpnodeconfigs - - ciliumbgpadvertisements - - ciliumbgppeerconfigs - - ciliumclusterwideenvoyconfigs - - ciliumclusterwidenetworkpolicies - - ciliumegressgatewaypolicies - - ciliumendpoints - - ciliumendpointslices - - ciliumenvoyconfigs - - ciliumidentities - - ciliumlocalredirectpolicies - - ciliumnetworkpolicies - - ciliumnodes - - ciliumnodeconfigs - - ciliumcidrgroups - - ciliuml2announcementpolicies - - ciliumpodippools - verbs: - - list - - watch -- apiGroups: - - cilium.io - resources: - - ciliumidentities - - ciliumendpoints - - ciliumnodes - verbs: - - create -- apiGroups: - - cilium.io - # To synchronize garbage collection of such resources - resources: - - ciliumidentities - verbs: - - update -- apiGroups: - - cilium.io - resources: - - ciliumendpoints - verbs: - - delete - - get -- apiGroups: - - cilium.io - resources: - - ciliumnodes - - ciliumnodes/status - verbs: - - get - - update -- apiGroups: - - cilium.io - resources: - - ciliumendpoints/status - - ciliumendpoints - - ciliuml2announcementpolicies/status - - 
ciliumbgpnodeconfigs/status - verbs: - - patch ---- -# Source: cilium/charts/cilium/templates/cilium-operator/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cilium-operator - labels: - app.kubernetes.io/part-of: cilium -rules: -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - # to automatically delete [core|kube]dns pods so that are starting to being - # managed by Cilium - - delete -- apiGroups: - - "" - resources: - - configmaps - resourceNames: - - cilium-config - verbs: - # allow patching of the configmap to set annotations - - patch -- apiGroups: - - "" - resources: - - nodes - verbs: - - list - - watch -- apiGroups: - - "" - resources: - # To remove node taints - - nodes - # To set NetworkUnavailable false on startup - - nodes/status - verbs: - - patch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - # to perform LB IP allocation for BGP - - services/status - verbs: - - update - - patch -- apiGroups: - - "" - resources: - # to check apiserver connectivity - - namespaces - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - # to perform the translation of a CNP that contains `ToGroup` to its endpoints - - services - - endpoints - verbs: - - get - - list - - watch - - create - - update - - delete - - patch -- apiGroups: - - cilium.io - resources: - - ciliumnetworkpolicies - - ciliumclusterwidenetworkpolicies - verbs: - # Create auto-generated CNPs and CCNPs from Policies that have 'toGroups' - - create - - update - - deletecollection - # To update the status of the CNPs and CCNPs - - patch - - get - - list - - watch -- apiGroups: - - cilium.io - resources: - - ciliumnetworkpolicies/status - - ciliumclusterwidenetworkpolicies/status - verbs: - # Update the auto-generated CNPs and CCNPs status. 
- - patch - - update -- apiGroups: - - cilium.io - resources: - - ciliumendpoints - - ciliumidentities - verbs: - # To perform garbage collection of such resources - - delete - - list - - watch -- apiGroups: - - cilium.io - resources: - - ciliumidentities - verbs: - # To synchronize garbage collection of such resources - - update -- apiGroups: - - cilium.io - resources: - - ciliumnodes - verbs: - - create - - update - - get - - list - - watch - # To perform CiliumNode garbage collector - - delete -- apiGroups: - - cilium.io - resources: - - ciliumnodes/status - verbs: - - update -- apiGroups: - - cilium.io - resources: - - ciliumendpointslices - - ciliumenvoyconfigs - - ciliumbgppeerconfigs - - ciliumbgpadvertisements - - ciliumbgpnodeconfigs - verbs: - - create - - update - - get - - list - - watch - - delete - - patch -- apiGroups: - - cilium.io - resources: - - ciliumbgpclusterconfigs/status - - ciliumbgppeerconfigs/status - verbs: - - update -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - create - - get - - list - - watch -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - update - resourceNames: - - ciliumloadbalancerippools.cilium.io - - ciliumbgppeeringpolicies.cilium.io - - ciliumbgpclusterconfigs.cilium.io - - ciliumbgppeerconfigs.cilium.io - - ciliumbgpadvertisements.cilium.io - - ciliumbgpnodeconfigs.cilium.io - - ciliumbgpnodeconfigoverrides.cilium.io - - ciliumclusterwideenvoyconfigs.cilium.io - - ciliumclusterwidenetworkpolicies.cilium.io - - ciliumegressgatewaypolicies.cilium.io - - ciliumendpoints.cilium.io - - ciliumendpointslices.cilium.io - - ciliumenvoyconfigs.cilium.io - - ciliumidentities.cilium.io - - ciliumlocalredirectpolicies.cilium.io - - ciliumnetworkpolicies.cilium.io - - ciliumnodes.cilium.io - - ciliumnodeconfigs.cilium.io - - ciliumcidrgroups.cilium.io - - ciliuml2announcementpolicies.cilium.io - - ciliumpodippools.cilium.io - - 
ciliumgatewayclassconfigs.cilium.io -- apiGroups: - - cilium.io - resources: - - ciliumloadbalancerippools - - ciliumpodippools - - ciliumbgppeeringpolicies - - ciliumbgpclusterconfigs - - ciliumbgpnodeconfigoverrides - - ciliumbgppeerconfigs - verbs: - - get - - list - - watch -- apiGroups: - - cilium.io - resources: - - ciliumpodippools - verbs: - - create -- apiGroups: - - cilium.io - resources: - - ciliumloadbalancerippools/status - verbs: - - patch -# For cilium-operator running in HA mode. -# -# Cilium operator running in HA mode requires the use of ResourceLock for Leader Election -# between multiple running instances. -# The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less -# common and fewer objects in the cluster watch "all Leases". -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - update -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - - gateways - - tlsroutes - - httproutes - - grpcroutes - - referencegrants - - referencepolicies - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - verbs: - - patch -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses/status - - gateways/status - - httproutes/status - - grpcroutes/status - - tlsroutes/status - verbs: - - update - - patch -- apiGroups: - - cilium.io - resources: - - ciliumgatewayclassconfigs - verbs: - - get - - list - - watch -- apiGroups: - - cilium.io - resources: - - ciliumgatewayclassconfigs/status - verbs: - - update - - patch -- apiGroups: - - multicluster.x-k8s.io - resources: - - serviceimports - verbs: - - get - - list - - watch ---- -# Source: cilium/charts/cilium/templates/hubble-ui/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: hubble-ui - labels: - app.kubernetes.io/part-of: cilium - -rules: -- apiGroups: - - networking.k8s.io - resources: - - 
networkpolicies - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - componentstatuses - - endpoints - - namespaces - - nodes - - pods - - services - verbs: - - get - - list - - watch -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch -- apiGroups: - - cilium.io - resources: - - "*" - verbs: - - get - - list - - watch ---- -# Source: cilium/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cilium - labels: - app.kubernetes.io/part-of: cilium -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cilium -subjects: -- kind: ServiceAccount - name: "cilium" - namespace: kube-system ---- -# Source: cilium/charts/cilium/templates/cilium-operator/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cilium-operator - labels: - app.kubernetes.io/part-of: cilium -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cilium-operator -subjects: -- kind: ServiceAccount - name: "cilium-operator" - namespace: kube-system ---- -# Source: cilium/charts/cilium/templates/hubble-ui/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: hubble-ui - labels: - app.kubernetes.io/part-of: cilium - -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: hubble-ui -subjects: -- kind: ServiceAccount - name: "hubble-ui" - namespace: kube-system ---- -# Source: cilium/charts/cilium/templates/cilium-agent/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cilium-config-agent - namespace: kube-system - labels: - app.kubernetes.io/part-of: cilium -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch ---- -# Source: cilium/charts/cilium/templates/cilium-agent/role.yaml 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cilium-gateway-secrets - namespace: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- -# Source: cilium/charts/cilium/templates/cilium-agent/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cilium-tlsinterception-secrets - namespace: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- -# Source: cilium/charts/cilium/templates/cilium-operator/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cilium-operator-gateway-secrets - namespace: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - update - - patch ---- -# Source: cilium/charts/cilium/templates/cilium-operator/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cilium-operator-tlsinterception-secrets - namespace: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - update - - patch ---- -# Source: cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cilium-config-agent - namespace: kube-system - labels: - app.kubernetes.io/part-of: cilium -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cilium-config-agent -subjects: - - kind: ServiceAccount - name: "cilium" - namespace: kube-system ---- -# Source: cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cilium-gateway-secrets - namespace: "cilium-secrets" - labels: - app.kubernetes.io/part-of: 
cilium -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cilium-gateway-secrets -subjects: -- kind: ServiceAccount - name: "cilium" - namespace: kube-system ---- -# Source: cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cilium-tlsinterception-secrets - namespace: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cilium-tlsinterception-secrets -subjects: -- kind: ServiceAccount - name: "cilium" - namespace: kube-system ---- -# Source: cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cilium-operator-gateway-secrets - namespace: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cilium-operator-gateway-secrets -subjects: -- kind: ServiceAccount - name: "cilium-operator" - namespace: kube-system ---- -# Source: cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: cilium-operator-tlsinterception-secrets - namespace: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cilium-operator-tlsinterception-secrets -subjects: -- kind: ServiceAccount - name: "cilium-operator" - namespace: kube-system ---- -# Source: cilium/charts/cilium/templates/cilium-agent/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: cilium-agent - namespace: kube-system - labels: - k8s-app: cilium - app.kubernetes.io/name: cilium-agent - app.kubernetes.io/part-of: cilium -spec: - clusterIP: None - type: ClusterIP - selector: - k8s-app: cilium - ports: - - name: metrics - port: 9962 - protocol: TCP - targetPort: prometheus ---- -# Source: 
cilium/charts/cilium/templates/cilium-envoy/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: cilium-envoy - namespace: kube-system - labels: - k8s-app: cilium-envoy - app.kubernetes.io/name: cilium-envoy - app.kubernetes.io/part-of: cilium - io.cilium/app: proxy -spec: - clusterIP: None - type: ClusterIP - selector: - k8s-app: cilium-envoy - ports: - - name: envoy-metrics - port: 9964 - protocol: TCP - targetPort: envoy-metrics ---- -# Source: cilium/charts/cilium/templates/cilium-operator/service.yaml -kind: Service -apiVersion: v1 -metadata: - name: cilium-operator - namespace: kube-system - labels: - io.cilium/app: operator - name: cilium-operator - app.kubernetes.io/part-of: cilium - app.kubernetes.io/name: cilium-operator -spec: - clusterIP: None - type: ClusterIP - ports: - - name: metrics - port: 9963 - protocol: TCP - targetPort: prometheus - selector: - io.cilium/app: operator - name: cilium-operator ---- -# Source: cilium/charts/cilium/templates/hubble-relay/service.yaml -kind: Service -apiVersion: v1 -metadata: - name: hubble-relay - namespace: kube-system - annotations: - labels: - k8s-app: hubble-relay - app.kubernetes.io/name: hubble-relay - app.kubernetes.io/part-of: cilium - -spec: - type: "ClusterIP" - selector: - k8s-app: hubble-relay - ports: - - protocol: TCP - port: 80 - targetPort: grpc ---- -# Source: cilium/charts/cilium/templates/hubble-ui/service.yaml -kind: Service -apiVersion: v1 -metadata: - name: hubble-ui - namespace: kube-system - labels: - k8s-app: hubble-ui - app.kubernetes.io/name: hubble-ui - app.kubernetes.io/part-of: cilium - -spec: - type: "ClusterIP" - selector: - k8s-app: hubble-ui - ports: - - name: http - port: 80 - targetPort: 8081 ---- -# Source: cilium/charts/cilium/templates/hubble/peer-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: hubble-peer - namespace: kube-system - labels: - k8s-app: cilium - app.kubernetes.io/part-of: cilium - app.kubernetes.io/name: hubble-peer - -spec: - selector: 
- k8s-app: cilium - ports: - - name: peer-service - port: 443 - protocol: TCP - targetPort: 4244 - internalTrafficPolicy: Local ---- -# Source: cilium/charts/cilium/templates/cilium-agent/daemonset.yaml -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: cilium - namespace: kube-system - labels: - k8s-app: cilium - app.kubernetes.io/part-of: cilium - app.kubernetes.io/name: cilium-agent -spec: - selector: - matchLabels: - k8s-app: cilium - updateStrategy: - rollingUpdate: - maxUnavailable: 2 - type: RollingUpdate - template: - metadata: - annotations: - # ensure pods roll when configmap updates - cilium.io/cilium-configmap-checksum: "31ad7748e0aefe75b6436d96c8c85754e0b44e68e6012fa188bc5bcd66085828" - kubectl.kubernetes.io/default-container: cilium-agent - labels: - k8s-app: cilium - app.kubernetes.io/name: cilium-agent - app.kubernetes.io/part-of: cilium - spec: - securityContext: - appArmorProfile: - type: Unconfined - seccompProfile: - type: Unconfined - containers: - - name: cilium-agent - image: "quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f" - imagePullPolicy: IfNotPresent - command: - - cilium-agent - args: - - --config-dir=/tmp/cilium/config-map - startupProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9879 - scheme: HTTP - httpHeaders: - - name: "brief" - value: "true" - failureThreshold: 300 - periodSeconds: 2 - successThreshold: 1 - initialDelaySeconds: 5 - livenessProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9879 - scheme: HTTP - httpHeaders: - - name: "brief" - value: "true" - - name: "require-k8s-connectivity" - value: "false" - periodSeconds: 30 - successThreshold: 1 - failureThreshold: 10 - timeoutSeconds: 5 - readinessProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9879 - scheme: HTTP - httpHeaders: - - name: "brief" - value: "true" - periodSeconds: 30 - successThreshold: 1 - failureThreshold: 3 - timeoutSeconds: 5 - env: - - name: 
K8S_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: CILIUM_K8S_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: CILIUM_CLUSTERMESH_CONFIG - value: /var/lib/cilium/clustermesh/ - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: '1' - - name: KUBERNETES_SERVICE_HOST - value: "localhost" - - name: KUBERNETES_SERVICE_PORT - value: "7445" - - name: KUBE_CLIENT_BACKOFF_BASE - value: "1" - - name: KUBE_CLIENT_BACKOFF_DURATION - value: "120" - lifecycle: - postStart: - exec: - command: - - "bash" - - "-c" - - | - set -o errexit - set -o pipefail - set -o nounset - - # When running in AWS ENI mode, it's likely that 'aws-node' has - # had a chance to install SNAT iptables rules. These can result - # in dropped traffic, so we should attempt to remove them. - # We do it using a 'postStart' hook since this may need to run - # for nodes which might have already been init'ed but may still - # have dangling rules. This is safe because there are no - # dependencies on anything that is part of the startup script - # itself, and can be safely run multiple times per node (e.g. in - # case of a restart). - if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; - then - echo 'Deleting iptables rules created by the AWS CNI VPC plugin' - iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore - fi - echo 'Done!' 
- - preStop: - exec: - command: - - /cni-uninstall.sh - ports: - - name: peer-service - containerPort: 4244 - hostPort: 4244 - protocol: TCP - - name: prometheus - containerPort: 9962 - hostPort: 9962 - protocol: TCP - securityContext: - seLinuxOptions: - level: s0 - type: spc_t - capabilities: - add: - - CHOWN - - KILL - - NET_ADMIN - - NET_RAW - - IPC_LOCK - - SYS_ADMIN - - SYS_RESOURCE - - DAC_OVERRIDE - - FOWNER - - SETGID - - SETUID - - PERFMON - - BPF - drop: - - ALL - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - name: envoy-sockets - mountPath: /var/run/cilium/envoy/sockets - readOnly: false - # Unprivileged containers need to mount /proc/sys/net from the host - # to have write access - - mountPath: /host/proc/sys/net - name: host-proc-sys-net - # Unprivileged containers need to mount /proc/sys/kernel from the host - # to have write access - - mountPath: /host/proc/sys/kernel - name: host-proc-sys-kernel - - name: bpf-maps - mountPath: /sys/fs/bpf - # Unprivileged containers can't set mount propagation to bidirectional - # in this case we will mount the bpf fs from an init container that - # is privileged and set the mount propagation from host to container - # in Cilium. 
- mountPropagation: HostToContainer - # Check for duplicate mounts before mounting - - name: cilium-cgroup - mountPath: /sys/fs/cgroup - - name: cilium-run - mountPath: /var/run/cilium - - name: cilium-netns - mountPath: /var/run/cilium/netns - mountPropagation: HostToContainer - - name: etc-cni-netd - mountPath: /host/etc/cni/net.d - - name: clustermesh-secrets - mountPath: /var/lib/cilium/clustermesh - readOnly: true - # Needed to be able to load kernel modules - - name: lib-modules - mountPath: /lib/modules - readOnly: true - - name: xtables-lock - mountPath: /run/xtables.lock - - name: hubble-tls - mountPath: /var/lib/cilium/tls/hubble - readOnly: true - - name: tmp - mountPath: /tmp - - initContainers: - - name: config - image: "quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f" - imagePullPolicy: IfNotPresent - command: - - cilium-dbg - - build-config - env: - - name: K8S_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: CILIUM_K8S_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: KUBERNETES_SERVICE_HOST - value: "localhost" - - name: KUBERNETES_SERVICE_PORT - value: "7445" - volumeMounts: - - name: tmp - mountPath: /tmp - terminationMessagePolicy: FallbackToLogsOnError - - name: apply-sysctl-overwrites - image: "quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f" - imagePullPolicy: IfNotPresent - env: - - name: BIN_PATH - value: /opt/cni/bin - command: - - sh - - -ec - # The statically linked Go program binary is invoked to avoid any - # dependency on utilities like sh that can be missing on certain - # distros installed on the underlying host. Copy the binary to the - # same directory where we install cilium cni plugin so that exec permissions - # are available. 
- - | - cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; - nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; - rm /hostbin/cilium-sysctlfix - volumeMounts: - - name: hostproc - mountPath: /hostproc - - name: cni-path - mountPath: /hostbin - terminationMessagePolicy: FallbackToLogsOnError - securityContext: - seLinuxOptions: - level: s0 - type: spc_t - capabilities: - add: - - SYS_ADMIN - - SYS_CHROOT - - SYS_PTRACE - drop: - - ALL - # Mount the bpf fs if it is not mounted. We will perform this task - # from a privileged container because the mount propagation bidirectional - # only works from privileged containers. - - name: mount-bpf-fs - image: "quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f" - imagePullPolicy: IfNotPresent - args: - - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf' - command: - - /bin/bash - - -c - - -- - terminationMessagePolicy: FallbackToLogsOnError - securityContext: - privileged: true - volumeMounts: - - name: bpf-maps - mountPath: /sys/fs/bpf - mountPropagation: Bidirectional - - name: clean-cilium-state - image: "quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f" - imagePullPolicy: IfNotPresent - command: - - /init-container.sh - env: - - name: CILIUM_ALL_STATE - valueFrom: - configMapKeyRef: - name: cilium-config - key: clean-cilium-state - optional: true - - name: CILIUM_BPF_STATE - valueFrom: - configMapKeyRef: - name: cilium-config - key: clean-cilium-bpf-state - optional: true - - name: WRITE_CNI_CONF_WHEN_READY - valueFrom: - configMapKeyRef: - name: cilium-config - key: write-cni-conf-when-ready - optional: true - - name: KUBERNETES_SERVICE_HOST - value: "localhost" - - name: KUBERNETES_SERVICE_PORT - value: "7445" - terminationMessagePolicy: FallbackToLogsOnError - securityContext: - seLinuxOptions: - level: s0 - type: spc_t - capabilities: - add: - - NET_ADMIN - - SYS_ADMIN - - 
SYS_RESOURCE - drop: - - ALL - volumeMounts: - - name: bpf-maps - mountPath: /sys/fs/bpf - # Required to mount cgroup filesystem from the host to cilium agent pod - - name: cilium-cgroup - mountPath: /sys/fs/cgroup - mountPropagation: HostToContainer - - name: cilium-run - mountPath: /var/run/cilium # wait-for-kube-proxy - # Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent - - name: install-cni-binaries - image: "quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f" - imagePullPolicy: IfNotPresent - command: - - "/install-plugin.sh" - resources: - requests: - cpu: 100m - memory: 10Mi - securityContext: - seLinuxOptions: - level: s0 - type: spc_t - capabilities: - drop: - - ALL - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - name: cni-path - mountPath: /host/opt/cni/bin # .Values.cni.install - restartPolicy: Always - priorityClassName: system-node-critical - serviceAccountName: "cilium" - automountServiceAccountToken: true - terminationGracePeriodSeconds: 1 - hostNetwork: true - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - k8s-app: cilium - topologyKey: kubernetes.io/hostname - nodeSelector: - kubernetes.io/os: linux - tolerations: - - operator: Exists - volumes: - # For sharing configuration between the "config" initContainer and the agent - - name: tmp - emptyDir: {} - # To keep state between restarts / upgrades - - name: cilium-run - hostPath: - path: /var/run/cilium - type: DirectoryOrCreate - # To exec into pod network namespaces - - name: cilium-netns - hostPath: - path: /var/run/netns - type: DirectoryOrCreate - # To keep state between restarts / upgrades for bpf maps - - name: bpf-maps - hostPath: - path: /sys/fs/bpf - type: DirectoryOrCreate - # To mount cgroup2 filesystem on the host or apply sysctlfix - - name: hostproc - hostPath: - path: /proc - type: Directory - # 
To keep state between restarts / upgrades for cgroup2 filesystem - - name: cilium-cgroup - hostPath: - path: /sys/fs/cgroup - type: DirectoryOrCreate - # To install cilium cni plugin in the host - - name: cni-path - hostPath: - path: /opt/cni/bin - type: DirectoryOrCreate - # To install cilium cni configuration in the host - - name: etc-cni-netd - hostPath: - path: /etc/cni/net.d - type: DirectoryOrCreate - # To be able to load kernel modules - - name: lib-modules - hostPath: - path: /lib/modules - # To access iptables concurrently with other processes (e.g. kube-proxy) - - name: xtables-lock - hostPath: - path: /run/xtables.lock - type: FileOrCreate - # Sharing socket with Cilium Envoy on the same node by using a host path - - name: envoy-sockets - hostPath: - path: "/var/run/cilium/envoy/sockets" - type: DirectoryOrCreate - # To read the clustermesh configuration - - name: clustermesh-secrets - projected: - # note: the leading zero means this number is in octal representation: do not remove it - defaultMode: 0400 - sources: - - secret: - name: cilium-clustermesh - optional: true - # note: items are not explicitly listed here, since the entries of this secret - # depend on the peers configured, and that would cause a restart of all agents - # at every addition/removal. Leaving the field empty makes each secret entry - # to be automatically projected into the volume as a file whose name is the key. - - secret: - name: clustermesh-apiserver-remote-cert - optional: true - items: - - key: tls.key - path: common-etcd-client.key - - key: tls.crt - path: common-etcd-client.crt - - key: ca.crt - path: common-etcd-client-ca.crt - # note: we configure the volume for the kvstoremesh-specific certificate - # regardless of whether KVStoreMesh is enabled or not, so that it can be - # automatically mounted in case KVStoreMesh gets subsequently enabled, - # without requiring an agent restart. 
- - secret: - name: clustermesh-apiserver-local-cert - optional: true - items: - - key: tls.key - path: local-etcd-client.key - - key: tls.crt - path: local-etcd-client.crt - - key: ca.crt - path: local-etcd-client-ca.crt - - name: host-proc-sys-net - hostPath: - path: /proc/sys/net - type: Directory - - name: host-proc-sys-kernel - hostPath: - path: /proc/sys/kernel - type: Directory - - name: hubble-tls - projected: - # note: the leading zero means this number is in octal representation: do not remove it - defaultMode: 0400 - sources: - - secret: - name: hubble-server-certs - optional: true - items: - - key: tls.crt - path: server.crt - - key: tls.key - path: server.key - - key: ca.crt - path: client-ca.crt ---- -# Source: cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: cilium-envoy - namespace: kube-system - labels: - k8s-app: cilium-envoy - app.kubernetes.io/part-of: cilium - app.kubernetes.io/name: cilium-envoy - name: cilium-envoy -spec: - selector: - matchLabels: - k8s-app: cilium-envoy - updateStrategy: - rollingUpdate: - maxUnavailable: 2 - type: RollingUpdate - template: - metadata: - annotations: - labels: - k8s-app: cilium-envoy - name: cilium-envoy - app.kubernetes.io/name: cilium-envoy - app.kubernetes.io/part-of: cilium - spec: - securityContext: - appArmorProfile: - type: Unconfined - containers: - - name: cilium-envoy - image: "quay.io/cilium/cilium-envoy:v1.34.10-1762597008-ff7ae7d623be00078865cff1b0672cc5d9bfc6d5@sha256:1deb6709afcb5523579bf1abbc3255adf9e354565a88c4a9162c8d9cb1d77ab5" - imagePullPolicy: IfNotPresent - command: - - /usr/bin/cilium-envoy-starter - args: - - '--keep-cap-net-bind-service' - - '--' - - '-c /var/run/cilium/envoy/bootstrap-config.json' - - '--base-id 0' - - '--log-level info' - startupProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9878 - scheme: HTTP - failureThreshold: 105 - periodSeconds: 2 - successThreshold: 1 - initialDelaySeconds: 
5 - livenessProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9878 - scheme: HTTP - periodSeconds: 30 - successThreshold: 1 - failureThreshold: 10 - timeoutSeconds: 5 - readinessProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9878 - scheme: HTTP - periodSeconds: 30 - successThreshold: 1 - failureThreshold: 3 - timeoutSeconds: 5 - env: - - name: K8S_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: CILIUM_K8S_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: KUBERNETES_SERVICE_HOST - value: "localhost" - - name: KUBERNETES_SERVICE_PORT - value: "7445" - ports: - - name: envoy-metrics - containerPort: 9964 - hostPort: 9964 - protocol: TCP - securityContext: - seLinuxOptions: - level: s0 - type: spc_t - capabilities: - add: - - NET_ADMIN - - NET_BIND_SERVICE - - PERFMON - - BPF - drop: - - ALL - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - name: envoy-sockets - mountPath: /var/run/cilium/envoy/sockets - readOnly: false - - name: envoy-artifacts - mountPath: /var/run/cilium/envoy/artifacts - readOnly: true - - name: envoy-config - mountPath: /var/run/cilium/envoy/ - readOnly: true - - name: bpf-maps - mountPath: /sys/fs/bpf - mountPropagation: HostToContainer - restartPolicy: Always - priorityClassName: system-node-critical - serviceAccountName: "cilium-envoy" - automountServiceAccountToken: true - terminationGracePeriodSeconds: 1 - hostNetwork: true - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: cilium.io/no-schedule - operator: NotIn - values: - - "true" - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - k8s-app: cilium - topologyKey: kubernetes.io/hostname - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - k8s-app: cilium-envoy - topologyKey: 
kubernetes.io/hostname - nodeSelector: - kubernetes.io/os: linux - tolerations: - - operator: Exists - volumes: - - name: envoy-sockets - hostPath: - path: "/var/run/cilium/envoy/sockets" - type: DirectoryOrCreate - - name: envoy-artifacts - hostPath: - path: "/var/run/cilium/envoy/artifacts" - type: DirectoryOrCreate - - name: envoy-config - configMap: - name: "cilium-envoy-config" - # note: the leading zero means this number is in octal representation: do not remove it - defaultMode: 0400 - items: - - key: bootstrap-config.json - path: bootstrap-config.json - # To keep state between restarts / upgrades - # To keep state between restarts / upgrades for bpf maps - - name: bpf-maps - hostPath: - path: /sys/fs/bpf - type: DirectoryOrCreate ---- -# Source: cilium/charts/cilium/templates/cilium-operator/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cilium-operator - namespace: kube-system - labels: - io.cilium/app: operator - name: cilium-operator - app.kubernetes.io/part-of: cilium - app.kubernetes.io/name: cilium-operator -spec: - # See docs on ServerCapabilities.LeasesResourceLock in file pkg/k8s/version/version.go - # for more details. - replicas: 2 - selector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - # ensure operator update on single node k8s clusters, by using rolling update with maxUnavailable=100% in case - # of one replica and no user configured Recreate strategy. - # otherwise an update might get stuck due to the default maxUnavailable=50% in combination with the - # podAntiAffinity which prevents deployments of multiple operator replicas on the same node. 
- strategy: - rollingUpdate: - maxSurge: 25% - maxUnavailable: 50% - type: RollingUpdate - template: - metadata: - annotations: - # ensure pods roll when configmap updates - cilium.io/cilium-configmap-checksum: "31ad7748e0aefe75b6436d96c8c85754e0b44e68e6012fa188bc5bcd66085828" - labels: - io.cilium/app: operator - name: cilium-operator - app.kubernetes.io/part-of: cilium - app.kubernetes.io/name: cilium-operator - spec: - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: cilium-operator - image: "quay.io/cilium/operator-generic:v1.18.4@sha256:1b22b9ff28affdf574378a70dade4ef835b00b080c2ee2418530809dd62c3012" - imagePullPolicy: IfNotPresent - command: - - cilium-operator-generic - args: - - --config-dir=/tmp/cilium/config-map - - --debug=$(CILIUM_DEBUG) - env: - - name: K8S_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: CILIUM_K8S_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: CILIUM_DEBUG - valueFrom: - configMapKeyRef: - key: debug - name: cilium-config - optional: true - - name: KUBERNETES_SERVICE_HOST - value: "localhost" - - name: KUBERNETES_SERVICE_PORT - value: "7445" - ports: - - name: prometheus - containerPort: 9963 - hostPort: 9963 - protocol: TCP - livenessProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9234 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 3 - readinessProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9234 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 5 - timeoutSeconds: 3 - failureThreshold: 5 - volumeMounts: - - name: cilium-config-path - mountPath: /tmp/cilium/config-map - readOnly: true - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - terminationMessagePolicy: FallbackToLogsOnError - hostNetwork: true - restartPolicy: Always - priorityClassName: system-cluster-critical - serviceAccountName: "cilium-operator" - 
automountServiceAccountToken: true - # In HA mode, cilium-operator pods must not be scheduled on the same - # node as they will clash with each other. - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - io.cilium/app: operator - topologyKey: kubernetes.io/hostname - nodeSelector: - kubernetes.io/os: linux - tolerations: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - key: node-role.kubernetes.io/master - operator: Exists - - key: node.kubernetes.io/not-ready - operator: Exists - - key: node.cloudprovider.kubernetes.io/uninitialized - operator: Exists - - key: node.cilium.io/agent-not-ready - operator: Exists - - volumes: - # To read the configuration from the config map - - name: cilium-config-path - configMap: - name: cilium-config ---- -# Source: cilium/charts/cilium/templates/hubble-relay/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: hubble-relay - namespace: kube-system - labels: - k8s-app: hubble-relay - app.kubernetes.io/name: hubble-relay - app.kubernetes.io/part-of: cilium - -spec: - replicas: 1 - selector: - matchLabels: - k8s-app: hubble-relay - strategy: - rollingUpdate: - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - annotations: - labels: - k8s-app: hubble-relay - app.kubernetes.io/name: hubble-relay - app.kubernetes.io/part-of: cilium - spec: - securityContext: - fsGroup: 65532 - seccompProfile: - type: RuntimeDefault - containers: - - name: hubble-relay - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault - image: "quay.io/cilium/hubble-relay:v1.18.4@sha256:6d350cb1c84b847adb152173debef1f774126c69de21a5921a1e6a23b8779723" - imagePullPolicy: IfNotPresent - command: - - hubble-relay - args: - - serve - ports: - - name: grpc - containerPort: 4245 - readinessProbe: - grpc: - port: 4222 - 
timeoutSeconds: 3 - # livenessProbe will kill the pod, we should be very conservative - # here on failures since killing the pod should be a last resort, and - # we should provide enough time for relay to retry before killing it. - livenessProbe: - grpc: - port: 4222 - timeoutSeconds: 10 - # Give relay time to establish connections and make a few retries - # before starting livenessProbes. - initialDelaySeconds: 10 - # 10 second * 12 failures = 2 minutes of failure. - # If relay cannot become healthy after 2 minutes, then killing it - # might resolve whatever issue is occurring. - # - # 10 seconds is a reasonable retry period so we can see if it's - # failing regularly or only sporadically. - periodSeconds: 10 - failureThreshold: 12 - startupProbe: - grpc: - port: 4222 - # Give relay time to get it's certs and establish connections and - # make a few retries before starting startupProbes. - initialDelaySeconds: 10 - # 20 * 3 seconds = 1 minute of failure before we consider startup as failed. - failureThreshold: 20 - # Retry more frequently at startup so that it can be considered started more quickly. 
- periodSeconds: 3 - volumeMounts: - - name: config - mountPath: /etc/hubble-relay - readOnly: true - - name: tls - mountPath: /var/lib/hubble-relay/tls - readOnly: true - terminationMessagePolicy: FallbackToLogsOnError - - restartPolicy: Always - priorityClassName: - serviceAccountName: "hubble-relay" - automountServiceAccountToken: false - terminationGracePeriodSeconds: 1 - affinity: - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - k8s-app: cilium - topologyKey: kubernetes.io/hostname - nodeSelector: - kubernetes.io/os: linux - volumes: - - name: config - configMap: - name: hubble-relay-config - items: - - key: config.yaml - path: config.yaml - - name: tls - projected: - # note: the leading zero means this number is in octal representation: do not remove it - defaultMode: 0400 - sources: - - secret: - name: hubble-relay-client-certs - items: - - key: tls.crt - path: client.crt - - key: tls.key - path: client.key - - key: ca.crt - path: hubble-server-ca.crt ---- -# Source: cilium/charts/cilium/templates/hubble-ui/deployment.yaml -kind: Deployment -apiVersion: apps/v1 -metadata: - name: hubble-ui - namespace: kube-system - labels: - k8s-app: hubble-ui - app.kubernetes.io/name: hubble-ui - app.kubernetes.io/part-of: cilium -spec: - replicas: 1 - selector: - matchLabels: - k8s-app: hubble-ui - strategy: - rollingUpdate: - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - annotations: - labels: - k8s-app: hubble-ui - app.kubernetes.io/name: hubble-ui - app.kubernetes.io/part-of: cilium - spec: - securityContext: - fsGroup: 1001 - runAsGroup: 1001 - runAsUser: 1001 - priorityClassName: - serviceAccountName: "hubble-ui" - automountServiceAccountToken: true - containers: - - name: frontend - image: "quay.io/cilium/hubble-ui:v0.13.3@sha256:661d5de7050182d495c6497ff0b007a7a1e379648e60830dd68c4d78ae21761d" - imagePullPolicy: IfNotPresent - ports: - - name: http - containerPort: 8081 - livenessProbe: - 
httpGet: - path: /healthz - port: 8081 - readinessProbe: - httpGet: - path: / - port: 8081 - volumeMounts: - - name: hubble-ui-nginx-conf - mountPath: /etc/nginx/conf.d/default.conf - subPath: nginx.conf - - name: tmp-dir - mountPath: /tmp - terminationMessagePolicy: FallbackToLogsOnError - securityContext: - allowPrivilegeEscalation: false - - name: backend - image: "quay.io/cilium/hubble-ui-backend:v0.13.3@sha256:db1454e45dc39ca41fbf7cad31eec95d99e5b9949c39daaad0fa81ef29d56953" - imagePullPolicy: IfNotPresent - env: - - name: EVENTS_SERVER_PORT - value: "8090" - - name: FLOWS_API_ADDR - value: "hubble-relay:80" - ports: - - name: grpc - containerPort: 8090 - volumeMounts: - terminationMessagePolicy: FallbackToLogsOnError - securityContext: - allowPrivilegeEscalation: false - nodeSelector: - kubernetes.io/os: linux - volumes: - - configMap: - defaultMode: 420 - name: hubble-ui-nginx - name: hubble-ui-nginx-conf - - emptyDir: {} - name: tmp-dir ---- -# Source: cilium/templates/cilium-bgp-advertisement.yaml -# apiVersion: cilium.io/v2alpha1 -# kind: CiliumBGPAdvertisement -# metadata: -# name: cilium-bgp-advertisements -# namespace: kube-system -# labels: -# app.kubernetes.io/name: cilium-bgp-advertisements -# app.kubernetes.io/instance: cilium -# app.kubernetes.io/part-of: cilium -# spec: -# advertisements: -# - advertisementType: "Service" -# service: -# addresses: -# - ExternalIP -# - LoadBalancerIP -# selector: -# matchExpressions: -# - {key: somekey, operator: NotIn, values: ['never-used-value']} ---- -# Source: cilium/templates/cilium-bgp-cluster-config.yaml -# apiVersion: cilium.io/v2alpha1 -# kind: CiliumBGPClusterConfig -# metadata: -# name: cilium-bgp -# namespace: kube-system -# labels: -# app.kubernetes.io/name: cilium-bgp -# app.kubernetes.io/instance: cilium -# app.kubernetes.io/part-of: cilium -# spec: -# nodeSelector: -# matchLabels: -# node-role.kubernetes.io/bgp: "65020" -# bgpInstances: -# - name: "65020" -# localASN: 65020 -# peers: -# - name: 
"udm-65000" -# peerASN: 65000 -# peerAddress: 192.168.1.1 -# peerConfigRef: -# name: "cilium-peer" ---- -# Source: cilium/templates/cilium-bgp-peer-config.yaml -# apiVersion: cilium.io/v2alpha1 -# kind: CiliumBGPPeerConfig -# metadata: -# name: cilium-peer -# namespace: kube-system -# labels: -# app.kubernetes.io/name: cilium-peer -# app.kubernetes.io/instance: cilium -# app.kubernetes.io/part-of: cilium -# spec: -# timers: -# holdTimeSeconds: 9 -# keepAliveTimeSeconds: 3 -# ebgpMultihop: 4 -# gracefulRestart: -# enabled: true -# restartTimeSeconds: 15 -# families: -# - afi: ipv4 -# safi: unicast -# advertisements: -# matchLabels: -# app.kubernetes.io/name: cilium-bgp-advertisements ---- -# Source: cilium/templates/gateway.yaml -# apiVersion: gateway.networking.k8s.io/v1 -# kind: Gateway -# metadata: -# name: tls-gateway -# namespace: kube-system -# labels: -# app.kubernetes.io/name: tls-gateway -# app.kubernetes.io/instance: cilium -# app.kubernetes.io/part-of: cilium -# annotations: -# cert-manager.io/cluster-issuer: letsencrypt-issuer -# spec: -# gatewayClassName: cilium -# listeners: -# - allowedRoutes: -# namespaces: -# from: All -# hostname: '*.alexlebens.net' -# name: http -# port: 80 -# protocol: HTTP -# - allowedRoutes: -# namespaces: -# from: All -# hostname: '*.alexlebens.net' -# name: https -# port: 443 -# protocol: HTTPS -# tls: -# certificateRefs: -# - group: '' -# kind: Secret -# name: https-gateway-cert -# namespace: kube-system -# mode: Terminate ---- -# Source: cilium/templates/cilium-load-balancer-ip-pool.yaml -apiVersion: "cilium.io/v2alpha1" -kind: CiliumLoadBalancerIPPool -metadata: - name: default-ip-pool - namespace: kube-system - labels: - app.kubernetes.io/name: default-ip-pool - app.kubernetes.io/instance: cilium - app.kubernetes.io/part-of: cilium -spec: - blocks: - - start: "10.232.1.21" - stop: "10.232.1.23" - - start: "10.232.2.21" - stop: "10.232.2.23" ---- -# Source: cilium/templates/cilium-load-balancer-ip-pool.yaml -apiVersion: 
"cilium.io/v2alpha1" -kind: CiliumLoadBalancerIPPool -metadata: - name: bgp-ip-pool - namespace: kube-system - labels: - app.kubernetes.io/name: bgp-ip-pool - app.kubernetes.io/instance: cilium - app.kubernetes.io/part-of: cilium -spec: - blocks: - - start: "10.232.2.100" - stop: "10.232.2.200" - disabled: true ---- -# Source: cilium/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-hubble - namespace: kube-system - labels: - app.kubernetes.io/name: http-route-hubble - app.kubernetes.io/instance: cilium - app.kubernetes.io/part-of: cilium -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - hubble.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: hubble-ui - port: 80 - weight: 100 ---- -# Source: cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: cilium-agent - namespace: kube-system - labels: - app.kubernetes.io/part-of: cilium - app.kubernetes.io/name: cilium-agent -spec: - selector: - matchLabels: - app.kubernetes.io/name: cilium-agent - namespaceSelector: - matchNames: - - kube-system - endpoints: - - port: metrics - interval: "10s" - honorLabels: true - path: /metrics - relabelings: - - action: replace - replacement: ${1} - sourceLabels: - - __meta_kubernetes_pod_node_name - targetLabel: node - # If envoy DaemonSet is enabled, we'll create a separate service for it - # If it is not enabled, that means envoy runs inside cilium-agent and we'll monitor using same service - targetLabels: - - k8s-app ---- -# Source: cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: cilium-envoy - namespace: kube-system - labels: - app.kubernetes.io/part-of: cilium - 
app.kubernetes.io/name: cilium-envoy -spec: - selector: - matchLabels: - k8s-app: cilium-envoy - namespaceSelector: - matchNames: - - kube-system - endpoints: - - port: envoy-metrics - interval: "10s" - honorLabels: true - path: /metrics - relabelings: - - action: replace - replacement: ${1} - sourceLabels: - - __meta_kubernetes_pod_node_name - targetLabel: node - targetLabels: - - k8s-app ---- -# Source: cilium/charts/cilium/templates/cilium-operator/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: cilium-operator - namespace: kube-system - labels: - app.kubernetes.io/part-of: cilium - app.kubernetes.io/name: cilium-operator -spec: - selector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - namespaceSelector: - matchNames: - - kube-system - endpoints: - - port: metrics - interval: "10s" - honorLabels: true - path: /metrics - targetLabels: - - io.cilium/app diff --git a/clusters/cl01tl/manifests/cloudnative-pg/cloudnative-pg.yaml b/clusters/cl01tl/manifests/cloudnative-pg/cloudnative-pg.yaml deleted file mode 100644 index 450731844..000000000 --- a/clusters/cl01tl/manifests/cloudnative-pg/cloudnative-pg.yaml +++ /dev/null 
@@ -1,20151 +0,0 @@ ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/rbac.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: cloudnative-pg - namespace: cloudnative-pg - labels: - helm.sh/chart: cloudnative-pg-0.26.1 - app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" - app.kubernetes.io/managed-by: Helm ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/rbac.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - helm.sh/chart: plugin-barman-cloud-0.3.1 - app.kubernetes.io/name: plugin-barman-cloud - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "v0.9.0" - app.kubernetes.io/managed-by: Helm - name: cloudnative-pg-plugin-barman-cloud - namespace: cloudnative-pg ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/config.yaml -# -# Copyright © contributors to CloudNativePG, established as -# CloudNativePG a Series of LF Projects, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
-# -# SPDX-License-Identifier: Apache-2.0 -# -apiVersion: v1 -kind: ConfigMap -metadata: - name: cnpg-controller-manager-config - namespace: cloudnative-pg - labels: - helm.sh/chart: cloudnative-pg-0.26.1 - app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" - app.kubernetes.io/managed-by: Helm -data: - {} ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/monitoring-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: cnpg-default-monitoring - namespace: cloudnative-pg - labels: - helm.sh/chart: cloudnative-pg-0.26.1 - app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" - app.kubernetes.io/managed-by: Helm - cnpg.io/reload: "" -data: - queries: - | - backends: - query: | - SELECT sa.datname - , sa.usename - , sa.application_name - , states.state - , COALESCE(sa.count, 0) AS total - , COALESCE(sa.max_tx_secs, 0) AS max_tx_duration_seconds - FROM ( VALUES ('active') - , ('idle') - , ('idle in transaction') - , ('idle in transaction (aborted)') - , ('fastpath function call') - , ('disabled') - ) AS states(state) - LEFT JOIN ( - SELECT datname - , state - , usename - , COALESCE(application_name, '') AS application_name - , COUNT(*) - , COALESCE(EXTRACT (EPOCH FROM (max(now() - xact_start))), 0) AS max_tx_secs - FROM pg_catalog.pg_stat_activity - GROUP BY datname, state, usename, application_name - ) sa ON states.state = sa.state - WHERE sa.usename IS NOT NULL - metrics: - - datname: - usage: "LABEL" - description: "Name of the database" - - usename: - usage: "LABEL" - description: "Name of the user" - - application_name: - usage: "LABEL" - description: "Name of the application" - - state: - usage: "LABEL" - description: "State of the backend" - - total: - usage: "GAUGE" - description: "Number of backends" - - max_tx_duration_seconds: - usage: "GAUGE" - description: "Maximum duration of a transaction in 
seconds" - - backends_waiting: - query: | - SELECT count(*) AS total - FROM pg_catalog.pg_locks blocked_locks - JOIN pg_catalog.pg_locks blocking_locks - ON blocking_locks.locktype = blocked_locks.locktype - AND blocking_locks.database IS NOT DISTINCT FROM blocked_locks.database - AND blocking_locks.relation IS NOT DISTINCT FROM blocked_locks.relation - AND blocking_locks.page IS NOT DISTINCT FROM blocked_locks.page - AND blocking_locks.tuple IS NOT DISTINCT FROM blocked_locks.tuple - AND blocking_locks.virtualxid IS NOT DISTINCT FROM blocked_locks.virtualxid - AND blocking_locks.transactionid IS NOT DISTINCT FROM blocked_locks.transactionid - AND blocking_locks.classid IS NOT DISTINCT FROM blocked_locks.classid - AND blocking_locks.objid IS NOT DISTINCT FROM blocked_locks.objid - AND blocking_locks.objsubid IS NOT DISTINCT FROM blocked_locks.objsubid - AND blocking_locks.pid != blocked_locks.pid - JOIN pg_catalog.pg_stat_activity blocking_activity ON blocking_activity.pid = blocking_locks.pid - WHERE NOT blocked_locks.granted - metrics: - - total: - usage: "GAUGE" - description: "Total number of backends that are currently waiting on other queries" - - pg_database: - query: | - SELECT datname - , pg_catalog.pg_database_size(datname) AS size_bytes - , pg_catalog.age(datfrozenxid) AS xid_age - , pg_catalog.mxid_age(datminmxid) AS mxid_age - FROM pg_catalog.pg_database - WHERE datallowconn - metrics: - - datname: - usage: "LABEL" - description: "Name of the database" - - size_bytes: - usage: "GAUGE" - description: "Disk space used by the database" - - xid_age: - usage: "GAUGE" - description: "Number of transactions from the frozen XID to the current one" - - mxid_age: - usage: "GAUGE" - description: "Number of multiple transactions (Multixact) from the frozen XID to the current one" - - pg_postmaster: - query: | - SELECT EXTRACT(EPOCH FROM pg_postmaster_start_time) AS start_time - FROM pg_catalog.pg_postmaster_start_time() - metrics: - - start_time: - usage: "GAUGE" 
- description: "Time at which postgres started (based on epoch)" - - pg_replication: - query: "SELECT CASE WHEN ( - NOT pg_catalog.pg_is_in_recovery() - OR pg_catalog.pg_last_wal_receive_lsn() = pg_catalog.pg_last_wal_replay_lsn()) - THEN 0 - ELSE GREATEST (0, - EXTRACT(EPOCH FROM (now() - pg_catalog.pg_last_xact_replay_timestamp()))) - END AS lag, - pg_catalog.pg_is_in_recovery() AS in_recovery, - EXISTS (TABLE pg_stat_wal_receiver) AS is_wal_receiver_up, - (SELECT count(*) FROM pg_catalog.pg_stat_replication) AS streaming_replicas" - metrics: - - lag: - usage: "GAUGE" - description: "Replication lag behind primary in seconds" - - in_recovery: - usage: "GAUGE" - description: "Whether the instance is in recovery" - - is_wal_receiver_up: - usage: "GAUGE" - description: "Whether the instance wal_receiver is up" - - streaming_replicas: - usage: "GAUGE" - description: "Number of streaming replicas connected to the instance" - - pg_replication_slots: - query: | - SELECT slot_name, - slot_type, - database, - active, - (CASE pg_catalog.pg_is_in_recovery() - WHEN TRUE THEN pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_last_wal_receive_lsn(), restart_lsn) - ELSE pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), restart_lsn) - END) as pg_wal_lsn_diff - FROM pg_catalog.pg_replication_slots - WHERE NOT temporary - metrics: - - slot_name: - usage: "LABEL" - description: "Name of the replication slot" - - slot_type: - usage: "LABEL" - description: "Type of the replication slot" - - database: - usage: "LABEL" - description: "Name of the database" - - active: - usage: "GAUGE" - description: "Flag indicating whether the slot is active" - - pg_wal_lsn_diff: - usage: "GAUGE" - description: "Replication lag in bytes" - - pg_stat_archiver: - query: | - SELECT archived_count - , failed_count - , COALESCE(EXTRACT(EPOCH FROM (now() - last_archived_time)), -1) AS seconds_since_last_archival - , COALESCE(EXTRACT(EPOCH FROM (now() - last_failed_time)), -1) AS seconds_since_last_failure 
- , COALESCE(EXTRACT(EPOCH FROM last_archived_time), -1) AS last_archived_time - , COALESCE(EXTRACT(EPOCH FROM last_failed_time), -1) AS last_failed_time - , COALESCE(CAST(CAST('x'||pg_catalog.right(pg_catalog.split_part(last_archived_wal, '.', 1), 16) AS pg_catalog.bit(64)) AS pg_catalog.int8), -1) AS last_archived_wal_start_lsn - , COALESCE(CAST(CAST('x'||pg_catalog.right(pg_catalog.split_part(last_failed_wal, '.', 1), 16) AS pg_catalog.bit(64)) AS pg_catalog.int8), -1) AS last_failed_wal_start_lsn - , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time - FROM pg_catalog.pg_stat_archiver - metrics: - - archived_count: - usage: "COUNTER" - description: "Number of WAL files that have been successfully archived" - - failed_count: - usage: "COUNTER" - description: "Number of failed attempts for archiving WAL files" - - seconds_since_last_archival: - usage: "GAUGE" - description: "Seconds since the last successful archival operation" - - seconds_since_last_failure: - usage: "GAUGE" - description: "Seconds since the last failed archival operation" - - last_archived_time: - usage: "GAUGE" - description: "Epoch of the last time WAL archiving succeeded" - - last_failed_time: - usage: "GAUGE" - description: "Epoch of the last time WAL archiving failed" - - last_archived_wal_start_lsn: - usage: "GAUGE" - description: "Archived WAL start LSN" - - last_failed_wal_start_lsn: - usage: "GAUGE" - description: "Last failed WAL LSN" - - stats_reset_time: - usage: "GAUGE" - description: "Time at which these statistics were last reset" - - pg_stat_bgwriter: - runonserver: "<17.0.0" - query: | - SELECT checkpoints_timed - , checkpoints_req - , checkpoint_write_time - , checkpoint_sync_time - , buffers_checkpoint - , buffers_clean - , maxwritten_clean - , buffers_backend - , buffers_backend_fsync - , buffers_alloc - FROM pg_catalog.pg_stat_bgwriter - metrics: - - checkpoints_timed: - usage: "COUNTER" - description: "Number of scheduled checkpoints that have been performed" - - 
checkpoints_req: - usage: "COUNTER" - description: "Number of requested checkpoints that have been performed" - - checkpoint_write_time: - usage: "COUNTER" - description: "Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk, in milliseconds" - - checkpoint_sync_time: - usage: "COUNTER" - description: "Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk, in milliseconds" - - buffers_checkpoint: - usage: "COUNTER" - description: "Number of buffers written during checkpoints" - - buffers_clean: - usage: "COUNTER" - description: "Number of buffers written by the background writer" - - maxwritten_clean: - usage: "COUNTER" - description: "Number of times the background writer stopped a cleaning scan because it had written too many buffers" - - buffers_backend: - usage: "COUNTER" - description: "Number of buffers written directly by a backend" - - buffers_backend_fsync: - usage: "COUNTER" - description: "Number of times a backend had to execute its own fsync call (normally the background writer handles those even when the backend does its own write)" - - buffers_alloc: - usage: "COUNTER" - description: "Number of buffers allocated" - - pg_stat_bgwriter_17: - runonserver: ">=17.0.0" - name: pg_stat_bgwriter - query: | - SELECT buffers_clean - , maxwritten_clean - , buffers_alloc - , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time - FROM pg_catalog.pg_stat_bgwriter - metrics: - - buffers_clean: - usage: "COUNTER" - description: "Number of buffers written by the background writer" - - maxwritten_clean: - usage: "COUNTER" - description: "Number of times the background writer stopped a cleaning scan because it had written too many buffers" - - buffers_alloc: - usage: "COUNTER" - description: "Number of buffers allocated" - - stats_reset_time: - usage: "GAUGE" - description: "Time at which these statistics were last reset" - - pg_stat_checkpointer: 
- runonserver: ">=17.0.0" - query: | - SELECT num_timed AS checkpoints_timed - , num_requested AS checkpoints_req - , restartpoints_timed - , restartpoints_req - , restartpoints_done - , write_time - , sync_time - , buffers_written - , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time - FROM pg_catalog.pg_stat_checkpointer - metrics: - - checkpoints_timed: - usage: "COUNTER" - description: "Number of scheduled checkpoints that have been performed" - - checkpoints_req: - usage: "COUNTER" - description: "Number of requested checkpoints that have been performed" - - restartpoints_timed: - usage: "COUNTER" - description: "Number of scheduled restartpoints due to timeout or after a failed attempt to perform it" - - restartpoints_req: - usage: "COUNTER" - description: "Number of requested restartpoints that have been performed" - - restartpoints_done: - usage: "COUNTER" - description: "Number of restartpoints that have been performed" - - write_time: - usage: "COUNTER" - description: "Total amount of time that has been spent in the portion of processing checkpoints and restartpoints where files are written to disk, in milliseconds" - - sync_time: - usage: "COUNTER" - description: "Total amount of time that has been spent in the portion of processing checkpoints and restartpoints where files are synchronized to disk, in milliseconds" - - buffers_written: - usage: "COUNTER" - description: "Number of buffers written during checkpoints and restartpoints" - - stats_reset_time: - usage: "GAUGE" - description: "Time at which these statistics were last reset" - - pg_stat_database: - query: | - SELECT datname - , xact_commit - , xact_rollback - , blks_read - , blks_hit - , tup_returned - , tup_fetched - , tup_inserted - , tup_updated - , tup_deleted - , conflicts - , temp_files - , temp_bytes - , deadlocks - , blk_read_time - , blk_write_time - FROM pg_catalog.pg_stat_database - metrics: - - datname: - usage: "LABEL" - description: "Name of this database" - - xact_commit: - 
usage: "COUNTER" - description: "Number of transactions in this database that have been committed" - - xact_rollback: - usage: "COUNTER" - description: "Number of transactions in this database that have been rolled back" - - blks_read: - usage: "COUNTER" - description: "Number of disk blocks read in this database" - - blks_hit: - usage: "COUNTER" - description: "Number of times disk blocks were found already in the buffer cache, so that a read was not necessary (this only includes hits in the PostgreSQL buffer cache, not the operating system's file system cache)" - - tup_returned: - usage: "COUNTER" - description: "Number of rows returned by queries in this database" - - tup_fetched: - usage: "COUNTER" - description: "Number of rows fetched by queries in this database" - - tup_inserted: - usage: "COUNTER" - description: "Number of rows inserted by queries in this database" - - tup_updated: - usage: "COUNTER" - description: "Number of rows updated by queries in this database" - - tup_deleted: - usage: "COUNTER" - description: "Number of rows deleted by queries in this database" - - conflicts: - usage: "COUNTER" - description: "Number of queries canceled due to conflicts with recovery in this database" - - temp_files: - usage: "COUNTER" - description: "Number of temporary files created by queries in this database" - - temp_bytes: - usage: "COUNTER" - description: "Total amount of data written to temporary files by queries in this database" - - deadlocks: - usage: "COUNTER" - description: "Number of deadlocks detected in this database" - - blk_read_time: - usage: "COUNTER" - description: "Time spent reading data file blocks by backends in this database, in milliseconds" - - blk_write_time: - usage: "COUNTER" - description: "Time spent writing data file blocks by backends in this database, in milliseconds" - - pg_stat_replication: - primary: true - query: | - SELECT usename - , COALESCE(application_name, '') AS application_name - , COALESCE(client_addr::text, '') AS 
client_addr - , COALESCE(client_port::text, '') AS client_port - , EXTRACT(EPOCH FROM backend_start) AS backend_start - , COALESCE(pg_catalog.age(backend_xmin), 0) AS backend_xmin_age - , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), sent_lsn) AS sent_diff_bytes - , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), write_lsn) AS write_diff_bytes - , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), flush_lsn) AS flush_diff_bytes - , COALESCE(pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), replay_lsn),0) AS replay_diff_bytes - , COALESCE((EXTRACT(EPOCH FROM write_lag)),0)::float AS write_lag_seconds - , COALESCE((EXTRACT(EPOCH FROM flush_lag)),0)::float AS flush_lag_seconds - , COALESCE((EXTRACT(EPOCH FROM replay_lag)),0)::float AS replay_lag_seconds - FROM pg_catalog.pg_stat_replication - metrics: - - usename: - usage: "LABEL" - description: "Name of the replication user" - - application_name: - usage: "LABEL" - description: "Name of the application" - - client_addr: - usage: "LABEL" - description: "Client IP address" - - client_port: - usage: "LABEL" - description: "Client TCP port" - - backend_start: - usage: "COUNTER" - description: "Time when this process was started" - - backend_xmin_age: - usage: "COUNTER" - description: "The age of this standby's xmin horizon" - - sent_diff_bytes: - usage: "GAUGE" - description: "Difference in bytes from the last write-ahead log location sent on this connection" - - write_diff_bytes: - usage: "GAUGE" - description: "Difference in bytes from the last write-ahead log location written to disk by this standby server" - - flush_diff_bytes: - usage: "GAUGE" - description: "Difference in bytes from the last write-ahead log location flushed to disk by this standby server" - - replay_diff_bytes: - usage: "GAUGE" - description: "Difference in bytes from the last write-ahead log location replayed into the database on this standby server" - - write_lag_seconds: - usage: "GAUGE" - 
description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written it" - - flush_lag_seconds: - usage: "GAUGE" - description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written and flushed it" - - replay_lag_seconds: - usage: "GAUGE" - description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written, flushed and applied it" - - pg_settings: - query: | - SELECT name, - CASE setting WHEN 'on' THEN '1' WHEN 'off' THEN '0' ELSE setting END AS setting - FROM pg_catalog.pg_settings - WHERE vartype IN ('integer', 'real', 'bool') - ORDER BY 1 - metrics: - - name: - usage: "LABEL" - description: "Name of the setting" - - setting: - usage: "GAUGE" - description: "Setting value" - - pg_extensions: - query: | - SELECT - current_database() as datname, - name as extname, - default_version, - installed_version, - CASE - WHEN default_version = installed_version THEN 0 - ELSE 1 - END AS update_available - FROM pg_catalog.pg_available_extensions - WHERE installed_version IS NOT NULL - metrics: - - datname: - usage: "LABEL" - description: "Name of the database" - - extname: - usage: "LABEL" - description: "Extension name" - - default_version: - usage: "LABEL" - description: "Default version" - - installed_version: - usage: "LABEL" - description: "Installed version" - - update_available: - usage: "GAUGE" - description: "An update is available" - target_databases: - - '*' ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/configmap.yaml -apiVersion: v1 -data: - SIDECAR_IMAGE: "ghcr.io/cloudnative-pg/plugin-barman-cloud-sidecar:v0.9.0" -kind: ConfigMap -metadata: - name: plugin-barman-cloud-config - namespace: cloudnative-pg ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/crds/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - 
annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: backups.postgresql.cnpg.io -spec: - group: postgresql.cnpg.io - names: - kind: Backup - listKind: BackupList - plural: backups - singular: backup - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.cluster.name - name: Cluster - type: string - - jsonPath: .spec.method - name: Method - type: string - - jsonPath: .status.phase - name: Phase - type: string - - jsonPath: .status.error - name: Error - type: string - name: v1 - schema: - openAPIV3Schema: - description: A Backup resource is a request for a PostgreSQL backup by the - user. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Specification of the desired behavior of the backup. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - cluster: - description: The cluster to backup - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - method: - default: barmanObjectStore - description: |- - The backup method to be used, possible options are `barmanObjectStore`, - `volumeSnapshot` or `plugin`. 
Defaults to: `barmanObjectStore`. - enum: - - barmanObjectStore - - volumeSnapshot - - plugin - type: string - online: - description: |- - Whether the default type of backup with volume snapshots is - online/hot (`true`, default) or offline/cold (`false`) - Overrides the default setting specified in the cluster field '.spec.backup.volumeSnapshot.online' - type: boolean - onlineConfiguration: - description: |- - Configuration parameters to control the online/hot backup with volume snapshots - Overrides the default settings specified in the cluster '.backup.volumeSnapshot.onlineConfiguration' stanza - properties: - immediateCheckpoint: - description: |- - Control whether the I/O workload for the backup initial checkpoint will - be limited, according to the `checkpoint_completion_target` setting on - the PostgreSQL server. If set to true, an immediate checkpoint will be - used, meaning PostgreSQL will complete the checkpoint as soon as - possible. `false` by default. - type: boolean - waitForArchive: - default: true - description: |- - If false, the function will return immediately after the backup is completed, - without waiting for WAL to be archived. - This behavior is only useful with backup software that independently monitors WAL archiving. - Otherwise, WAL required to make the backup consistent might be missing and make the backup useless. - By default, or when this parameter is true, pg_backup_stop will wait for WAL to be archived when archiving is - enabled. - On a standby, this means that it will wait only when archive_mode = always. - If write activity on the primary is low, it may be useful to run pg_switch_wal on the primary in order to trigger - an immediate segment switch. 
- type: boolean - type: object - pluginConfiguration: - description: Configuration parameters passed to the plugin managing - this backup - properties: - name: - description: Name is the name of the plugin managing this backup - type: string - parameters: - additionalProperties: - type: string - description: |- - Parameters are the configuration parameters passed to the backup - plugin for this backup - type: object - required: - - name - type: object - target: - description: |- - The policy to decide which instance should perform this backup. If empty, - it defaults to `cluster.spec.backup.target`. - Available options are empty string, `primary` and `prefer-standby`. - `primary` to have backups run always on primary instances, - `prefer-standby` to have backups run preferably on the most updated - standby, if available. - enum: - - primary - - prefer-standby - type: string - required: - - cluster - type: object - x-kubernetes-validations: - - message: BackupSpec is immutable once set - rule: oldSelf == self - status: - description: |- - Most recently observed status of the backup. This data may not be up to - date. Populated by the system. Read-only. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - azureCredentials: - description: The credentials to use to upload data to Azure Blob Storage - properties: - connectionString: - description: The connection string to be used - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - inheritFromAzureAD: - description: Use the Azure AD based authentication without providing - explicitly the keys. - type: boolean - storageAccount: - description: The storage account where to upload data - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. 
- type: string - required: - - key - - name - type: object - storageKey: - description: |- - The storage account key to be used in conjunction - with the storage account name - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - storageSasToken: - description: |- - A shared-access-signature to be used in conjunction with - the storage account name - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - type: object - backupId: - description: The ID of the Barman backup - type: string - backupLabelFile: - description: Backup label file content as returned by Postgres in - case of online (hot) backups - format: byte - type: string - backupName: - description: The Name of the Barman backup - type: string - beginLSN: - description: The starting xlog - type: string - beginWal: - description: The starting WAL - type: string - commandError: - description: The backup command output in case of error - type: string - commandOutput: - description: Unused. Retained for compatibility with old versions. - type: string - destinationPath: - description: |- - The path where to store the backup (i.e. s3://bucket/path/to/folder) - this path, with different destination folders, will be used for WALs - and for data. This may not be populated in case of errors. - type: string - encryption: - description: Encryption method required to S3 API - type: string - endLSN: - description: The ending xlog - type: string - endWal: - description: The ending WAL - type: string - endpointCA: - description: |- - EndpointCA store the CA bundle of the barman endpoint. - Useful when using self-signed certificates to avoid - errors with certificate issuer and barman-cloud-wal-archive. 
- properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - endpointURL: - description: |- - Endpoint to be used to upload data to the cloud, - overriding the automatic endpoint discovery - type: string - error: - description: The detected error - type: string - googleCredentials: - description: The credentials to use to upload data to Google Cloud - Storage - properties: - applicationCredentials: - description: The secret containing the Google Cloud Storage JSON - file with the credentials - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - gkeEnvironment: - description: |- - If set to true, will presume that it's running inside a GKE environment, - default to false. - type: boolean - type: object - instanceID: - description: Information to identify the instance where the backup - has been taken from - properties: - ContainerID: - description: The container ID - type: string - podName: - description: The pod name - type: string - type: object - majorVersion: - description: |- - The PostgreSQL major version that was running when the - backup was taken. - type: integer - method: - description: The backup method being used - type: string - online: - description: Whether the backup was online/hot (`true`) or offline/cold - (`false`) - type: boolean - phase: - description: The last backup status - type: string - pluginMetadata: - additionalProperties: - type: string - description: A map containing the plugin metadata - type: object - s3Credentials: - description: The credentials to use to upload data to S3 - properties: - accessKeyId: - description: The reference to the access key id - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. 
- type: string - required: - - key - - name - type: object - inheritFromIAMRole: - description: Use the role based authentication without providing - explicitly the keys. - type: boolean - region: - description: The reference to the secret containing the region - name - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - secretAccessKey: - description: The reference to the secret access key - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - sessionToken: - description: The references to the session key - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - type: object - serverName: - description: |- - The server name on S3, the cluster name is used if this - parameter is omitted - type: string - snapshotBackupStatus: - description: Status of the volumeSnapshot backup - properties: - elements: - description: The elements list, populated with the gathered volume - snapshots - items: - description: BackupSnapshotElementStatus is a volume snapshot - that is part of a volume snapshot method backup - properties: - name: - description: Name is the snapshot resource name - type: string - tablespaceName: - description: |- - TablespaceName is the name of the snapshotted tablespace. 
Only set - when type is PG_TABLESPACE - type: string - type: - description: Type is tho role of the snapshot in the cluster, - such as PG_DATA, PG_WAL and PG_TABLESPACE - type: string - required: - - name - - type - type: object - type: array - type: object - startedAt: - description: When the backup was started - format: date-time - type: string - stoppedAt: - description: When the backup was terminated - format: date-time - type: string - tablespaceMapFile: - description: Tablespace map file content as returned by Postgres in - case of online (hot) backups - format: byte - type: string - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/crds/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: clusterimagecatalogs.postgresql.cnpg.io -spec: - group: postgresql.cnpg.io - names: - kind: ClusterImageCatalog - listKind: ClusterImageCatalogList - plural: clusterimagecatalogs - singular: clusterimagecatalog - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterImageCatalog is the Schema for the clusterimagecatalogs - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. 
- Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Specification of the desired behavior of the ClusterImageCatalog. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - images: - description: List of CatalogImages available in the catalog - items: - description: CatalogImage defines the image and major version - properties: - image: - description: The image reference - type: string - major: - description: The PostgreSQL major version of the image. Must - be unique within the catalog. - minimum: 10 - type: integer - required: - - image - - major - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-validations: - - message: Images must have unique major versions - rule: self.all(e, self.filter(f, f.major==e.major).size() == 1) - required: - - images - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: {} ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/crds/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: clusters.postgresql.cnpg.io -spec: - group: postgresql.cnpg.io - names: - kind: Cluster - listKind: ClusterList - plural: clusters - singular: cluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Number of instances - jsonPath: .status.instances - name: Instances - type: integer - - description: Number of ready instances - jsonPath: .status.readyInstances - name: Ready - type: integer - - description: Cluster current status - jsonPath: .status.phase - name: Status - type: string - - description: 
Primary pod - jsonPath: .status.currentPrimary - name: Primary - type: string - name: v1 - schema: - openAPIV3Schema: - description: |- - Cluster defines the API schema for a highly available PostgreSQL database cluster - managed by CloudNativePG. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Specification of the desired behavior of the cluster. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - affinity: - description: Affinity/Anti-affinity rules for Pods - properties: - additionalPodAffinity: - description: AdditionalPodAffinity allows to specify pod affinity - terms to be passed to all the cluster's pods. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. 
The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - additionalPodAntiAffinity: - description: |- - AdditionalPodAntiAffinity allows to specify pod anti-affinity terms to be added to the ones generated - by the operator if EnablePodAntiAffinity is set to true (default) or to be used exclusively if set to false. 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
- Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. 
The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - enablePodAntiAffinity: - description: |- - Activates anti-affinity for the pods. The operator will define pods - anti-affinity unless this field is explicitly set to false - type: boolean - nodeAffinity: - description: |- - NodeAffinity describes node affinity scheduling rules for the pod. - More info: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the - corresponding weight. 
- properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding - nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - nodeSelector: - additionalProperties: - type: string - description: |- - NodeSelector is map of key-value pairs used to define the nodes on which - the pods can run. 
- More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - type: object - podAntiAffinityType: - description: |- - PodAntiAffinityType allows the user to decide whether pod anti-affinity between cluster instance has to be - considered a strong requirement during scheduling or not. Allowed values are: "preferred" (default if empty) or - "required". Setting it to "required", could lead to instances remaining pending until new kubernetes nodes are - added if all the existing nodes don't match the required pod anti-affinity rule. - More info: - https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - type: string - tolerations: - description: |- - Tolerations is a list of Tolerations that should be set for all the pods, in order to allow them to run - on tainted nodes. - More info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. 
- type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologyKey: - description: |- - TopologyKey to use for anti-affinity configuration. See k8s documentation - for more info on that - type: string - type: object - backup: - description: The configuration to be used for backups - properties: - barmanObjectStore: - description: The configuration for the barman-cloud tool suite - properties: - azureCredentials: - description: The credentials to use to upload data to Azure - Blob Storage - properties: - connectionString: - description: The connection string to be used - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - inheritFromAzureAD: - description: Use the Azure AD based authentication without - providing explicitly the keys. - type: boolean - storageAccount: - description: The storage account where to upload data - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - storageKey: - description: |- - The storage account key to be used in conjunction - with the storage account name - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. 
- type: string - required: - - key - - name - type: object - storageSasToken: - description: |- - A shared-access-signature to be used in conjunction with - the storage account name - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - type: object - data: - description: |- - The configuration to be used to backup the data files - When not defined, base backups files will be stored uncompressed and may - be unencrypted in the object store, according to the bucket default - policy. - properties: - additionalCommandArgs: - description: |- - AdditionalCommandArgs represents additional arguments that can be appended - to the 'barman-cloud-backup' command-line invocation. These arguments - provide flexibility to customize the backup process further according to - specific requirements or configurations. - - Example: - In a scenario where specialized backup options are required, such as setting - a specific timeout or defining custom behavior, users can use this field - to specify additional command arguments. - - Note: - It's essential to ensure that the provided arguments are valid and supported - by the 'barman-cloud-backup' command, to avoid potential errors or unintended - behavior during execution. - items: - type: string - type: array - compression: - description: |- - Compress a backup file (a tar file per tablespace) while streaming it - to the object store. Available options are empty string (no - compression, default), `gzip`, `bzip2`, and `snappy`. - enum: - - bzip2 - - gzip - - snappy - type: string - encryption: - description: |- - Whenever to force the encryption of files (if the bucket is - not already configured for that). 
- Allowed options are empty string (use the bucket policy, default), - `AES256` and `aws:kms` - enum: - - AES256 - - aws:kms - type: string - immediateCheckpoint: - description: |- - Control whether the I/O workload for the backup initial checkpoint will - be limited, according to the `checkpoint_completion_target` setting on - the PostgreSQL server. If set to true, an immediate checkpoint will be - used, meaning PostgreSQL will complete the checkpoint as soon as - possible. `false` by default. - type: boolean - jobs: - description: |- - The number of parallel jobs to be used to upload the backup, defaults - to 2 - format: int32 - minimum: 1 - type: integer - type: object - destinationPath: - description: |- - The path where to store the backup (i.e. s3://bucket/path/to/folder) - this path, with different destination folders, will be used for WALs - and for data - minLength: 1 - type: string - endpointCA: - description: |- - EndpointCA store the CA bundle of the barman endpoint. - Useful when using self-signed certificates to avoid - errors with certificate issuer and barman-cloud-wal-archive - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - endpointURL: - description: |- - Endpoint to be used to upload data to the cloud, - overriding the automatic endpoint discovery - type: string - googleCredentials: - description: The credentials to use to upload data to Google - Cloud Storage - properties: - applicationCredentials: - description: The secret containing the Google Cloud Storage - JSON file with the credentials - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - gkeEnvironment: - description: |- - If set to true, will presume that it's running inside a GKE environment, - default to false. 
- type: boolean - type: object - historyTags: - additionalProperties: - type: string - description: |- - HistoryTags is a list of key value pairs that will be passed to the - Barman --history-tags option. - type: object - s3Credentials: - description: The credentials to use to upload data to S3 - properties: - accessKeyId: - description: The reference to the access key id - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - inheritFromIAMRole: - description: Use the role based authentication without - providing explicitly the keys. - type: boolean - region: - description: The reference to the secret containing the - region name - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - secretAccessKey: - description: The reference to the secret access key - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - sessionToken: - description: The references to the session key - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - type: object - serverName: - description: |- - The server name on S3, the cluster name is used if this - parameter is omitted - type: string - tags: - additionalProperties: - type: string - description: |- - Tags is a list of key value pairs that will be passed to the - Barman --tags option. - type: object - wal: - description: |- - The configuration for the backup of the WAL stream. - When not defined, WAL files will be stored uncompressed and may be - unencrypted in the object store, according to the bucket default policy. 
- properties: - archiveAdditionalCommandArgs: - description: |- - Additional arguments that can be appended to the 'barman-cloud-wal-archive' - command-line invocation. These arguments provide flexibility to customize - the WAL archive process further, according to specific requirements or configurations. - - Example: - In a scenario where specialized backup options are required, such as setting - a specific timeout or defining custom behavior, users can use this field - to specify additional command arguments. - - Note: - It's essential to ensure that the provided arguments are valid and supported - by the 'barman-cloud-wal-archive' command, to avoid potential errors or unintended - behavior during execution. - items: - type: string - type: array - compression: - description: |- - Compress a WAL file before sending it to the object store. Available - options are empty string (no compression, default), `gzip`, `bzip2`, - `lz4`, `snappy`, `xz`, and `zstd`. - enum: - - bzip2 - - gzip - - lz4 - - snappy - - xz - - zstd - type: string - encryption: - description: |- - Whenever to force the encryption of files (if the bucket is - not already configured for that). - Allowed options are empty string (use the bucket policy, default), - `AES256` and `aws:kms` - enum: - - AES256 - - aws:kms - type: string - maxParallel: - description: |- - Number of WAL files to be either archived in parallel (when the - PostgreSQL instance is archiving to a backup object store) or - restored in parallel (when a PostgreSQL standby is fetching WAL - files from a recovery object store). If not specified, WAL files - will be processed one at a time. It accepts a positive integer as a - value - with 1 being the minimum accepted value. - minimum: 1 - type: integer - restoreAdditionalCommandArgs: - description: |- - Additional arguments that can be appended to the 'barman-cloud-wal-restore' - command-line invocation. 
These arguments provide flexibility to customize - the WAL restore process further, according to specific requirements or configurations. - - Example: - In a scenario where specialized backup options are required, such as setting - a specific timeout or defining custom behavior, users can use this field - to specify additional command arguments. - - Note: - It's essential to ensure that the provided arguments are valid and supported - by the 'barman-cloud-wal-restore' command, to avoid potential errors or unintended - behavior during execution. - items: - type: string - type: array - type: object - required: - - destinationPath - type: object - retentionPolicy: - description: |- - RetentionPolicy is the retention policy to be used for backups - and WALs (i.e. '60d'). The retention policy is expressed in the form - of `XXu` where `XX` is a positive integer and `u` is in `[dwm]` - - days, weeks, months. - It's currently only applicable when using the BarmanObjectStore method. - pattern: ^[1-9][0-9]*[dwm]$ - type: string - target: - default: prefer-standby - description: |- - The policy to decide which instance should perform backups. Available - options are empty string, which will default to `prefer-standby` policy, - `primary` to have backups run always on primary instances, `prefer-standby` - to have backups run preferably on the most updated standby, if available. - enum: - - primary - - prefer-standby - type: string - volumeSnapshot: - description: VolumeSnapshot provides the configuration for the - execution of volume snapshot backups. - properties: - annotations: - additionalProperties: - type: string - description: Annotations key-value pairs that will be added - to .metadata.annotations snapshot resources. - type: object - className: - description: |- - ClassName specifies the Snapshot Class to be used for PG_DATA PersistentVolumeClaim. 
- It is the default class for the other types if no specific class is present - type: string - labels: - additionalProperties: - type: string - description: Labels are key-value pairs that will be added - to .metadata.labels snapshot resources. - type: object - online: - default: true - description: |- - Whether the default type of backup with volume snapshots is - online/hot (`true`, default) or offline/cold (`false`) - type: boolean - onlineConfiguration: - default: - immediateCheckpoint: false - waitForArchive: true - description: Configuration parameters to control the online/hot - backup with volume snapshots - properties: - immediateCheckpoint: - description: |- - Control whether the I/O workload for the backup initial checkpoint will - be limited, according to the `checkpoint_completion_target` setting on - the PostgreSQL server. If set to true, an immediate checkpoint will be - used, meaning PostgreSQL will complete the checkpoint as soon as - possible. `false` by default. - type: boolean - waitForArchive: - default: true - description: |- - If false, the function will return immediately after the backup is completed, - without waiting for WAL to be archived. - This behavior is only useful with backup software that independently monitors WAL archiving. - Otherwise, WAL required to make the backup consistent might be missing and make the backup useless. - By default, or when this parameter is true, pg_backup_stop will wait for WAL to be archived when archiving is - enabled. - On a standby, this means that it will wait only when archive_mode = always. - If write activity on the primary is low, it may be useful to run pg_switch_wal on the primary in order to trigger - an immediate segment switch. 
- type: boolean - type: object - snapshotOwnerReference: - default: none - description: SnapshotOwnerReference indicates the type of - owner reference the snapshot should have - enum: - - none - - cluster - - backup - type: string - tablespaceClassName: - additionalProperties: - type: string - description: |- - TablespaceClassName specifies the Snapshot Class to be used for the tablespaces. - defaults to the PGDATA Snapshot Class, if set - type: object - walClassName: - description: WalClassName specifies the Snapshot Class to - be used for the PG_WAL PersistentVolumeClaim. - type: string - type: object - type: object - bootstrap: - description: Instructions to bootstrap this cluster - properties: - initdb: - description: Bootstrap the cluster via initdb - properties: - builtinLocale: - description: |- - Specifies the locale name when the builtin provider is used. - This option requires `localeProvider` to be set to `builtin`. - Available from PostgreSQL 17. - type: string - dataChecksums: - description: |- - Whether the `-k` option should be passed to initdb, - enabling checksums on data pages (default: `false`) - type: boolean - database: - description: 'Name of the database used by the application. - Default: `app`.' - type: string - encoding: - description: The value to be passed as option `--encoding` - for initdb (default:`UTF8`) - type: string - icuLocale: - description: |- - Specifies the ICU locale when the ICU provider is used. - This option requires `localeProvider` to be set to `icu`. - Available from PostgreSQL 15. - type: string - icuRules: - description: |- - Specifies additional collation rules to customize the behavior of the default collation. - This option requires `localeProvider` to be set to `icu`. - Available from PostgreSQL 16. 
- type: string - import: - description: |- - Bootstraps the new cluster by importing data from an existing PostgreSQL - instance using logical backup (`pg_dump` and `pg_restore`) - properties: - databases: - description: The databases to import - items: - type: string - type: array - pgDumpExtraOptions: - description: |- - List of custom options to pass to the `pg_dump` command. IMPORTANT: - Use these options with caution and at your own risk, as the operator - does not validate their content. Be aware that certain options may - conflict with the operator's intended functionality or design. - items: - type: string - type: array - pgRestoreExtraOptions: - description: |- - List of custom options to pass to the `pg_restore` command. IMPORTANT: - Use these options with caution and at your own risk, as the operator - does not validate their content. Be aware that certain options may - conflict with the operator's intended functionality or design. - items: - type: string - type: array - postImportApplicationSQL: - description: |- - List of SQL queries to be executed as a superuser in the application - database right after is imported - to be used with extreme care - (by default empty). Only available in microservice type. - items: - type: string - type: array - roles: - description: The roles to import - items: - type: string - type: array - schemaOnly: - description: |- - When set to true, only the `pre-data` and `post-data` sections of - `pg_restore` are invoked, avoiding data import. Default: `false`. - type: boolean - source: - description: The source of the import - properties: - externalCluster: - description: The name of the externalCluster used - for import - type: string - required: - - externalCluster - type: object - type: - description: The import type. Can be `microservice` or - `monolith`. 
- enum: - - microservice - - monolith - type: string - required: - - databases - - source - - type - type: object - locale: - description: Sets the default collation order and character - classification in the new database. - type: string - localeCType: - description: The value to be passed as option `--lc-ctype` - for initdb (default:`C`) - type: string - localeCollate: - description: The value to be passed as option `--lc-collate` - for initdb (default:`C`) - type: string - localeProvider: - description: |- - This option sets the locale provider for databases created in the new cluster. - Available from PostgreSQL 16. - type: string - options: - description: |- - The list of options that must be passed to initdb when creating the cluster. - Deprecated: This could lead to inconsistent configurations, - please use the explicit provided parameters instead. - If defined, explicit values will be ignored. - items: - type: string - type: array - owner: - description: |- - Name of the owner of the database in the instance to be used - by applications. Defaults to the value of the `database` key. - type: string - postInitApplicationSQL: - description: |- - List of SQL queries to be executed as a superuser in the application - database right after the cluster has been created - to be used with extreme care - (by default empty) - items: - type: string - type: array - postInitApplicationSQLRefs: - description: |- - List of references to ConfigMaps or Secrets containing SQL files - to be executed as a superuser in the application database right after - the cluster has been created. The references are processed in a specific order: - first, all Secrets are processed, followed by all ConfigMaps. - Within each group, the processing order follows the sequence specified - in their respective arrays. 
- (by default empty) - properties: - configMapRefs: - description: ConfigMapRefs holds a list of references - to ConfigMaps - items: - description: |- - ConfigMapKeySelector contains enough information to let you locate - the key of a ConfigMap - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - type: array - secretRefs: - description: SecretRefs holds a list of references to - Secrets - items: - description: |- - SecretKeySelector contains enough information to let you locate - the key of a Secret - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - type: array - type: object - postInitSQL: - description: |- - List of SQL queries to be executed as a superuser in the `postgres` - database right after the cluster has been created - to be used with extreme care - (by default empty) - items: - type: string - type: array - postInitSQLRefs: - description: |- - List of references to ConfigMaps or Secrets containing SQL files - to be executed as a superuser in the `postgres` database right after - the cluster has been created. The references are processed in a specific order: - first, all Secrets are processed, followed by all ConfigMaps. - Within each group, the processing order follows the sequence specified - in their respective arrays. - (by default empty) - properties: - configMapRefs: - description: ConfigMapRefs holds a list of references - to ConfigMaps - items: - description: |- - ConfigMapKeySelector contains enough information to let you locate - the key of a ConfigMap - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. 
- type: string - required: - - key - - name - type: object - type: array - secretRefs: - description: SecretRefs holds a list of references to - Secrets - items: - description: |- - SecretKeySelector contains enough information to let you locate - the key of a Secret - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - type: array - type: object - postInitTemplateSQL: - description: |- - List of SQL queries to be executed as a superuser in the `template1` - database right after the cluster has been created - to be used with extreme care - (by default empty) - items: - type: string - type: array - postInitTemplateSQLRefs: - description: |- - List of references to ConfigMaps or Secrets containing SQL files - to be executed as a superuser in the `template1` database right after - the cluster has been created. The references are processed in a specific order: - first, all Secrets are processed, followed by all ConfigMaps. - Within each group, the processing order follows the sequence specified - in their respective arrays. - (by default empty) - properties: - configMapRefs: - description: ConfigMapRefs holds a list of references - to ConfigMaps - items: - description: |- - ConfigMapKeySelector contains enough information to let you locate - the key of a ConfigMap - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - type: array - secretRefs: - description: SecretRefs holds a list of references to - Secrets - items: - description: |- - SecretKeySelector contains enough information to let you locate - the key of a Secret - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. 
- type: string - required: - - key - - name - type: object - type: array - type: object - secret: - description: |- - Name of the secret containing the initial credentials for the - owner of the user database. If empty a new secret will be - created from scratch - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - walSegmentSize: - description: |- - The value in megabytes (1 to 1024) to be passed to the `--wal-segsize` - option for initdb (default: empty, resulting in PostgreSQL default: 16MB) - maximum: 1024 - minimum: 1 - type: integer - type: object - x-kubernetes-validations: - - message: builtinLocale is only available when localeProvider - is set to `builtin` - rule: '!has(self.builtinLocale) || self.localeProvider == ''builtin''' - - message: icuLocale is only available when localeProvider is - set to `icu` - rule: '!has(self.icuLocale) || self.localeProvider == ''icu''' - - message: icuRules is only available when localeProvider is set - to `icu` - rule: '!has(self.icuRules) || self.localeProvider == ''icu''' - pg_basebackup: - description: |- - Bootstrap the cluster taking a physical backup of another compatible - PostgreSQL instance - properties: - database: - description: 'Name of the database used by the application. - Default: `app`.' - type: string - owner: - description: |- - Name of the owner of the database in the instance to be used - by applications. Defaults to the value of the `database` key. - type: string - secret: - description: |- - Name of the secret containing the initial credentials for the - owner of the user database. If empty a new secret will be - created from scratch - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - source: - description: The name of the server of which we need to take - a physical backup - minLength: 1 - type: string - required: - - source - type: object - recovery: - description: Bootstrap the cluster from a backup - properties: - backup: - description: |- - The backup object containing the physical base backup from which to - initiate the recovery procedure. - Mutually exclusive with `source` and `volumeSnapshots`. - properties: - endpointCA: - description: |- - EndpointCA store the CA bundle of the barman endpoint. - Useful when using self-signed certificates to avoid - errors with certificate issuer and barman-cloud-wal-archive. - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - name: - description: Name of the referent. - type: string - required: - - name - type: object - database: - description: 'Name of the database used by the application. - Default: `app`.' - type: string - owner: - description: |- - Name of the owner of the database in the instance to be used - by applications. Defaults to the value of the `database` key. - type: string - recoveryTarget: - description: |- - By default, the recovery process applies all the available - WAL files in the archive (full recovery). However, you can also - end the recovery as soon as a consistent state is reached or - recover to a point-in-time (PITR) by specifying a `RecoveryTarget` object, - as expected by PostgreSQL (i.e., timestamp, transaction Id, LSN, ...). - More info: https://www.postgresql.org/docs/current/runtime-config-wal.html#RUNTIME-CONFIG-WAL-RECOVERY-TARGET - properties: - backupID: - description: |- - The ID of the backup from which to start the recovery process. - If empty (default) the operator will automatically detect the backup - based on targetTime or targetLSN if specified. 
Otherwise use the - latest available backup in chronological order. - type: string - exclusive: - description: |- - Set the target to be exclusive. If omitted, defaults to false, so that - in Postgres, `recovery_target_inclusive` will be true - type: boolean - targetImmediate: - description: End recovery as soon as a consistent state - is reached - type: boolean - targetLSN: - description: The target LSN (Log Sequence Number) - type: string - targetName: - description: |- - The target name (to be previously created - with `pg_create_restore_point`) - type: string - targetTLI: - description: The target timeline ("latest" or a positive - integer) - type: string - targetTime: - description: The target time as a timestamp in the RFC3339 - standard - type: string - targetXID: - description: The target transaction ID - type: string - type: object - secret: - description: |- - Name of the secret containing the initial credentials for the - owner of the user database. If empty a new secret will be - created from scratch - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - source: - description: |- - The external cluster whose backup we will restore. This is also - used as the name of the folder under which the backup is stored, - so it must be set to the name of the source cluster - Mutually exclusive with `backup`. - type: string - volumeSnapshots: - description: |- - The static PVC data source(s) from which to initiate the - recovery procedure. Currently supporting `VolumeSnapshot` - and `PersistentVolumeClaim` resources that map an existing - PVC group, compatible with CloudNativePG, and taken with - a cold backup copy on a fenced Postgres instance (limitation - which will be removed in the future when online backup - will be implemented). - Mutually exclusive with `backup`. 
- properties: - storage: - description: Configuration of the storage of the instances - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - tablespaceStorage: - additionalProperties: - description: |- - TypedLocalObjectReference contains enough information to let you locate the - typed referenced object inside the same namespace. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - description: Configuration of the storage for PostgreSQL - tablespaces - type: object - walStorage: - description: Configuration of the storage for PostgreSQL - WAL (Write-Ahead Log) - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. 
- type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - required: - - storage - type: object - type: object - type: object - certificates: - description: The configuration for the CA and related certificates - properties: - clientCASecret: - description: |- - The secret containing the Client CA certificate. If not defined, a new secret will be created - with a self-signed CA and will be used to generate all the client certificates.
-
- Contains:
-
- - `ca.crt`: CA that should be used to validate the client certificates, - used as `ssl_ca_file` of all the instances.
- - `ca.key`: key used to generate client certificates, if ReplicationTLSSecret is provided, - this can be omitted.
- type: string - replicationTLSSecret: - description: |- - The secret of type kubernetes.io/tls containing the client certificate to authenticate as - the `streaming_replica` user. - If not defined, ClientCASecret must provide also `ca.key`, and a new secret will be - created using the provided CA. - type: string - serverAltDNSNames: - description: The list of the server alternative DNS names to be - added to the generated server TLS certificates, when required. - items: - type: string - type: array - serverCASecret: - description: |- - The secret containing the Server CA certificate. If not defined, a new secret will be created - with a self-signed CA and will be used to generate the TLS certificate ServerTLSSecret.
-
- Contains:
-
- - `ca.crt`: CA that should be used to validate the server certificate, - used as `sslrootcert` in client connection strings.
- - `ca.key`: key used to generate Server SSL certs, if ServerTLSSecret is provided, - this can be omitted.
- type: string - serverTLSSecret: - description: |- - The secret of type kubernetes.io/tls containing the server TLS certificate and key that will be set as - `ssl_cert_file` and `ssl_key_file` so that clients can connect to postgres securely. - If not defined, ServerCASecret must provide also `ca.key` and a new secret will be - created using the provided CA. - type: string - type: object - description: - description: Description of this PostgreSQL cluster - type: string - enablePDB: - default: true - description: |- - Manage the `PodDisruptionBudget` resources within the cluster. When - configured as `true` (default setting), the pod disruption budgets - will safeguard the primary node from being terminated. Conversely, - setting it to `false` will result in the absence of any - `PodDisruptionBudget` resource, permitting the shutdown of all nodes - hosting the PostgreSQL cluster. This latter configuration is - advisable for any PostgreSQL cluster employed for - development/staging purposes. - type: boolean - enableSuperuserAccess: - default: false - description: |- - When this option is enabled, the operator will use the `SuperuserSecret` - to update the `postgres` user password (if the secret is - not present, the operator will automatically create one). When this - option is disabled, the operator will ignore the `SuperuserSecret` content, delete - it when automatically created, and then blank the password of the `postgres` - user by setting it to `NULL`. Disabled by default. - type: boolean - env: - description: |- - Env follows the Env format to pass environment variables - to the pods created in the cluster - items: - description: EnvVar represents an environment variable present in - a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. 
- type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. Cannot - be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath is - written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. 
- Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. - If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount containing - the env file. - type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
- properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed - resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - envFrom: - description: |- - EnvFrom follows the EnvFrom format to pass environment variables - sources to the pods to be used by Env - items: - description: EnvFromSource represents the source of a set of ConfigMaps - or Secrets - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - description: |- - Optional text to prepend to the name of each environment variable. - May consist of any printable ASCII characters except '='. - type: string - secretRef: - description: The Secret to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - ephemeralVolumeSource: - description: EphemeralVolumeSource allows the user to configure the - source of ephemeral volumes. - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. 
Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. 
- type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. 
- If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to - consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the - PersistentVolume backing this claim. 
- type: string - type: object - required: - - spec - type: object - type: object - ephemeralVolumesSizeLimit: - description: |- - EphemeralVolumesSizeLimit allows the user to set the limits for the ephemeral - volumes - properties: - shm: - anyOf: - - type: integer - - type: string - description: Shm is the size limit of the shared memory volume - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - temporaryData: - anyOf: - - type: integer - - type: string - description: TemporaryData is the size limit of the temporary - data volume - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - externalClusters: - description: The list of external clusters which are used in the configuration - items: - description: |- - ExternalCluster represents the connection parameters to an - external cluster which is used in the other sections of the configuration - properties: - barmanObjectStore: - description: The configuration for the barman-cloud tool suite - properties: - azureCredentials: - description: The credentials to use to upload data to Azure - Blob Storage - properties: - connectionString: - description: The connection string to be used - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - inheritFromAzureAD: - description: Use the Azure AD based authentication without - providing explicitly the keys. - type: boolean - storageAccount: - description: The storage account where to upload data - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. 
- type: string - required: - - key - - name - type: object - storageKey: - description: |- - The storage account key to be used in conjunction - with the storage account name - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - storageSasToken: - description: |- - A shared-access-signature to be used in conjunction with - the storage account name - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - type: object - data: - description: |- - The configuration to be used to backup the data files - When not defined, base backups files will be stored uncompressed and may - be unencrypted in the object store, according to the bucket default - policy. - properties: - additionalCommandArgs: - description: |- - AdditionalCommandArgs represents additional arguments that can be appended - to the 'barman-cloud-backup' command-line invocation. These arguments - provide flexibility to customize the backup process further according to - specific requirements or configurations. - - Example: - In a scenario where specialized backup options are required, such as setting - a specific timeout or defining custom behavior, users can use this field - to specify additional command arguments. - - Note: - It's essential to ensure that the provided arguments are valid and supported - by the 'barman-cloud-backup' command, to avoid potential errors or unintended - behavior during execution. - items: - type: string - type: array - compression: - description: |- - Compress a backup file (a tar file per tablespace) while streaming it - to the object store. Available options are empty string (no - compression, default), `gzip`, `bzip2`, and `snappy`. 
- enum: - - bzip2 - - gzip - - snappy - type: string - encryption: - description: |- - Whenever to force the encryption of files (if the bucket is - not already configured for that). - Allowed options are empty string (use the bucket policy, default), - `AES256` and `aws:kms` - enum: - - AES256 - - aws:kms - type: string - immediateCheckpoint: - description: |- - Control whether the I/O workload for the backup initial checkpoint will - be limited, according to the `checkpoint_completion_target` setting on - the PostgreSQL server. If set to true, an immediate checkpoint will be - used, meaning PostgreSQL will complete the checkpoint as soon as - possible. `false` by default. - type: boolean - jobs: - description: |- - The number of parallel jobs to be used to upload the backup, defaults - to 2 - format: int32 - minimum: 1 - type: integer - type: object - destinationPath: - description: |- - The path where to store the backup (i.e. s3://bucket/path/to/folder) - this path, with different destination folders, will be used for WALs - and for data - minLength: 1 - type: string - endpointCA: - description: |- - EndpointCA store the CA bundle of the barman endpoint. - Useful when using self-signed certificates to avoid - errors with certificate issuer and barman-cloud-wal-archive - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - endpointURL: - description: |- - Endpoint to be used to upload data to the cloud, - overriding the automatic endpoint discovery - type: string - googleCredentials: - description: The credentials to use to upload data to Google - Cloud Storage - properties: - applicationCredentials: - description: The secret containing the Google Cloud - Storage JSON file with the credentials - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. 
- type: string - required: - - key - - name - type: object - gkeEnvironment: - description: |- - If set to true, will presume that it's running inside a GKE environment, - default to false. - type: boolean - type: object - historyTags: - additionalProperties: - type: string - description: |- - HistoryTags is a list of key value pairs that will be passed to the - Barman --history-tags option. - type: object - s3Credentials: - description: The credentials to use to upload data to S3 - properties: - accessKeyId: - description: The reference to the access key id - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - inheritFromIAMRole: - description: Use the role based authentication without - providing explicitly the keys. - type: boolean - region: - description: The reference to the secret containing - the region name - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - secretAccessKey: - description: The reference to the secret access key - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - sessionToken: - description: The references to the session key - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - type: object - serverName: - description: |- - The server name on S3, the cluster name is used if this - parameter is omitted - type: string - tags: - additionalProperties: - type: string - description: |- - Tags is a list of key value pairs that will be passed to the - Barman --tags option. - type: object - wal: - description: |- - The configuration for the backup of the WAL stream. 
- When not defined, WAL files will be stored uncompressed and may be - unencrypted in the object store, according to the bucket default policy. - properties: - archiveAdditionalCommandArgs: - description: |- - Additional arguments that can be appended to the 'barman-cloud-wal-archive' - command-line invocation. These arguments provide flexibility to customize - the WAL archive process further, according to specific requirements or configurations. - - Example: - In a scenario where specialized backup options are required, such as setting - a specific timeout or defining custom behavior, users can use this field - to specify additional command arguments. - - Note: - It's essential to ensure that the provided arguments are valid and supported - by the 'barman-cloud-wal-archive' command, to avoid potential errors or unintended - behavior during execution. - items: - type: string - type: array - compression: - description: |- - Compress a WAL file before sending it to the object store. Available - options are empty string (no compression, default), `gzip`, `bzip2`, - `lz4`, `snappy`, `xz`, and `zstd`. - enum: - - bzip2 - - gzip - - lz4 - - snappy - - xz - - zstd - type: string - encryption: - description: |- - Whenever to force the encryption of files (if the bucket is - not already configured for that). - Allowed options are empty string (use the bucket policy, default), - `AES256` and `aws:kms` - enum: - - AES256 - - aws:kms - type: string - maxParallel: - description: |- - Number of WAL files to be either archived in parallel (when the - PostgreSQL instance is archiving to a backup object store) or - restored in parallel (when a PostgreSQL standby is fetching WAL - files from a recovery object store). If not specified, WAL files - will be processed one at a time. It accepts a positive integer as a - value - with 1 being the minimum accepted value. 
- minimum: 1 - type: integer - restoreAdditionalCommandArgs: - description: |- - Additional arguments that can be appended to the 'barman-cloud-wal-restore' - command-line invocation. These arguments provide flexibility to customize - the WAL restore process further, according to specific requirements or configurations. - - Example: - In a scenario where specialized backup options are required, such as setting - a specific timeout or defining custom behavior, users can use this field - to specify additional command arguments. - - Note: - It's essential to ensure that the provided arguments are valid and supported - by the 'barman-cloud-wal-restore' command, to avoid potential errors or unintended - behavior during execution. - items: - type: string - type: array - type: object - required: - - destinationPath - type: object - connectionParameters: - additionalProperties: - type: string - description: The list of connection parameters, such as dbname, - host, username, etc - type: object - name: - description: The server name, required - type: string - password: - description: |- - The reference to the password to be used to connect to the server. - If a password is provided, CloudNativePG creates a PostgreSQL - passfile at `/controller/external/NAME/pass` (where "NAME" is the - cluster's name). This passfile is automatically referenced in the - connection string when establishing a connection to the remote - PostgreSQL server from the current PostgreSQL `Cluster`. This ensures - secure and efficient password management for external clusters. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - plugin: - description: |- - The configuration of the plugin that is taking care - of WAL archiving and backups for this external cluster - properties: - enabled: - default: true - description: Enabled is true if this plugin will be used - type: boolean - isWALArchiver: - default: false - description: |- - Marks the plugin as the WAL archiver. At most one plugin can be - designated as a WAL archiver. This cannot be enabled if the - `.spec.backup.barmanObjectStore` configuration is present. - type: boolean - name: - description: Name is the plugin name - type: string - parameters: - additionalProperties: - type: string - description: Parameters is the configuration of the plugin - type: object - required: - - name - type: object - sslCert: - description: |- - The reference to an SSL certificate to be used to connect to this - instance - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - sslKey: - description: |- - The reference to an SSL private key to be used to connect to this - instance - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - sslRootCert: - description: |- - The reference to an SSL CA public key to be used to connect to this - instance - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - name - type: object - type: array - failoverDelay: - default: 0 - description: |- - The amount of time (in seconds) to wait before triggering a failover - after the primary PostgreSQL instance in the cluster was detected - to be unhealthy - format: int32 - type: integer - imageCatalogRef: - description: Defines the major PostgreSQL version we want to use within - an ImageCatalog - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. 
- type: string - kind: - description: Kind is the type of resource being referenced - type: string - major: - description: The major version of PostgreSQL we want to use from - the ImageCatalog - type: integer - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - major - - name - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: Only image catalogs are supported - rule: self.kind == 'ImageCatalog' || self.kind == 'ClusterImageCatalog' - - message: Only image catalogs are supported - rule: self.apiGroup == 'postgresql.cnpg.io' - imageName: - description: |- - Name of the container image, supporting both tags (`:`) - and digests for deterministic and repeatable deployments - (`:@sha256:`) - type: string - imagePullPolicy: - description: |- - Image pull policy. - One of `Always`, `Never` or `IfNotPresent`. - If not defined, it defaults to `IfNotPresent`. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - type: string - imagePullSecrets: - description: The list of pull secrets to be used to pull the images - items: - description: |- - LocalObjectReference contains enough information to let you locate a - local object with a known type inside the same namespace - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - type: array - inheritedMetadata: - description: Metadata that will be inherited by all objects related - to the Cluster - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - instances: - default: 1 - description: Number of instances required in the cluster - minimum: 1 - type: integer - livenessProbeTimeout: - description: |- - LivenessProbeTimeout is the time (in seconds) that is allowed for a PostgreSQL instance - to successfully respond to the liveness probe (default 30). - The Liveness probe failure threshold is derived from this value using the formula: - ceiling(livenessProbe / 10). - format: int32 - type: integer - logLevel: - default: info - description: 'The instances'' log level, one of the following values: - error, warning, info (default), debug, trace' - enum: - - error - - warning - - info - - debug - - trace - type: string - managed: - description: The configuration that is used by the portions of PostgreSQL - that are managed by the instance manager - properties: - roles: - description: Database roles managed by the `Cluster` - items: - description: |- - RoleConfiguration is the representation, in Kubernetes, of a PostgreSQL role - with the additional field Ensure specifying whether to ensure the presence or - absence of the role in the database - - The defaults of the CREATE ROLE command are applied - Reference: https://www.postgresql.org/docs/current/sql-createrole.html - properties: - bypassrls: - description: |- - Whether a role bypasses every row-level security (RLS) policy. - Default is `false`. - type: boolean - comment: - description: Description of the role - type: string - connectionLimit: - default: -1 - description: |- - If the role can log in, this specifies how many concurrent - connections the role can make. `-1` (the default) means no limit. 
- format: int64 - type: integer - createdb: - description: |- - When set to `true`, the role being defined will be allowed to create - new databases. Specifying `false` (default) will deny a role the - ability to create databases. - type: boolean - createrole: - description: |- - Whether the role will be permitted to create, alter, drop, comment - on, change the security label for, and grant or revoke membership in - other roles. Default is `false`. - type: boolean - disablePassword: - description: DisablePassword indicates that a role's password - should be set to NULL in Postgres - type: boolean - ensure: - default: present - description: Ensure the role is `present` or `absent` - - defaults to "present" - enum: - - present - - absent - type: string - inRoles: - description: |- - List of one or more existing roles to which this role will be - immediately added as a new member. Default empty. - items: - type: string - type: array - inherit: - default: true - description: |- - Whether a role "inherits" the privileges of roles it is a member of. - Defaults is `true`. - type: boolean - login: - description: |- - Whether the role is allowed to log in. A role having the `login` - attribute can be thought of as a user. Roles without this attribute - are useful for managing database privileges, but are not users in - the usual sense of the word. Default is `false`. - type: boolean - name: - description: Name of the role - type: string - passwordSecret: - description: |- - Secret containing the password of the role (if present) - If null, the password will be ignored unless DisablePassword is set - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - replication: - description: |- - Whether a role is a replication role. 
A role must have this - attribute (or be a superuser) in order to be able to connect to the - server in replication mode (physical or logical replication) and in - order to be able to create or drop replication slots. A role having - the `replication` attribute is a very highly privileged role, and - should only be used on roles actually used for replication. Default - is `false`. - type: boolean - superuser: - description: |- - Whether the role is a `superuser` who can override all access - restrictions within the database - superuser status is dangerous and - should be used only when really needed. You must yourself be a - superuser to create a new superuser. Defaults is `false`. - type: boolean - validUntil: - description: |- - Date and time after which the role's password is no longer valid. - When omitted, the password will never expire (default). - format: date-time - type: string - required: - - name - type: object - type: array - services: - description: Services roles managed by the `Cluster` - properties: - additional: - description: Additional is a list of additional managed services - specified by the user. - items: - description: |- - ManagedService represents a specific service managed by the cluster. - It includes the type of service and its associated template specification. - properties: - selectorType: - description: |- - SelectorType specifies the type of selectors that the service will have. - Valid values are "rw", "r", and "ro", representing read-write, read, and read-only services. - enum: - - rw - - r - - ro - type: string - serviceTemplate: - description: ServiceTemplate is the template specification - for the service. - properties: - metadata: - description: |- - Standard object's metadata. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is an unstructured key value map stored with a resource that may be - set by external tools to store and retrieve arbitrary metadata. They are not - queryable and should be preserved when modifying objects. - More info: http://kubernetes.io/docs/user-guide/annotations - type: object - labels: - additionalProperties: - type: string - description: |- - Map of string keys and values that can be used to organize and categorize - (scope and select) objects. May match selectors of replication controllers - and services. - More info: http://kubernetes.io/docs/user-guide/labels - type: object - name: - description: The name of the resource. Only - supported for certain types - type: string - type: object - spec: - description: |- - Specification of the desired behavior of the service. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. 
This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. 
If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) 
The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. 
If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". 
Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. 
- More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information - on service's port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. 
changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed - by this service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. 
- type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains - the configurations of session affinity. - properties: - clientIP: - description: clientIP contains the configurations - of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic - is distributed to Service endpoints. Implementations can use this field - as a hint, but are not required to guarantee strict adherence. If the - field is not set, the implementation will apply its default routing - strategy. If set to "PreferClose", implementations should prioritize - endpoints that are in the same zone. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. 
Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - updateStrategy: - default: patch - description: UpdateStrategy describes how the service - differences should be reconciled - enum: - - patch - - replace - type: string - required: - - selectorType - - serviceTemplate - type: object - type: array - disabledDefaultServices: - description: |- - DisabledDefaultServices is a list of service types that are disabled by default. - Valid values are "r", and "ro", representing read, and read-only services. - items: - description: |- - ServiceSelectorType describes a valid value for generating the service selectors. - It indicates which type of service the selector applies to, such as read-write, read, or read-only - enum: - - rw - - r - - ro - type: string - type: array - type: object - type: object - maxSyncReplicas: - default: 0 - description: |- - The target value for the synchronous replication quorum, that can be - decreased if the number of ready standbys is lower than this. 
- Undefined or 0 disable synchronous replication. - minimum: 0 - type: integer - minSyncReplicas: - default: 0 - description: |- - Minimum number of instances required in synchronous replication with the - primary. Undefined or 0 allow writes to complete when no standby is - available. - minimum: 0 - type: integer - monitoring: - description: The configuration of the monitoring infrastructure of - this cluster - properties: - customQueriesConfigMap: - description: The list of config maps containing the custom queries - items: - description: |- - ConfigMapKeySelector contains enough information to let you locate - the key of a ConfigMap - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - type: array - customQueriesSecret: - description: The list of secrets containing the custom queries - items: - description: |- - SecretKeySelector contains enough information to let you locate - the key of a Secret - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - type: array - disableDefaultQueries: - default: false - description: |- - Whether the default queries should be injected. - Set it to `true` if you don't want to inject default queries into the cluster. - Default: false. - type: boolean - enablePodMonitor: - default: false - description: |- - Enable or disable the `PodMonitor` - - Deprecated: This feature will be removed in an upcoming release. If - you need this functionality, you can create a PodMonitor manually. - type: boolean - podMonitorMetricRelabelings: - description: |- - The list of metric relabelings for the `PodMonitor`. Applied to samples before ingestion. - - Deprecated: This feature will be removed in an upcoming release. If - you need this functionality, you can create a PodMonitor manually. 
- items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. 
- type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - podMonitorRelabelings: - description: |- - The list of relabelings for the `PodMonitor`. Applied to samples before scraping. - - Deprecated: This feature will be removed in an upcoming release. If - you need this functionality, you can create a PodMonitor manually. - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. 
- type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - tls: - description: |- - Configure TLS communication for the metrics endpoint. - Changing tls.enabled option will force a rollout of all instances. - properties: - enabled: - default: false - description: |- - Enable TLS for the monitoring endpoint. - Changing this option will force a rollout of all instances. - type: boolean - type: object - type: object - nodeMaintenanceWindow: - description: Define a maintenance window for the Kubernetes nodes - properties: - inProgress: - default: false - description: Is there a node maintenance activity in progress? 
- type: boolean - reusePVC: - default: true - description: |- - Reuse the existing PVC (wait for the node to come - up again) or not (recreate it elsewhere - when `instances` >1) - type: boolean - type: object - plugins: - description: |- - The plugins configuration, containing - any plugin to be loaded with the corresponding configuration - items: - description: |- - PluginConfiguration specifies a plugin that need to be loaded for this - cluster to be reconciled - properties: - enabled: - default: true - description: Enabled is true if this plugin will be used - type: boolean - isWALArchiver: - default: false - description: |- - Marks the plugin as the WAL archiver. At most one plugin can be - designated as a WAL archiver. This cannot be enabled if the - `.spec.backup.barmanObjectStore` configuration is present. - type: boolean - name: - description: Name is the plugin name - type: string - parameters: - additionalProperties: - type: string - description: Parameters is the configuration of the plugin - type: object - required: - - name - type: object - type: array - postgresGID: - default: 26 - description: The GID of the `postgres` user inside the image, defaults - to `26` - format: int64 - type: integer - postgresUID: - default: 26 - description: The UID of the `postgres` user inside the image, defaults - to `26` - format: int64 - type: integer - postgresql: - description: Configuration of the PostgreSQL server - properties: - enableAlterSystem: - description: |- - If this parameter is true, the user will be able to invoke `ALTER SYSTEM` - on this CloudNativePG Cluster. - This should only be used for debugging and troubleshooting. - Defaults to false. - type: boolean - extensions: - description: The configuration of the extensions to be added - items: - description: |- - ExtensionConfiguration is the configuration used to add - PostgreSQL extensions to the Cluster. 
- properties: - dynamic_library_path: - description: |- - The list of directories inside the image which should be added to dynamic_library_path. - If not defined, defaults to "/lib". - items: - type: string - type: array - extension_control_path: - description: |- - The list of directories inside the image which should be added to extension_control_path. - If not defined, defaults to "/share". - items: - type: string - type: array - image: - description: The image containing the extension, required - properties: - pullPolicy: - description: |- - Policy for pulling OCI objects. Possible values are: - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - type: string - reference: - description: |- - Required: Image or artifact reference to be used. - Behaves in the same way as pod.spec.containers[*].image. - Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - type: object - x-kubernetes-validations: - - message: An image reference is required - rule: has(self.reference) - ld_library_path: - description: The list of directories inside the image which - should be added to ld_library_path. 
- items: - type: string - type: array - name: - description: The name of the extension, required - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - image - - name - type: object - type: array - ldap: - description: Options to specify LDAP configuration - properties: - bindAsAuth: - description: Bind as authentication configuration - properties: - prefix: - description: Prefix for the bind authentication option - type: string - suffix: - description: Suffix for the bind authentication option - type: string - type: object - bindSearchAuth: - description: Bind+Search authentication configuration - properties: - baseDN: - description: Root DN to begin the user search - type: string - bindDN: - description: DN of the user to bind to the directory - type: string - bindPassword: - description: Secret with the password for the user to - bind to the directory - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - searchAttribute: - description: Attribute to match against the username - type: string - searchFilter: - description: Search filter to use when doing the search+bind - authentication - type: string - type: object - port: - description: LDAP server port - type: integer - scheme: - description: LDAP schema to be used, possible options are - `ldap` and `ldaps` - enum: - - ldap - - ldaps - type: string - server: - description: LDAP hostname or IP address - type: string - tls: - description: Set to 'true' to enable LDAP over TLS. 'false' - is default - type: boolean - type: object - parameters: - additionalProperties: - type: string - description: PostgreSQL configuration options (postgresql.conf) - type: object - pg_hba: - description: |- - PostgreSQL Host Based Authentication rules (lines to be appended - to the pg_hba.conf file) - items: - type: string - type: array - pg_ident: - description: |- - PostgreSQL User Name Maps rules (lines to be appended - to the pg_ident.conf file) - items: - type: string - type: array - promotionTimeout: - description: |- - Specifies the maximum number of seconds to wait when promoting an instance to primary. - Default value is 40000000, greater than one year in seconds, - big enough to simulate an infinite timeout - format: int32 - type: integer - shared_preload_libraries: - description: Lists of shared preload libraries to add to the default - ones - items: - type: string - type: array - syncReplicaElectionConstraint: - description: |- - Requirements to be met by sync replicas. This will affect how the "synchronous_standby_names" parameter will be - set up. 
- properties: - enabled: - description: This flag enables the constraints for sync replicas - type: boolean - nodeLabelsAntiAffinity: - description: A list of node labels values to extract and compare - to evaluate if the pods reside in the same topology or not - items: - type: string - type: array - required: - - enabled - type: object - synchronous: - description: Configuration of the PostgreSQL synchronous replication - feature - properties: - dataDurability: - description: |- - If set to "required", data durability is strictly enforced. Write operations - with synchronous commit settings (`on`, `remote_write`, or `remote_apply`) will - block if there are insufficient healthy replicas, ensuring data persistence. - If set to "preferred", data durability is maintained when healthy replicas - are available, but the required number of instances will adjust dynamically - if replicas become unavailable. This setting relaxes strict durability enforcement - to allow for operational continuity. This setting is only applicable if both - `standbyNamesPre` and `standbyNamesPost` are unset (empty). - enum: - - required - - preferred - type: string - maxStandbyNamesFromCluster: - description: |- - Specifies the maximum number of local cluster pods that can be - automatically included in the `synchronous_standby_names` option in - PostgreSQL. - type: integer - method: - description: |- - Method to select synchronous replication standbys from the listed - servers, accepting 'any' (quorum-based synchronous replication) or - 'first' (priority-based synchronous replication) as values. - enum: - - any - - first - type: string - number: - description: |- - Specifies the number of synchronous standby servers that - transactions must wait for responses from. 
- type: integer - x-kubernetes-validations: - - message: The number of synchronous replicas should be greater - than zero - rule: self > 0 - standbyNamesPost: - description: |- - A user-defined list of application names to be added to - `synchronous_standby_names` after local cluster pods (the order is - only useful for priority-based synchronous replication). - items: - type: string - type: array - standbyNamesPre: - description: |- - A user-defined list of application names to be added to - `synchronous_standby_names` before local cluster pods (the order is - only useful for priority-based synchronous replication). - items: - type: string - type: array - required: - - method - - number - type: object - x-kubernetes-validations: - - message: dataDurability set to 'preferred' requires empty 'standbyNamesPre' - and empty 'standbyNamesPost' - rule: self.dataDurability!='preferred' || ((!has(self.standbyNamesPre) - || self.standbyNamesPre.size()==0) && (!has(self.standbyNamesPost) - || self.standbyNamesPost.size()==0)) - type: object - primaryUpdateMethod: - default: restart - description: |- - Method to follow to upgrade the primary server during a rolling - update procedure, after all replicas have been successfully updated: - it can be with a switchover (`switchover`) or in-place (`restart` - default) - enum: - - switchover - - restart - type: string - primaryUpdateStrategy: - default: unsupervised - description: |- - Deployment strategy to follow to upgrade the primary server during a rolling - update procedure, after all replicas have been successfully updated: - it can be automated (`unsupervised` - default) or manual (`supervised`) - enum: - - unsupervised - - supervised - type: string - priorityClassName: - description: |- - Name of the priority class which will be used in every generated Pod, if the PriorityClass - specified does not exist, the pod will not be able to schedule. 
Please refer to - https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass - for more information - type: string - probes: - description: |- - The configuration of the probes to be injected - in the PostgreSQL Pods. - properties: - liveness: - description: The liveness probe configuration - properties: - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - isolationCheck: - description: |- - Configure the feature that extends the liveness probe for a primary - instance. In addition to the basic checks, this verifies whether the - primary is isolated from the Kubernetes API server and from its - replicas, ensuring that it can be safely shut down if network - partition or API unavailability is detected. Enabled by default. - properties: - connectionTimeout: - default: 1000 - description: Timeout in milliseconds for connections during - the primary isolation check - type: integer - enabled: - default: true - description: Whether primary isolation checking is enabled - for the liveness probe - type: boolean - requestTimeout: - default: 1000 - description: Timeout in milliseconds for requests during - the primary isolation check - type: integer - type: object - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
- format: int32 - type: integer - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - readiness: - description: The readiness probe configuration - properties: - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - maximumLag: - anyOf: - - type: integer - - type: string - description: Lag limit. 
Used only for `streaming` strategy - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: - description: The probe strategy - enum: - - pg_isready - - streaming - - query - type: string - type: object - startup: - description: The startup probe configuration - properties: - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - maximumLag: - anyOf: - - type: integer - - type: string - description: Lag limit. Used only for `streaming` strategy - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. 
Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: - description: The probe strategy - enum: - - pg_isready - - streaming - - query - type: string - type: object - type: object - projectedVolumeTemplate: - description: |- - Template to be used to define projected volumes, projected volumes will be mounted - under `/projected` base folder - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: |- - sources is the list of volume projections. Each entry in this list - handles one source. - items: - description: |- - Projection that may be projected along with other supported volume types. - Exactly one of these fields must be set. - properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. 
- - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the volume root to write - the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about the configMap data - to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a - volume. - properties: - key: - description: key is the key to project. 
- type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about the downwardAPI - data to project - properties: - items: - description: Items is a list of DownwardAPIVolume file - items: - description: DownwardAPIVolumeFile represents information - to create the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects a field of the - pod: only annotations, labels, name, namespace - and uid are supported.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in - the specified API version. 
- type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must not - be absolute or contain the ''..'' path. Must - be utf-8 encoded. The first item of the relative - path must not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required for - volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of - the exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podCertificate: - description: |- - Projects an auto-rotating credential bundle (private key and certificate - chain) that the pod can use either as a TLS client or server. - - Kubelet generates a private key and uses it to send a - PodCertificateRequest to the named signer. 
Once the signer approves the - request and issues a certificate chain, Kubelet writes the key and - certificate chain to the pod filesystem. The pod does not start until - certificates have been issued for each podCertificate projected volume - source in its spec. - - Kubelet will begin trying to rotate the certificate at the time indicated - by the signer using the PodCertificateRequest.Status.BeginRefreshAt - timestamp. - - Kubelet can write a single file, indicated by the credentialBundlePath - field, or separate files, indicated by the keyPath and - certificateChainPath fields. - - The credential bundle is a single file in PEM format. The first PEM - entry is the private key (in PKCS#8 format), and the remaining PEM - entries are the certificate chain issued by the signer (typically, - signers will return their certificate chain in leaf-to-root order). - - Prefer using the credential bundle format, since your application code - can read it atomically. If you use keyPath and certificateChainPath, - your application must make two separate file reads. If these coincide - with a certificate rotation, it is possible that the private key and leaf - certificate you read may not correspond to each other. Your application - will need to check for this condition, and re-read until they are - consistent. - - The named signer controls chooses the format of the certificate it - issues; consult the signer implementation's documentation to learn how to - use the certificates it issues. - properties: - certificateChainPath: - description: |- - Write the certificate chain at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - credentialBundlePath: - description: |- - Write the credential bundle at this path in the projected volume. 
- - The credential bundle is a single file that contains multiple PEM blocks. - The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private - key. - - The remaining blocks are CERTIFICATE blocks, containing the issued - certificate chain from the signer (leaf and any intermediates). - - Using credentialBundlePath lets your Pod's application code make a single - atomic read that retrieves a consistent key and certificate chain. If you - project them to separate files, your application code will need to - additionally check that the leaf certificate was issued to the key. - type: string - keyPath: - description: |- - Write the key at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - keyType: - description: |- - The type of keypair Kubelet will generate for the pod. - - Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", - "ECDSAP521", and "ED25519". - type: string - maxExpirationSeconds: - description: |- - maxExpirationSeconds is the maximum lifetime permitted for the - certificate. - - Kubelet copies this value verbatim into the PodCertificateRequests it - generates for this projection. - - If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver - will reject values shorter than 3600 (1 hour). The maximum allowable - value is 7862400 (91 days). - - The signer implementation is then free to issue a certificate with any - lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 - seconds (1 hour). This constraint is enforced by kube-apiserver. - `kubernetes.io` signers will never issue certificates with a lifetime - longer than 24 hours. - format: int32 - type: integer - signerName: - description: Kubelet's generated CSRs will be addressed - to this signer. 
- type: string - required: - - keyType - - signerName - type: object - secret: - description: secret information about the secret data to - project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a - volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify whether the Secret - or its key must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information about the - serviceAccountToken data to project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - replica: - description: Replica cluster configuration - properties: - enabled: - description: |- - If replica mode is enabled, this cluster will be a replica of an - existing cluster. Replica cluster can be created from a recovery - object store or via streaming through pg_basebackup. - Refer to the Replica clusters page of the documentation for more information. 
- type: boolean - minApplyDelay: - description: |- - When replica mode is enabled, this parameter allows you to replay - transactions only when the system time is at least the configured - time past the commit time. This provides an opportunity to correct - data loss errors. Note that when this parameter is set, a promotion - token cannot be used. - type: string - primary: - description: |- - Primary defines which Cluster is defined to be the primary in the distributed PostgreSQL cluster, based on the - topology specified in externalClusters - type: string - promotionToken: - description: |- - A demotion token generated by an external cluster used to - check if the promotion requirements are met. - type: string - self: - description: |- - Self defines the name of this cluster. It is used to determine if this is a primary - or a replica cluster, comparing it with `primary` - type: string - source: - description: The name of the external cluster which is the replication - origin - minLength: 1 - type: string - required: - - source - type: object - replicationSlots: - default: - highAvailability: - enabled: true - description: Replication slots management configuration - properties: - highAvailability: - default: - enabled: true - description: Replication slots for high availability configuration - properties: - enabled: - default: true - description: |- - If enabled (default), the operator will automatically manage replication slots - on the primary instance and use them in streaming replication - connections with all the standby instances that are part of the HA - cluster. If disabled, the operator will not take advantage - of replication slots in streaming connections with the replicas. - This feature also controls replication slots in replica cluster, - from the designated primary to its cascading replicas. - type: boolean - slotPrefix: - default: _cnpg_ - description: |- - Prefix for replication slots managed by the operator for HA. 
- It may only contain lower case letters, numbers, and the underscore character. - This can only be set at creation time. By default set to `_cnpg_`. - pattern: ^[0-9a-z_]*$ - type: string - synchronizeLogicalDecoding: - description: |- - When enabled, the operator automatically manages synchronization of logical - decoding (replication) slots across high-availability clusters. - - Requires one of the following conditions: - - PostgreSQL version 17 or later - - PostgreSQL version < 17 with pg_failover_slots extension enabled - type: boolean - type: object - synchronizeReplicas: - description: Configures the synchronization of the user defined - physical replication slots - properties: - enabled: - default: true - description: When set to true, every replication slot that - is on the primary is synchronized on each standby - type: boolean - excludePatterns: - description: List of regular expression patterns to match - the names of replication slots to be excluded (by default - empty) - items: - type: string - type: array - required: - - enabled - type: object - updateInterval: - default: 30 - description: |- - Standby will update the status of the local replication slots - every `updateInterval` seconds (default 30). - minimum: 1 - type: integer - type: object - resources: - description: |- - Resources requirements of every generated Pod. Please refer to - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - for more information. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. 
It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - schedulerName: - description: |- - If specified, the pod will be dispatched by specified Kubernetes - scheduler. If not specified, the pod will be dispatched by the default - scheduler. More info: - https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/ - type: string - seccompProfile: - description: |- - The SeccompProfile applied to every Pod and Container. 
- Defaults to: `RuntimeDefault` - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - serviceAccountTemplate: - description: Configure the generation of the service account - properties: - metadata: - description: |- - Metadata are the metadata to be used for the generated - service account - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is an unstructured key value map stored with a resource that may be - set by external tools to store and retrieve arbitrary metadata. They are not - queryable and should be preserved when modifying objects. - More info: http://kubernetes.io/docs/user-guide/annotations - type: object - labels: - additionalProperties: - type: string - description: |- - Map of string keys and values that can be used to organize and categorize - (scope and select) objects. May match selectors of replication controllers - and services. - More info: http://kubernetes.io/docs/user-guide/labels - type: object - name: - description: The name of the resource. Only supported for - certain types - type: string - type: object - required: - - metadata - type: object - smartShutdownTimeout: - default: 180 - description: |- - The time in seconds that controls the window of time reserved for the smart shutdown of Postgres to complete. 
- Make sure you reserve enough time for the operator to request a fast shutdown of Postgres - (that is: `stopDelay` - `smartShutdownTimeout`). Default is 180 seconds. - format: int32 - type: integer - startDelay: - default: 3600 - description: |- - The time in seconds that is allowed for a PostgreSQL instance to - successfully start up (default 3600). - The startup probe failure threshold is derived from this value using the formula: - ceiling(startDelay / 10). - format: int32 - type: integer - stopDelay: - default: 1800 - description: |- - The time in seconds that is allowed for a PostgreSQL instance to - gracefully shutdown (default 1800) - format: int32 - type: integer - storage: - description: Configuration of the storage of the instances - properties: - pvcTemplate: - description: Template to be used to generate the Persistent Volume - Claim - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. 
- For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to consider - for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the PersistentVolume - backing this claim. - type: string - type: object - resizeInUseVolumes: - default: true - description: Resize existent PVCs, defaults to true - type: boolean - size: - description: |- - Size of the storage. Required if not already specified in the PVC template. 
- Changes to this field are automatically reapplied to the created PVCs. - Size cannot be decreased. - type: string - storageClass: - description: |- - StorageClass to use for PVCs. Applied after - evaluating the PVC template, if available. - If not specified, the generated PVCs will use the - default storage class - type: string - type: object - superuserSecret: - description: |- - The secret containing the superuser password. If not defined a new - secret will be created with a randomly generated password - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - switchoverDelay: - default: 3600 - description: |- - The time in seconds that is allowed for a primary PostgreSQL instance - to gracefully shutdown during a switchover. - Default value is 3600 seconds (1 hour). - format: int32 - type: integer - tablespaces: - description: The tablespaces configuration - items: - description: |- - TablespaceConfiguration is the configuration of a tablespace, and includes - the storage specification for the tablespace - properties: - name: - description: The name of the tablespace - type: string - owner: - description: Owner is the PostgreSQL user owning the tablespace - properties: - name: - type: string - type: object - storage: - description: The storage configuration for the tablespace - properties: - pvcTemplate: - description: Template to be used to generate the Persistent - Volume Claim - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. 
For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes - to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. 
- If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to - the PersistentVolume backing this claim. - type: string - type: object - resizeInUseVolumes: - default: true - description: Resize existent PVCs, defaults to true - type: boolean - size: - description: |- - Size of the storage. Required if not already specified in the PVC template. - Changes to this field are automatically reapplied to the created PVCs. - Size cannot be decreased. - type: string - storageClass: - description: |- - StorageClass to use for PVCs. Applied after - evaluating the PVC template, if available. - If not specified, the generated PVCs will use the - default storage class - type: string - type: object - temporary: - default: false - description: |- - When set to true, the tablespace will be added as a `temp_tablespaces` - entry in PostgreSQL, and will be available to automatically house temp - database objects, or other temporary files. Please refer to PostgreSQL - documentation for more information on the `temp_tablespaces` GUC. - type: boolean - required: - - name - - storage - type: object - type: array - topologySpreadConstraints: - description: |- - TopologySpreadConstraints specifies how to spread matching pods among the given topology. - More info: - https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ - items: - description: TopologySpreadConstraint specifies how to spread matching - pods among the given topology. 
- properties: - labelSelector: - description: |- - LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine the number of pods - in their corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select the pods over which - spreading will be calculated. The keys are used to lookup values from the - incoming pod labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading will be calculated - for the incoming pod. 
The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't set. - Keys that don't exist in the incoming pod labels will - be ignored. A null or empty list means only match against labelSelector. - - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - description: |- - MaxSkew describes the degree to which pods may be unevenly distributed. - When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference - between the number of matching pods in the target topology and the global minimum. - The global minimum is the minimum number of matching pods in an eligible domain - or zero if the number of eligible domains is less than MinDomains. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 2/2/1: - In this case, the global minimum is 1. - | zone1 | zone2 | zone3 | - | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; - scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - - if MaxSkew is 2, incoming pod can be scheduled onto any zone. - When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence - to topologies that satisfy it. - It's a required field. Default value is 1 and 0 is not allowed. - format: int32 - type: integer - minDomains: - description: |- - MinDomains indicates a minimum number of eligible domains. - When the number of eligible domains with matching topology keys is less than minDomains, - Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. - And when the number of eligible domains with matching topology keys equals or greater than minDomains, - this value has no effect on scheduling. 
- As a result, when the number of eligible domains is less than minDomains, - scheduler won't schedule more than maxSkew Pods to those domains. - If value is nil, the constraint behaves as if MinDomains is equal to 1. - Valid values are integers greater than 0. - When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same - labelSelector spread as 2/2/2: - | zone1 | zone2 | zone3 | - | P P | P P | P P | - The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. - In this situation, new pod with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. - format: int32 - type: integer - nodeAffinityPolicy: - description: |- - NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. Options are: - - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - - If this value is nil, the behavior is equivalent to the Honor policy. - type: string - nodeTaintsPolicy: - description: |- - NodeTaintsPolicy indicates how we will treat node taints when calculating - pod topology spread skew. Options are: - - Honor: nodes without taints, along with tainted nodes for which the incoming pod - has a toleration, are included. - - Ignore: node taints are ignored. All nodes are included. - - If this value is nil, the behavior is equivalent to the Ignore policy. - type: string - topologyKey: - description: |- - TopologyKey is the key of node labels. Nodes that have a label with this key - and identical values are considered to be in the same topology. - We consider each as a "bucket", and try to put balanced number - of pods into each bucket. 
- We define a domain as a particular instance of a topology. - Also, we define an eligible domain as a domain whose nodes meet the requirements of - nodeAffinityPolicy and nodeTaintsPolicy. - e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. - And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. - It's a required field. - type: string - whenUnsatisfiable: - description: |- - WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy - the spread constraint. - - DoNotSchedule (default) tells the scheduler not to schedule it. - - ScheduleAnyway tells the scheduler to schedule the pod in any location, - but giving higher precedence to topologies that would help reduce the - skew. - A constraint is considered "Unsatisfiable" for an incoming pod - if and only if every possible node assignment for that pod would violate - "MaxSkew" on some topology. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: - | zone1 | zone2 | zone3 | - | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled - to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler - won't make it *more* imbalanced. - It's a required field. - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - walStorage: - description: Configuration of the storage for PostgreSQL WAL (Write-Ahead - Log) - properties: - pvcTemplate: - description: Template to be used to generate the Persistent Volume - Claim - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. 
For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to consider - for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. 
- If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the PersistentVolume - backing this claim. - type: string - type: object - resizeInUseVolumes: - default: true - description: Resize existent PVCs, defaults to true - type: boolean - size: - description: |- - Size of the storage. Required if not already specified in the PVC template. - Changes to this field are automatically reapplied to the created PVCs. - Size cannot be decreased. - type: string - storageClass: - description: |- - StorageClass to use for PVCs. Applied after - evaluating the PVC template, if available. - If not specified, the generated PVCs will use the - default storage class - type: string - type: object - required: - - instances - type: object - x-kubernetes-validations: - - message: imageName and imageCatalogRef are mutually exclusive - rule: '!(has(self.imageCatalogRef) && has(self.imageName))' - status: - description: |- - Most recently observed status of the cluster. This data may not be up - to date. Populated by the system. Read-only. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - availableArchitectures: - description: AvailableArchitectures reports the available architectures - of a cluster - items: - description: AvailableArchitecture represents the state of a cluster's - architecture - properties: - goArch: - description: GoArch is the name of the executable architecture - type: string - hash: - description: Hash is the hash of the executable - type: string - required: - - goArch - - hash - type: object - type: array - certificates: - description: The configuration for the CA and related certificates, - initialized with defaults. - properties: - clientCASecret: - description: |- - The secret containing the Client CA certificate. If not defined, a new secret will be created - with a self-signed CA and will be used to generate all the client certificates.
-
- Contains:
-
- - `ca.crt`: CA that should be used to validate the client certificates, - used as `ssl_ca_file` of all the instances.
- - `ca.key`: key used to generate client certificates, if ReplicationTLSSecret is provided, - this can be omitted.
- type: string - expirations: - additionalProperties: - type: string - description: Expiration dates for all certificates. - type: object - replicationTLSSecret: - description: |- - The secret of type kubernetes.io/tls containing the client certificate to authenticate as - the `streaming_replica` user. - If not defined, ClientCASecret must provide also `ca.key`, and a new secret will be - created using the provided CA. - type: string - serverAltDNSNames: - description: The list of the server alternative DNS names to be - added to the generated server TLS certificates, when required. - items: - type: string - type: array - serverCASecret: - description: |- - The secret containing the Server CA certificate. If not defined, a new secret will be created - with a self-signed CA and will be used to generate the TLS certificate ServerTLSSecret.
-
- Contains:
-
- - `ca.crt`: CA that should be used to validate the server certificate, - used as `sslrootcert` in client connection strings.
- - `ca.key`: key used to generate Server SSL certs, if ServerTLSSecret is provided, - this can be omitted.
- type: string - serverTLSSecret: - description: |- - The secret of type kubernetes.io/tls containing the server TLS certificate and key that will be set as - `ssl_cert_file` and `ssl_key_file` so that clients can connect to postgres securely. - If not defined, ServerCASecret must provide also `ca.key` and a new secret will be - created using the provided CA. - type: string - type: object - cloudNativePGCommitHash: - description: The commit hash number of which this operator running - type: string - cloudNativePGOperatorHash: - description: The hash of the binary of the operator - type: string - conditions: - description: Conditions for cluster object - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - configMapResourceVersion: - description: |- - The list of resource versions of the configmaps, - managed by the operator. Every change here is done in the - interest of the instance manager, which will refresh the - configmap data - properties: - metrics: - additionalProperties: - type: string - description: |- - A map with the versions of all the config maps used to pass metrics. - Map keys are the config map names, map values are the versions - type: object - type: object - currentPrimary: - description: Current primary instance - type: string - currentPrimaryFailingSinceTimestamp: - description: |- - The timestamp when the primary was detected to be unhealthy - This field is reported when `.spec.failoverDelay` is populated or during online upgrades - type: string - currentPrimaryTimestamp: - description: The timestamp when the last actual promotion to primary - has occurred - type: string - danglingPVC: - description: |- - List of all the PVCs created by this cluster and still available - which are not attached to a Pod - items: - type: string - type: array - demotionToken: - description: |- - DemotionToken is a JSON token containing the information - from pg_controldata such as Database system identifier, Latest checkpoint's - TimeLineID, Latest checkpoint's REDO location, Latest checkpoint's REDO - WAL file, and Time of latest checkpoint - type: string - firstRecoverabilityPoint: - 
description: |- - The first recoverability point, stored as a date in RFC3339 format. - This field is calculated from the content of FirstRecoverabilityPointByMethod. - - Deprecated: the field is not set for backup plugins. - type: string - firstRecoverabilityPointByMethod: - additionalProperties: - format: date-time - type: string - description: |- - The first recoverability point, stored as a date in RFC3339 format, per backup method type. - - Deprecated: the field is not set for backup plugins. - type: object - healthyPVC: - description: List of all the PVCs not dangling nor initializing - items: - type: string - type: array - image: - description: Image contains the image name used by the pods - type: string - initializingPVC: - description: List of all the PVCs that are being initialized by this - cluster - items: - type: string - type: array - instanceNames: - description: List of instance names in the cluster - items: - type: string - type: array - instances: - description: The total number of PVC Groups detected in the cluster. - It may differ from the number of existing instance pods. 
- type: integer - instancesReportedState: - additionalProperties: - description: InstanceReportedState describes the last reported state - of an instance during a reconciliation loop - properties: - ip: - description: IP address of the instance - type: string - isPrimary: - description: indicates if an instance is the primary one - type: boolean - timeLineID: - description: indicates on which TimelineId the instance is - type: integer - required: - - isPrimary - type: object - description: The reported state of the instances during the last reconciliation - loop - type: object - instancesStatus: - additionalProperties: - items: - type: string - type: array - description: InstancesStatus indicates in which status the instances - are - type: object - jobCount: - description: How many Jobs have been created by this cluster - format: int32 - type: integer - lastFailedBackup: - description: |- - Last failed backup, stored as a date in RFC3339 format. - - Deprecated: the field is not set for backup plugins. - type: string - lastPromotionToken: - description: |- - LastPromotionToken is the last verified promotion token that - was used to promote a replica cluster - type: string - lastSuccessfulBackup: - description: |- - Last successful backup, stored as a date in RFC3339 format. - This field is calculated from the content of LastSuccessfulBackupByMethod. - - Deprecated: the field is not set for backup plugins. - type: string - lastSuccessfulBackupByMethod: - additionalProperties: - format: date-time - type: string - description: |- - Last successful backup, stored as a date in RFC3339 format, per backup method type. - - Deprecated: the field is not set for backup plugins. 
- type: object - latestGeneratedNode: - description: ID of the latest generated node (used to avoid node name - clashing) - type: integer - managedRolesStatus: - description: ManagedRolesStatus reports the state of the managed roles - in the cluster - properties: - byStatus: - additionalProperties: - items: - type: string - type: array - description: ByStatus gives the list of roles in each state - type: object - cannotReconcile: - additionalProperties: - items: - type: string - type: array - description: |- - CannotReconcile lists roles that cannot be reconciled in PostgreSQL, - with an explanation of the cause - type: object - passwordStatus: - additionalProperties: - description: PasswordState represents the state of the password - of a managed RoleConfiguration - properties: - resourceVersion: - description: the resource version of the password secret - type: string - transactionID: - description: the last transaction ID to affect the role - definition in PostgreSQL - format: int64 - type: integer - type: object - description: PasswordStatus gives the last transaction id and - password secret version for each managed role - type: object - type: object - onlineUpdateEnabled: - description: OnlineUpdateEnabled shows if the online upgrade is enabled - inside the cluster - type: boolean - pgDataImageInfo: - description: PGDataImageInfo contains the details of the latest image - that has run on the current data directory. 
- properties: - image: - description: Image is the image name - type: string - majorVersion: - description: MajorVersion is the major version of the image - type: integer - required: - - image - - majorVersion - type: object - phase: - description: Current phase of the cluster - type: string - phaseReason: - description: Reason for the current phase - type: string - pluginStatus: - description: PluginStatus is the status of the loaded plugins - items: - description: PluginStatus is the status of a loaded plugin - properties: - backupCapabilities: - description: |- - BackupCapabilities are the list of capabilities of the - plugin regarding the Backup management - items: - type: string - type: array - capabilities: - description: |- - Capabilities are the list of capabilities of the - plugin - items: - type: string - type: array - name: - description: Name is the name of the plugin - type: string - operatorCapabilities: - description: |- - OperatorCapabilities are the list of capabilities of the - plugin regarding the reconciler - items: - type: string - type: array - restoreJobHookCapabilities: - description: |- - RestoreJobHookCapabilities are the list of capabilities of the - plugin regarding the RestoreJobHook management - items: - type: string - type: array - status: - description: Status contain the status reported by the plugin - through the SetStatusInCluster interface - type: string - version: - description: |- - Version is the version of the plugin loaded by the - latest reconciliation loop - type: string - walCapabilities: - description: |- - WALCapabilities are the list of capabilities of the - plugin regarding the WAL management - items: - type: string - type: array - required: - - name - - version - type: object - type: array - poolerIntegrations: - description: The integration needed by poolers referencing the cluster - properties: - pgBouncerIntegration: - description: PgBouncerIntegrationStatus encapsulates the needed - integration for the pgbouncer 
poolers referencing the cluster - properties: - secrets: - items: - type: string - type: array - type: object - type: object - pvcCount: - description: How many PVCs have been created by this cluster - format: int32 - type: integer - readService: - description: Current list of read pods - type: string - readyInstances: - description: The total number of ready instances in the cluster. It - is equal to the number of ready instance pods. - type: integer - resizingPVC: - description: List of all the PVCs that have ResizingPVC condition. - items: - type: string - type: array - secretsResourceVersion: - description: |- - The list of resource versions of the secrets - managed by the operator. Every change here is done in the - interest of the instance manager, which will refresh the - secret data - properties: - applicationSecretVersion: - description: The resource version of the "app" user secret - type: string - barmanEndpointCA: - description: The resource version of the Barman Endpoint CA if - provided - type: string - caSecretVersion: - description: Unused. Retained for compatibility with old versions. - type: string - clientCaSecretVersion: - description: The resource version of the PostgreSQL client-side - CA secret version - type: string - externalClusterSecretVersion: - additionalProperties: - type: string - description: The resource versions of the external cluster secrets - type: object - managedRoleSecretVersion: - additionalProperties: - type: string - description: The resource versions of the managed roles secrets - type: object - metrics: - additionalProperties: - type: string - description: |- - A map with the versions of all the secrets used to pass metrics. 
- Map keys are the secret names, map values are the versions - type: object - replicationSecretVersion: - description: The resource version of the "streaming_replica" user - secret - type: string - serverCaSecretVersion: - description: The resource version of the PostgreSQL server-side - CA secret version - type: string - serverSecretVersion: - description: The resource version of the PostgreSQL server-side - secret version - type: string - superuserSecretVersion: - description: The resource version of the "postgres" user secret - type: string - type: object - switchReplicaClusterStatus: - description: SwitchReplicaClusterStatus is the status of the switch - to replica cluster - properties: - inProgress: - description: InProgress indicates if there is an ongoing procedure - of switching a cluster to a replica cluster. - type: boolean - type: object - systemID: - description: SystemID is the latest detected PostgreSQL SystemID - type: string - tablespacesStatus: - description: TablespacesStatus reports the state of the declarative - tablespaces in the cluster - items: - description: TablespaceState represents the state of a tablespace - in a cluster - properties: - error: - description: Error is the reconciliation error, if any - type: string - name: - description: Name is the name of the tablespace - type: string - owner: - description: Owner is the PostgreSQL user owning the tablespace - type: string - state: - description: State is the latest reconciliation state - type: string - required: - - name - - state - type: object - type: array - targetPrimary: - description: |- - Target primary instance, this is different from the previous one - during a switchover or a failover - type: string - targetPrimaryTimestamp: - description: The timestamp when the last request for a new primary - has occurred - type: string - timelineID: - description: The timeline of the Postgres cluster - type: integer - topology: - description: Instances topology. 
- properties: - instances: - additionalProperties: - additionalProperties: - type: string - description: PodTopologyLabels represent the topology of a Pod. - map[labelName]labelValue - type: object - description: Instances contains the pod topology of the instances - type: object - nodesUsed: - description: |- - NodesUsed represents the count of distinct nodes accommodating the instances. - A value of '1' suggests that all instances are hosted on a single node, - implying the absence of High Availability (HA). Ideally, this value should - be the same as the number of instances in the Postgres HA cluster, implying - shared nothing architecture on the compute side. - format: int32 - type: integer - successfullyExtracted: - description: |- - SuccessfullyExtracted indicates if the topology data was extract. It is useful to enact fallback behaviors - in synchronous replica election in case of failures - type: boolean - type: object - unusablePVC: - description: List of all the PVCs that are unusable because another - PVC is missing - items: - type: string - type: array - writeService: - description: Current write pod - type: string - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - scale: - specReplicasPath: .spec.instances - statusReplicasPath: .status.instances - status: {} ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/crds/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: databases.postgresql.cnpg.io -spec: - group: postgresql.cnpg.io - names: - kind: Database - listKind: DatabaseList - plural: databases - singular: database - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.cluster.name - name: Cluster - type: string - - jsonPath: .spec.name - name: 
PG Name - type: string - - jsonPath: .status.applied - name: Applied - type: boolean - - description: Latest reconciliation message - jsonPath: .status.message - name: Message - type: string - name: v1 - schema: - openAPIV3Schema: - description: Database is the Schema for the databases API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Specification of the desired Database. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - allowConnections: - description: |- - Maps to the `ALLOW_CONNECTIONS` parameter of `CREATE DATABASE` and - `ALTER DATABASE`. If false then no one can connect to this database. - type: boolean - builtinLocale: - description: |- - Maps to the `BUILTIN_LOCALE` parameter of `CREATE DATABASE`. This - setting cannot be changed. Specifies the locale name when the - builtin provider is used. This option requires `localeProvider` to - be set to `builtin`. Available from PostgreSQL 17. - type: string - x-kubernetes-validations: - - message: builtinLocale is immutable - rule: self == oldSelf - cluster: - description: The name of the PostgreSQL cluster hosting the database. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - collationVersion: - description: |- - Maps to the `COLLATION_VERSION` parameter of `CREATE DATABASE`. This - setting cannot be changed. - type: string - x-kubernetes-validations: - - message: collationVersion is immutable - rule: self == oldSelf - connectionLimit: - description: |- - Maps to the `CONNECTION LIMIT` clause of `CREATE DATABASE` and - `ALTER DATABASE`. How many concurrent connections can be made to - this database. -1 (the default) means no limit. - type: integer - databaseReclaimPolicy: - default: retain - description: The policy for end-of-life maintenance of this database. - enum: - - delete - - retain - type: string - encoding: - description: |- - Maps to the `ENCODING` parameter of `CREATE DATABASE`. This setting - cannot be changed. Character set encoding to use in the database. - type: string - x-kubernetes-validations: - - message: encoding is immutable - rule: self == oldSelf - ensure: - default: present - description: Ensure the PostgreSQL database is `present` or `absent` - - defaults to "present". - enum: - - present - - absent - type: string - extensions: - description: The list of extensions to be managed in the database - items: - description: ExtensionSpec configures an extension in a database - properties: - ensure: - default: present - description: |- - Specifies whether an extension/schema should be present or absent in - the database. If set to `present`, the extension/schema will be - created if it does not exist. If set to `absent`, the - extension/schema will be removed if it exists. 
- enum: - - present - - absent - type: string - name: - description: Name of the extension/schema - type: string - schema: - description: |- - The name of the schema in which to install the extension's objects, - in case the extension allows its contents to be relocated. If not - specified (default), and the extension's control file does not - specify a schema either, the current default object creation schema - is used. - type: string - version: - description: |- - The version of the extension to install. If empty, the operator will - install the default version (whatever is specified in the - extension's control file) - type: string - required: - - name - type: object - type: array - icuLocale: - description: |- - Maps to the `ICU_LOCALE` parameter of `CREATE DATABASE`. This - setting cannot be changed. Specifies the ICU locale when the ICU - provider is used. This option requires `localeProvider` to be set to - `icu`. Available from PostgreSQL 15. - type: string - x-kubernetes-validations: - - message: icuLocale is immutable - rule: self == oldSelf - icuRules: - description: |- - Maps to the `ICU_RULES` parameter of `CREATE DATABASE`. This setting - cannot be changed. Specifies additional collation rules to customize - the behavior of the default collation. This option requires - `localeProvider` to be set to `icu`. Available from PostgreSQL 16. - type: string - x-kubernetes-validations: - - message: icuRules is immutable - rule: self == oldSelf - isTemplate: - description: |- - Maps to the `IS_TEMPLATE` parameter of `CREATE DATABASE` and `ALTER - DATABASE`. If true, this database is considered a template and can - be cloned by any user with `CREATEDB` privileges. - type: boolean - locale: - description: |- - Maps to the `LOCALE` parameter of `CREATE DATABASE`. This setting - cannot be changed. Sets the default collation order and character - classification in the new database. 
- type: string - x-kubernetes-validations: - - message: locale is immutable - rule: self == oldSelf - localeCType: - description: |- - Maps to the `LC_CTYPE` parameter of `CREATE DATABASE`. This setting - cannot be changed. - type: string - x-kubernetes-validations: - - message: localeCType is immutable - rule: self == oldSelf - localeCollate: - description: |- - Maps to the `LC_COLLATE` parameter of `CREATE DATABASE`. This - setting cannot be changed. - type: string - x-kubernetes-validations: - - message: localeCollate is immutable - rule: self == oldSelf - localeProvider: - description: |- - Maps to the `LOCALE_PROVIDER` parameter of `CREATE DATABASE`. This - setting cannot be changed. This option sets the locale provider for - databases created in the new cluster. Available from PostgreSQL 16. - type: string - x-kubernetes-validations: - - message: localeProvider is immutable - rule: self == oldSelf - name: - description: The name of the database to create inside PostgreSQL. - This setting cannot be changed. - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: the name postgres is reserved - rule: self != 'postgres' - - message: the name template0 is reserved - rule: self != 'template0' - - message: the name template1 is reserved - rule: self != 'template1' - owner: - description: |- - Maps to the `OWNER` parameter of `CREATE DATABASE`. - Maps to the `OWNER TO` command of `ALTER DATABASE`. - The role name of the user who owns the database inside PostgreSQL. - type: string - schemas: - description: The list of schemas to be managed in the database - items: - description: SchemaSpec configures a schema in a database - properties: - ensure: - default: present - description: |- - Specifies whether an extension/schema should be present or absent in - the database. If set to `present`, the extension/schema will be - created if it does not exist. 
If set to `absent`, the - extension/schema will be removed if it exists. - enum: - - present - - absent - type: string - name: - description: Name of the extension/schema - type: string - owner: - description: |- - The role name of the user who owns the schema inside PostgreSQL. - It maps to the `AUTHORIZATION` parameter of `CREATE SCHEMA` and the - `OWNER TO` command of `ALTER SCHEMA`. - type: string - required: - - name - type: object - type: array - tablespace: - description: |- - Maps to the `TABLESPACE` parameter of `CREATE DATABASE`. - Maps to the `SET TABLESPACE` command of `ALTER DATABASE`. - The name of the tablespace (in PostgreSQL) that will be associated - with the new database. This tablespace will be the default - tablespace used for objects created in this database. - type: string - template: - description: |- - Maps to the `TEMPLATE` parameter of `CREATE DATABASE`. This setting - cannot be changed. The name of the template from which to create - this database. - type: string - x-kubernetes-validations: - - message: template is immutable - rule: self == oldSelf - required: - - cluster - - name - - owner - type: object - x-kubernetes-validations: - - message: builtinLocale is only available when localeProvider is set - to `builtin` - rule: '!has(self.builtinLocale) || self.localeProvider == ''builtin''' - - message: icuLocale is only available when localeProvider is set to `icu` - rule: '!has(self.icuLocale) || self.localeProvider == ''icu''' - - message: icuRules is only available when localeProvider is set to `icu` - rule: '!has(self.icuRules) || self.localeProvider == ''icu''' - status: - description: |- - Most recently observed status of the Database. This data may not be up to - date. Populated by the system. Read-only. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - applied: - description: Applied is true if the database was reconciled correctly - type: boolean - extensions: - description: Extensions is the status of the managed extensions - items: - description: DatabaseObjectStatus is the status of the managed database - objects - properties: - applied: - description: |- - True of the object has been installed successfully in - the database - type: boolean - message: - description: Message is the object reconciliation message - type: string - name: - description: The name of the object - type: string - required: - - applied - - name - type: object - type: array - message: - description: Message is the reconciliation output message - type: string - observedGeneration: - description: |- - A sequence number representing the latest - desired state that was synchronized - format: int64 - type: integer - schemas: - description: Schemas is the status of the managed schemas - items: - description: DatabaseObjectStatus is the status of the managed database - objects - properties: - applied: - description: |- - True of the object has been installed successfully in - the database - type: boolean - message: - description: Message is the object reconciliation message - type: string - name: - description: The name of the object - type: string - required: - - applied - - name - type: object - type: array - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/crds/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: failoverquorums.postgresql.cnpg.io -spec: - group: postgresql.cnpg.io - names: - kind: FailoverQuorum - listKind: FailoverQuorumList 
- plural: failoverquorums - singular: failoverquorum - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - FailoverQuorum contains the information about the current failover - quorum status of a PG cluster. It is updated by the instance manager - of the primary node and reset to zero by the operator to trigger - an update. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - status: - description: Most recently observed status of the failover quorum. - properties: - method: - description: Contains the latest reported Method value. - type: string - primary: - description: |- - Primary is the name of the primary instance that updated - this object the latest time. - type: string - standbyNames: - description: |- - StandbyNames is the list of potentially synchronous - instance names. - items: - type: string - type: array - standbyNumber: - description: |- - StandbyNumber is the number of synchronous standbys that transactions - need to wait for replies from. 
- type: integer - type: object - required: - - metadata - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/crds/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: imagecatalogs.postgresql.cnpg.io -spec: - group: postgresql.cnpg.io - names: - kind: ImageCatalog - listKind: ImageCatalogList - plural: imagecatalogs - singular: imagecatalog - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ImageCatalog is the Schema for the imagecatalogs API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Specification of the desired behavior of the ImageCatalog. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - images: - description: List of CatalogImages available in the catalog - items: - description: CatalogImage defines the image and major version - properties: - image: - description: The image reference - type: string - major: - description: The PostgreSQL major version of the image. Must - be unique within the catalog. - minimum: 10 - type: integer - required: - - image - - major - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-validations: - - message: Images must have unique major versions - rule: self.all(e, self.filter(f, f.major==e.major).size() == 1) - required: - - images - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: {} ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/crds/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: poolers.postgresql.cnpg.io -spec: - group: postgresql.cnpg.io - names: - kind: Pooler - listKind: PoolerList - plural: poolers - singular: pooler - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.cluster.name - name: Cluster - type: string - - jsonPath: .spec.type - name: Type - type: string - name: v1 - schema: - openAPIV3Schema: - description: Pooler is the Schema for the poolers API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Specification of the desired behavior of the Pooler. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - cluster: - description: |- - This is the cluster reference on which the Pooler will work. - Pooler name should never match with any cluster name within the same namespace. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - deploymentStrategy: - description: The deployment strategy to use for pgbouncer to replace - existing pods with new ones - properties: - rollingUpdate: - description: |- - Rolling update config params. Present only if DeploymentStrategyType = - RollingUpdate. - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be scheduled above the desired number of - pods. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up. - Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when - the rolling update starts, such that the total number of old and new pods do not exceed - 130% of desired pods. 
Once old pods have been killed, - new ReplicaSet can be scaled up further, ensuring that total number of pods running - at any time during the update is at most 130% of desired pods. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding down. - This can not be 0 if MaxSurge is 0. - Defaults to 25%. - Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods - immediately when the rolling update starts. Once new pods are ready, old ReplicaSet - can be scaled down further, followed by scaling up the new ReplicaSet, ensuring - that the total number of pods available at all times during the update is at - least 70% of desired pods. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of deployment. Can be "Recreate" or "RollingUpdate". - Default is RollingUpdate. - type: string - type: object - instances: - default: 1 - description: 'The number of replicas we want. Default: 1.' - format: int32 - type: integer - monitoring: - description: |- - The configuration of the monitoring infrastructure of this pooler. - - Deprecated: This feature will be removed in an upcoming release. If - you need this functionality, you can create a PodMonitor manually. - properties: - enablePodMonitor: - default: false - description: Enable or disable the `PodMonitor` - type: boolean - podMonitorMetricRelabelings: - description: The list of metric relabelings for the `PodMonitor`. - Applied to samples before ingestion. - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. 
- - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. 
- - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - podMonitorRelabelings: - description: The list of relabelings for the `PodMonitor`. Applied - to samples before scraping. - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. 
- items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - type: object - pgbouncer: - description: The PgBouncer configuration - properties: - authQuery: - description: |- - The query that will be used to download the hash of the password - of a certain user. Default: "SELECT usename, passwd FROM public.user_search($1)". - In case it is specified, also an AuthQuerySecret has to be specified and - no automatic CNPG Cluster integration will be triggered. - type: string - authQuerySecret: - description: |- - The credentials of the user that need to be used for the authentication - query. In case it is specified, also an AuthQuery - (e.g. "SELECT usename, passwd FROM pg_catalog.pg_shadow WHERE usename=$1") - has to be specified and no automatic CNPG Cluster integration will be triggered. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - parameters: - additionalProperties: - type: string - description: |- - Additional parameters to be passed to PgBouncer - please check - the CNPG documentation for a list of options you can configure - type: object - paused: - default: false - description: |- - When set to `true`, PgBouncer will disconnect from the PostgreSQL - server, first waiting for all queries to complete, and pause all new - client connections until this value is set to `false` (default). 
Internally, - the operator calls PgBouncer's `PAUSE` and `RESUME` commands. - type: boolean - pg_hba: - description: |- - PostgreSQL Host Based Authentication rules (lines to be appended - to the pg_hba.conf file) - items: - type: string - type: array - poolMode: - default: session - description: 'The pool mode. Default: `session`.' - enum: - - session - - transaction - type: string - type: object - serviceTemplate: - description: Template for the Service to be created - properties: - metadata: - description: |- - Standard object's metadata. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is an unstructured key value map stored with a resource that may be - set by external tools to store and retrieve arbitrary metadata. They are not - queryable and should be preserved when modifying objects. - More info: http://kubernetes.io/docs/user-guide/annotations - type: object - labels: - additionalProperties: - type: string - description: |- - Map of string keys and values that can be used to organize and categorize - (scope and select) objects. May match selectors of replication controllers - and services. - More info: http://kubernetes.io/docs/user-guide/labels - type: object - name: - description: The name of the resource. Only supported for - certain types - type: string - type: object - spec: - description: |- - Specification of the desired behavior of the service. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. 
If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. 
- This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. 
Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. 
- format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. 
If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. 
- Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's - port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. 
When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. 
- More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. 
- properties: - clientIP: - description: clientIP contains the configurations of Client - IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic - is distributed to Service endpoints. Implementations can use this field - as a hint, but are not required to guarantee strict adherence. If the - field is not set, the implementation will apply its default routing - strategy. If set to "PreferClose", implementations should prioritize - endpoints that are in the same zone. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. 
- More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - template: - description: The template of the Pod to be created - properties: - metadata: - description: |- - Standard object's metadata. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is an unstructured key value map stored with a resource that may be - set by external tools to store and retrieve arbitrary metadata. They are not - queryable and should be preserved when modifying objects. - More info: http://kubernetes.io/docs/user-guide/annotations - type: object - labels: - additionalProperties: - type: string - description: |- - Map of string keys and values that can be used to organize and categorize - (scope and select) objects. May match selectors of replication controllers - and services. - More info: http://kubernetes.io/docs/user-guide/labels - type: object - name: - description: The name of the resource. Only supported for - certain types - type: string - type: object - spec: - description: |- - Specification of the desired behavior of the pod. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - activeDeadlineSeconds: - description: |- - Optional duration in seconds the pod may be active on the node relative to - StartTime before the system will actively try to mark it failed and kill associated containers. - Value must be a positive integer. - format: int64 - type: integer - affinity: - description: If specified, the pod's scheduling constraints - properties: - nodeAffinity: - description: Describes node affinity scheduling rules - for the pod. 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated - with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching - the corresponding nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. 
A list of node selector - terms. The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. - co-locate this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules - (e.g. avoid putting this pod in the same node, zone, - etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. 
- properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. 
- format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. 
- The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - automountServiceAccountToken: - description: AutomountServiceAccountToken indicates whether - a service account token should be automatically mounted. - type: boolean - containers: - description: |- - List of containers belonging to the pod. - Containers cannot currently be added or removed. - There must be at least one container in a Pod. - Cannot be updated. - items: - description: A single application container that you want - to run within a pod. - properties: - args: - description: |- - Arguments to the entrypoint. - The container image's CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. 
Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - command: - description: |- - Entrypoint array. Not executed within a shell. - The container image's ENTRYPOINT is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - env: - description: |- - List of environment variables to set in the container. - Cannot be updated. - items: - description: EnvVar represents an environment variable - present in a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". 
- type: string - valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. 
- If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount - containing the env file. - type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in - the pod's namespace - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - envFrom: - description: |- - List of sources to populate environment variables in the container. - The keys defined within a source may consist of any printable ASCII characters except '='. - When a key exists in multiple - sources, the value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will take precedence. - Cannot be updated. - items: - description: EnvFromSource represents the source of - a set of ConfigMaps or Secrets - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - description: |- - Optional text to prepend to the name of each environment variable. - May consist of any printable ASCII characters except '='. - type: string - secretRef: - description: The Secret to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret must - be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - image: - description: |- - Container image name. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - imagePullPolicy: - description: |- - Image pull policy. - One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - type: string - lifecycle: - description: |- - Actions that the management system should take in response to container lifecycle events. - Cannot be updated. - properties: - postStart: - description: |- - PostStart is called immediately after a container is created. If the handler fails, - the container is terminated and restarted according to its restart policy. - Other management of the container blocks until the hook completes. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute - in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that - the container should sleep. - properties: - seconds: - description: Seconds is the number of seconds - to sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' 
- type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: |- - PreStop is called immediately before a container is terminated due to an - API request or management event such as liveness/startup probe failure, - preemption, resource contention, etc. The handler is not called if the - container crashes or exits. The Pod's termination grace period countdown begins before the - PreStop hook is executed. Regardless of the outcome of the handler, the - container will eventually terminate within the Pod's termination grace - period (unless delayed by finalizers). Other management of the container blocks until the hook completes - or until the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute - in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. 
HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that - the container should sleep. - properties: - seconds: - description: Seconds is the number of seconds - to sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - stopSignal: - description: |- - StopSignal defines which signal will be sent to a container when it is being stopped. - If not specified, the default is defined by the container runtime in use. 
- StopSignal can only be set for Pods with a non-empty .spec.os.name - type: string - type: object - livenessProbe: - description: |- - Periodic probe of container liveness. - Container will be restarted if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute - in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. 
- type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. 
- Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - name: - description: |- - Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. - type: string - ports: - description: |- - List of ports to expose from the container. Not specifying a port here - DOES NOT prevent that port from being exposed. Any port which is - listening on the default "0.0.0.0" address inside a container will be - accessible from the network. - Modifying this array with strategic merge patch may corrupt the data. - For more information See https://github.com/kubernetes/kubernetes/issues/108255. - Cannot be updated. 
- items: - description: ContainerPort represents a network port - in a single container. - properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. - This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external - port to. - type: string - hostPort: - description: |- - Number of port to expose on the host. - If specified, this must be a valid port number, 0 < x < 65536. - If HostNetwork is specified, this must match ContainerPort. - Most containers do not need this. - format: int32 - type: integer - name: - description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. - type: string - protocol: - default: TCP - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. - Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: |- - Periodic probe of container service readiness. - Container will be removed from service endpoints if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute - in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. 
- type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. 
spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - resizePolicy: - description: Resources resize policy for the container. - items: - description: ContainerResizePolicy represents resource - resize policy for the container. - properties: - resourceName: - description: |- - Name of the resource to which this resource resize policy applies. - Supported values: cpu, memory. - type: string - restartPolicy: - description: |- - Restart policy to apply when specified resource is resized. - If not specified, it defaults to NotRequired. - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - Compute Resources required by this container. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry - in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - restartPolicy: - description: |- - RestartPolicy defines the restart behavior of individual containers in a pod. - This overrides the pod-level restart policy. When this field is not specified, - the restart behavior is defined by the Pod's restart policy and the container type. - Additionally, setting the RestartPolicy as "Always" for the init container will - have the following effect: - this init container will be continually restarted on - exit until all regular containers have terminated. Once all regular - containers have completed, all init containers with restartPolicy "Always" - will be shut down. This lifecycle differs from normal init containers and - is often referred to as a "sidecar" container. 
Although this init - container still starts in the init container sequence, it does not wait - for the container to complete before proceeding to the next init - container. Instead, the next init container starts immediately after this - init container is started, or after any startupProbe has successfully - completed. - type: string - restartPolicyRules: - description: |- - Represents a list of rules to be checked to determine if the - container should be restarted on exit. The rules are evaluated in - order. Once a rule matches a container exit condition, the remaining - rules are ignored. If no rule matches the container exit condition, - the Container-level restart policy determines the whether the container - is restarted or not. Constraints on the rules: - - At most 20 rules are allowed. - - Rules can have the same action. - - Identical rules are not forbidden in validations. - When rules are specified, container MUST set RestartPolicy explicitly - even it if matches the Pod's RestartPolicy. - items: - description: ContainerRestartRule describes how a - container exit is handled. - properties: - action: - description: |- - Specifies the action taken on a container exit if the requirements - are satisfied. The only possible value is "Restart" to restart the - container. - type: string - exitCodes: - description: Represents the exit codes to check - on container exits. - properties: - operator: - description: |- - Represents the relationship between the container exit code(s) and the - specified values. Possible values are: - - In: the requirement is satisfied if the container exit code is in the - set of specified values. - - NotIn: the requirement is satisfied if the container exit code is - not in the set of specified values. - type: string - values: - description: |- - Specifies the set of values to check for container exit codes. - At most 255 elements are allowed. 
- items: - format: int32 - type: integer - type: array - x-kubernetes-list-type: set - required: - - operator - type: object - required: - - action - type: object - type: array - x-kubernetes-list-type: atomic - securityContext: - description: |- - SecurityContext defines the security options the container should be run with. - If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. - More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by this container. If set, this profile - overrides the pod's appArmorProfile. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. 
- Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default value is Default which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that - applies to the container. - type: string - role: - description: Role is a SELinux role label that - applies to the container. - type: string - type: - description: Type is a SELinux type label that - applies to the container. - type: string - user: - description: User is a SELinux user label that - applies to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". 
Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - type: object - type: object - startupProbe: - description: |- - StartupProbe indicates that the Pod has successfully initialized. - If specified, no other probes are executed until this completes successfully. - If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, - when it might take a long time to load data or warm a cache, than during steady-state operation. - This cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute - in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. 
- type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
- format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - stdin: - description: |- - Whether this container should allocate a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will always result in EOF. - Default is false. 
- type: boolean - stdinOnce: - description: |- - Whether the container runtime should close the stdin channel after it has been opened by - a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the - first client attaches to stdin, and then remains open and accepts data until the client disconnects, - at which time stdin is closed and remains closed until the container is restarted. If this - flag is false, a container processes that reads from stdin will never receive an EOF. - Default is false - type: boolean - terminationMessagePath: - description: |- - Optional: Path at which the file to which the container's termination message - will be written is mounted into the container's filesystem. - Message written is intended to be brief final status, such as an assertion failure message. - Will be truncated by the node if greater than 4096 bytes. The total message length across - all containers will be limited to 12kb. - Defaults to /dev/termination-log. - Cannot be updated. - type: string - terminationMessagePolicy: - description: |- - Indicate how the termination message should be populated. File will use the contents of - terminationMessagePath to populate the container status message on both success and failure. - FallbackToLogsOnError will use the last chunk of container log output if the termination - message file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, whichever is smaller. - Defaults to File. - Cannot be updated. - type: string - tty: - description: |- - Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. - Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. 
- items: - description: volumeDevice describes a mapping of a - raw block device within a container. - properties: - devicePath: - description: devicePath is the path inside of - the container that the device will be mapped - to. - type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - devicePath - x-kubernetes-list-type: map - volumeMounts: - description: |- - Pod volumes to mount into the container's filesystem. - Cannot be updated. - items: - description: VolumeMount describes a mounting of a - Volume within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. 
If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - mountPath - x-kubernetes-list-type: map - workingDir: - description: |- - Container's working directory. - If not specified, the container runtime's default will be used, which - might be configured in the container image. - Cannot be updated. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - dnsConfig: - description: |- - Specifies the DNS parameters of a pod. - Parameters specified here will be merged to the generated DNS - configuration based on DNSPolicy. - properties: - nameservers: - description: |- - A list of DNS name server IP addresses. - This will be appended to the base nameservers generated from DNSPolicy. - Duplicated nameservers will be removed. - items: - type: string - type: array - x-kubernetes-list-type: atomic - options: - description: |- - A list of DNS resolver options. 
- This will be merged with the base options generated from DNSPolicy. - Duplicated entries will be removed. Resolution options given in Options - will override those that appear in the base DNSPolicy. - items: - description: PodDNSConfigOption defines DNS resolver - options of a pod. - properties: - name: - description: |- - Name is this DNS resolver option's name. - Required. - type: string - value: - description: Value is this DNS resolver option's - value. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - searches: - description: |- - A list of DNS search domains for host-name lookup. - This will be appended to the base search paths generated from DNSPolicy. - Duplicated search paths will be removed. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - dnsPolicy: - description: |- - Set DNS policy for the pod. - Defaults to "ClusterFirst". - Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. - DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. - To have DNS options set along with hostNetwork, you have to specify DNS policy - explicitly to 'ClusterFirstWithHostNet'. - type: string - enableServiceLinks: - description: |- - EnableServiceLinks indicates whether information about services should be injected into pod's - environment variables, matching the syntax of Docker links. - Optional: Defaults to true. - type: boolean - ephemeralContainers: - description: |- - List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing - pod to perform user-initiated actions such as debugging. This list cannot be specified when - creating a pod, and it cannot be modified by updating the pod spec. In order to add an - ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. 
- items: - description: |- - An EphemeralContainer is a temporary container that you may add to an existing Pod for - user-initiated activities such as debugging. Ephemeral containers have no resource or - scheduling guarantees, and they will not be restarted when they exit or when a Pod is - removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the - Pod to exceed its resource allocation. - - To add an ephemeral container, use the ephemeralcontainers subresource of an existing - Pod. Ephemeral containers may not be removed or restarted. - properties: - args: - description: |- - Arguments to the entrypoint. - The image's CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - command: - description: |- - Entrypoint array. Not executed within a shell. - The image's ENTRYPOINT is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. 
- More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - env: - description: |- - List of environment variables to set in the container. - Cannot be updated. - items: - description: EnvVar represents an environment variable - present in a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. - If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount - containing the env file. 
- type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in - the pod's namespace - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - envFrom: - description: |- - List of sources to populate environment variables in the container. - The keys defined within a source may consist of any printable ASCII characters except '='. 
- When a key exists in multiple - sources, the value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will take precedence. - Cannot be updated. - items: - description: EnvFromSource represents the source of - a set of ConfigMaps or Secrets - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - description: |- - Optional text to prepend to the name of each environment variable. - May consist of any printable ASCII characters except '='. - type: string - secretRef: - description: The Secret to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret must - be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - image: - description: |- - Container image name. - More info: https://kubernetes.io/docs/concepts/containers/images - type: string - imagePullPolicy: - description: |- - Image pull policy. - One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - Cannot be updated. 
- More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - type: string - lifecycle: - description: Lifecycle is not allowed for ephemeral - containers. - properties: - postStart: - description: |- - PostStart is called immediately after a container is created. If the handler fails, - the container is terminated and restarted according to its restart policy. - Other management of the container blocks until the hook completes. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute - in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. 
- type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that - the container should sleep. - properties: - seconds: - description: Seconds is the number of seconds - to sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: |- - PreStop is called immediately before a container is terminated due to an - API request or management event such as liveness/startup probe failure, - preemption, resource contention, etc. The handler is not called if the - container crashes or exits. The Pod's termination grace period countdown begins before the - PreStop hook is executed. 
Regardless of the outcome of the handler, the - container will eventually terminate within the Pod's termination grace - period (unless delayed by finalizers). Other management of the container blocks until the hook completes - or until the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute - in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. 
- Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that - the container should sleep. - properties: - seconds: - description: Seconds is the number of seconds - to sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - stopSignal: - description: |- - StopSignal defines which signal will be sent to a container when it is being stopped. - If not specified, the default is defined by the container runtime in use. - StopSignal can only be set for Pods with a non-empty .spec.os.name - type: string - type: object - livenessProbe: - description: Probes are not allowed for ephemeral containers. - properties: - exec: - description: Exec specifies a command to execute - in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. 
- Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. 
- x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). 
- This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - name: - description: |- - Name of the ephemeral container specified as a DNS_LABEL. - This name must be unique among all containers, init containers and ephemeral containers. - type: string - ports: - description: Ports are not allowed for ephemeral containers. - items: - description: ContainerPort represents a network port - in a single container. - properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. - This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external - port to. - type: string - hostPort: - description: |- - Number of port to expose on the host. - If specified, this must be a valid port number, 0 < x < 65536. - If HostNetwork is specified, this must match ContainerPort. - Most containers do not need this. - format: int32 - type: integer - name: - description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. - type: string - protocol: - default: TCP - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. - Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: Probes are not allowed for ephemeral containers. 
- properties: - exec: - description: Exec specifies a command to execute - in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. 
- type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. 
- The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - resizePolicy: - description: Resources resize policy for the container. - items: - description: ContainerResizePolicy represents resource - resize policy for the container. - properties: - resourceName: - description: |- - Name of the resource to which this resource resize policy applies. - Supported values: cpu, memory. - type: string - restartPolicy: - description: |- - Restart policy to apply when specified resource is resized. - If not specified, it defaults to NotRequired. - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources - already allocated to the pod. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. 
- - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry - in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - restartPolicy: - description: |- - Restart policy for the container to manage the restart behavior of each - container within a pod. - You cannot set this field on ephemeral containers. 
- type: string - restartPolicyRules: - description: |- - Represents a list of rules to be checked to determine if the - container should be restarted on exit. You cannot set this field on - ephemeral containers. - items: - description: ContainerRestartRule describes how a - container exit is handled. - properties: - action: - description: |- - Specifies the action taken on a container exit if the requirements - are satisfied. The only possible value is "Restart" to restart the - container. - type: string - exitCodes: - description: Represents the exit codes to check - on container exits. - properties: - operator: - description: |- - Represents the relationship between the container exit code(s) and the - specified values. Possible values are: - - In: the requirement is satisfied if the container exit code is in the - set of specified values. - - NotIn: the requirement is satisfied if the container exit code is - not in the set of specified values. - type: string - values: - description: |- - Specifies the set of values to check for container exit codes. - At most 255 elements are allowed. - items: - format: int32 - type: integer - type: array - x-kubernetes-list-type: set - required: - - operator - type: object - required: - - action - type: object - type: array - x-kubernetes-list-type: atomic - securityContext: - description: |- - Optional: SecurityContext defines the security options the ephemeral container should be run with. - If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. 
- type: boolean - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by this container. If set, this profile - overrides the pod's appArmorProfile. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default value is Default which uses the container runtime defaults for - readonly paths and masked paths. 
- This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that - applies to the container. - type: string - role: - description: Role is a SELinux role label that - applies to the container. - type: string - type: - description: Type is a SELinux type label that - applies to the container. - type: string - user: - description: User is a SELinux user label that - applies to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. 
- properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - startupProbe: - description: Probes are not allowed for ephemeral containers. - properties: - exec: - description: Exec specifies a command to execute - in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. 
- Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - stdin: - description: |- - Whether this container should allocate a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will always result in EOF. - Default is false. - type: boolean - stdinOnce: - description: |- - Whether the container runtime should close the stdin channel after it has been opened by - a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the - first client attaches to stdin, and then remains open and accepts data until the client disconnects, - at which time stdin is closed and remains closed until the container is restarted. If this - flag is false, a container processes that reads from stdin will never receive an EOF. - Default is false - type: boolean - targetContainerName: - description: |- - If set, the name of the container from PodSpec that this ephemeral container targets. - The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. - If not set then the ephemeral container uses the namespaces configured in the Pod spec. - - The container runtime must implement support for this feature. If the runtime does not - support namespace targeting then the result of setting this field is undefined. - type: string - terminationMessagePath: - description: |- - Optional: Path at which the file to which the container's termination message - will be written is mounted into the container's filesystem. - Message written is intended to be brief final status, such as an assertion failure message. - Will be truncated by the node if greater than 4096 bytes. The total message length across - all containers will be limited to 12kb. - Defaults to /dev/termination-log. - Cannot be updated. 
- type: string - terminationMessagePolicy: - description: |- - Indicate how the termination message should be populated. File will use the contents of - terminationMessagePath to populate the container status message on both success and failure. - FallbackToLogsOnError will use the last chunk of container log output if the termination - message file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, whichever is smaller. - Defaults to File. - Cannot be updated. - type: string - tty: - description: |- - Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. - Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. - items: - description: volumeDevice describes a mapping of a - raw block device within a container. - properties: - devicePath: - description: devicePath is the path inside of - the container that the device will be mapped - to. - type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - devicePath - x-kubernetes-list-type: map - volumeMounts: - description: |- - Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers. - Cannot be updated. - items: - description: VolumeMount describes a mounting of a - Volume within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. 
- When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - mountPath - x-kubernetes-list-type: map - workingDir: - description: |- - Container's working directory. 
- If not specified, the container runtime's default will be used, which - might be configured in the container image. - Cannot be updated. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - hostAliases: - description: |- - HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts - file if specified. - items: - description: |- - HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the - pod's hosts file. - properties: - hostnames: - description: Hostnames for the above IP address. - items: - type: string - type: array - x-kubernetes-list-type: atomic - ip: - description: IP address of the host file entry. - type: string - required: - - ip - type: object - type: array - x-kubernetes-list-map-keys: - - ip - x-kubernetes-list-type: map - hostIPC: - description: |- - Use the host's ipc namespace. - Optional: Default to false. - type: boolean - hostNetwork: - description: |- - Host networking requested for this pod. Use the host's network namespace. - When using HostNetwork you should specify ports so the scheduler is aware. - When `hostNetwork` is true, specified `hostPort` fields in port definitions must match `containerPort`, - and unspecified `hostPort` fields in port definitions are defaulted to match `containerPort`. - Default to false. - type: boolean - hostPID: - description: |- - Use the host's pid namespace. - Optional: Default to false. - type: boolean - hostUsers: - description: |- - Use the host's user namespace. - Optional: Default to true. - If set to true or not present, the pod will be run in the host user namespace, useful - for when the pod needs a feature only available to the host user namespace, such as - loading a kernel module with CAP_SYS_MODULE. - When set to false, a new userns is created for the pod. 
Setting false is useful for - mitigating container breakout vulnerabilities even allowing users to run their - containers as root without actually having root privileges on the host. - This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature. - type: boolean - hostname: - description: |- - Specifies the hostname of the Pod - If not specified, the pod's hostname will be set to a system-defined value. - type: string - hostnameOverride: - description: |- - HostnameOverride specifies an explicit override for the pod's hostname as perceived by the pod. - This field only specifies the pod's hostname and does not affect its DNS records. - When this field is set to a non-empty string: - - It takes precedence over the values set in `hostname` and `subdomain`. - - The Pod's hostname will be set to this value. - - `setHostnameAsFQDN` must be nil or set to false. - - `hostNetwork` must be set to false. - - This field must be a valid DNS subdomain as defined in RFC 1123 and contain at most 64 characters. - Requires the HostnameOverride feature gate to be enabled. - type: string - imagePullSecrets: - description: |- - ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. - If specified, these secrets will be passed to individual puller implementations for them to use. - More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - initContainers: - description: |- - List of initialization containers belonging to the pod. - Init containers are executed in order prior to containers being started. If any - init container fails, the pod is considered to have failed and is handled according - to its restartPolicy. The name for an init container or normal container must be - unique among all containers. - Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. - The resourceRequirements of an init container are taken into account during scheduling - by finding the highest request/limit for each resource type, and then using the max of - that value or the sum of the normal containers. Limits are applied to init containers - in a similar fashion. - Init containers cannot currently be added or removed. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - items: - description: A single application container that you want - to run within a pod. - properties: - args: - description: |- - Arguments to the entrypoint. - The container image's CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. 
- More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - command: - description: |- - Entrypoint array. Not executed within a shell. - The container image's ENTRYPOINT is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - env: - description: |- - List of environment variables to set in the container. - Cannot be updated. - items: - description: EnvVar represents an environment variable - present in a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's - value. 
Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. 
- If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount - containing the env file. - type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in - the pod's namespace - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - envFrom: - description: |- - List of sources to populate environment variables in the container. - The keys defined within a source may consist of any printable ASCII characters except '='. - When a key exists in multiple - sources, the value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will take precedence. - Cannot be updated. - items: - description: EnvFromSource represents the source of - a set of ConfigMaps or Secrets - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - description: |- - Optional text to prepend to the name of each environment variable. - May consist of any printable ASCII characters except '='. - type: string - secretRef: - description: The Secret to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret must - be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - image: - description: |- - Container image name. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - imagePullPolicy: - description: |- - Image pull policy. - One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - type: string - lifecycle: - description: |- - Actions that the management system should take in response to container lifecycle events. - Cannot be updated. - properties: - postStart: - description: |- - PostStart is called immediately after a container is created. If the handler fails, - the container is terminated and restarted according to its restart policy. - Other management of the container blocks until the hook completes. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute - in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that - the container should sleep. - properties: - seconds: - description: Seconds is the number of seconds - to sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' 
- type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: |- - PreStop is called immediately before a container is terminated due to an - API request or management event such as liveness/startup probe failure, - preemption, resource contention, etc. The handler is not called if the - container crashes or exits. The Pod's termination grace period countdown begins before the - PreStop hook is executed. Regardless of the outcome of the handler, the - container will eventually terminate within the Pod's termination grace - period (unless delayed by finalizers). Other management of the container blocks until the hook completes - or until the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute - in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. 
HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that - the container should sleep. - properties: - seconds: - description: Seconds is the number of seconds - to sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - stopSignal: - description: |- - StopSignal defines which signal will be sent to a container when it is being stopped. - If not specified, the default is defined by the container runtime in use. 
- StopSignal can only be set for Pods with a non-empty .spec.os.name - type: string - type: object - livenessProbe: - description: |- - Periodic probe of container liveness. - Container will be restarted if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute - in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. 
- type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. 
- Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - name: - description: |- - Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. - type: string - ports: - description: |- - List of ports to expose from the container. Not specifying a port here - DOES NOT prevent that port from being exposed. Any port which is - listening on the default "0.0.0.0" address inside a container will be - accessible from the network. - Modifying this array with strategic merge patch may corrupt the data. - For more information See https://github.com/kubernetes/kubernetes/issues/108255. - Cannot be updated. 
- items: - description: ContainerPort represents a network port - in a single container. - properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. - This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external - port to. - type: string - hostPort: - description: |- - Number of port to expose on the host. - If specified, this must be a valid port number, 0 < x < 65536. - If HostNetwork is specified, this must match ContainerPort. - Most containers do not need this. - format: int32 - type: integer - name: - description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. - type: string - protocol: - default: TCP - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. - Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: |- - Periodic probe of container service readiness. - Container will be removed from service endpoints if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute - in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. 
- type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. 
spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - resizePolicy: - description: Resources resize policy for the container. - items: - description: ContainerResizePolicy represents resource - resize policy for the container. - properties: - resourceName: - description: |- - Name of the resource to which this resource resize policy applies. - Supported values: cpu, memory. - type: string - restartPolicy: - description: |- - Restart policy to apply when specified resource is resized. - If not specified, it defaults to NotRequired. - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - Compute Resources required by this container. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry - in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - restartPolicy: - description: |- - RestartPolicy defines the restart behavior of individual containers in a pod. - This overrides the pod-level restart policy. When this field is not specified, - the restart behavior is defined by the Pod's restart policy and the container type. - Additionally, setting the RestartPolicy as "Always" for the init container will - have the following effect: - this init container will be continually restarted on - exit until all regular containers have terminated. Once all regular - containers have completed, all init containers with restartPolicy "Always" - will be shut down. This lifecycle differs from normal init containers and - is often referred to as a "sidecar" container. 
Although this init - container still starts in the init container sequence, it does not wait - for the container to complete before proceeding to the next init - container. Instead, the next init container starts immediately after this - init container is started, or after any startupProbe has successfully - completed. - type: string - restartPolicyRules: - description: |- - Represents a list of rules to be checked to determine if the - container should be restarted on exit. The rules are evaluated in - order. Once a rule matches a container exit condition, the remaining - rules are ignored. If no rule matches the container exit condition, - the Container-level restart policy determines the whether the container - is restarted or not. Constraints on the rules: - - At most 20 rules are allowed. - - Rules can have the same action. - - Identical rules are not forbidden in validations. - When rules are specified, container MUST set RestartPolicy explicitly - even it if matches the Pod's RestartPolicy. - items: - description: ContainerRestartRule describes how a - container exit is handled. - properties: - action: - description: |- - Specifies the action taken on a container exit if the requirements - are satisfied. The only possible value is "Restart" to restart the - container. - type: string - exitCodes: - description: Represents the exit codes to check - on container exits. - properties: - operator: - description: |- - Represents the relationship between the container exit code(s) and the - specified values. Possible values are: - - In: the requirement is satisfied if the container exit code is in the - set of specified values. - - NotIn: the requirement is satisfied if the container exit code is - not in the set of specified values. - type: string - values: - description: |- - Specifies the set of values to check for container exit codes. - At most 255 elements are allowed. 
- items: - format: int32 - type: integer - type: array - x-kubernetes-list-type: set - required: - - operator - type: object - required: - - action - type: object - type: array - x-kubernetes-list-type: atomic - securityContext: - description: |- - SecurityContext defines the security options the container should be run with. - If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. - More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by this container. If set, this profile - overrides the pod's appArmorProfile. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. 
- Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default value is Default which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that - applies to the container. - type: string - role: - description: Role is a SELinux role label that - applies to the container. - type: string - type: - description: Type is a SELinux type label that - applies to the container. - type: string - user: - description: User is a SELinux user label that - applies to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". 
Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - type: object - type: object - startupProbe: - description: |- - StartupProbe indicates that the Pod has successfully initialized. - If specified, no other probes are executed until this completes successfully. - If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, - when it might take a long time to load data or warm a cache, than during steady-state operation. - This cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute - in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. 
- type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
- format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - stdin: - description: |- - Whether this container should allocate a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will always result in EOF. - Default is false. 
- type: boolean - stdinOnce: - description: |- - Whether the container runtime should close the stdin channel after it has been opened by - a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the - first client attaches to stdin, and then remains open and accepts data until the client disconnects, - at which time stdin is closed and remains closed until the container is restarted. If this - flag is false, a container processes that reads from stdin will never receive an EOF. - Default is false - type: boolean - terminationMessagePath: - description: |- - Optional: Path at which the file to which the container's termination message - will be written is mounted into the container's filesystem. - Message written is intended to be brief final status, such as an assertion failure message. - Will be truncated by the node if greater than 4096 bytes. The total message length across - all containers will be limited to 12kb. - Defaults to /dev/termination-log. - Cannot be updated. - type: string - terminationMessagePolicy: - description: |- - Indicate how the termination message should be populated. File will use the contents of - terminationMessagePath to populate the container status message on both success and failure. - FallbackToLogsOnError will use the last chunk of container log output if the termination - message file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, whichever is smaller. - Defaults to File. - Cannot be updated. - type: string - tty: - description: |- - Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. - Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. 
- items: - description: volumeDevice describes a mapping of a - raw block device within a container. - properties: - devicePath: - description: devicePath is the path inside of - the container that the device will be mapped - to. - type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - devicePath - x-kubernetes-list-type: map - volumeMounts: - description: |- - Pod volumes to mount into the container's filesystem. - Cannot be updated. - items: - description: VolumeMount describes a mounting of a - Volume within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. 
If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - mountPath - x-kubernetes-list-type: map - workingDir: - description: |- - Container's working directory. - If not specified, the container runtime's default will be used, which - might be configured in the container image. - Cannot be updated. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - nodeName: - description: |- - NodeName indicates in which node this pod is scheduled. - If empty, this pod is a candidate for scheduling by the scheduler defined in schedulerName. - Once this field is set, the kubelet for this node becomes responsible for the lifecycle of this pod. - This field should not be used to express a desire for the pod to be scheduled on a specific node. 
- https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename - type: string - nodeSelector: - additionalProperties: - type: string - description: |- - NodeSelector is a selector which must be true for the pod to fit on a node. - Selector which must match a node's labels for the pod to be scheduled on that node. - More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - type: object - x-kubernetes-map-type: atomic - os: - description: |- - Specifies the OS of the containers in the pod. - Some pod and container fields are restricted if this is set. - - If the OS field is set to linux, the following fields must be unset: - -securityContext.windowsOptions - - If the OS field is set to windows, following fields must be unset: - - spec.hostPID - - spec.hostIPC - - spec.hostUsers - - spec.resources - - spec.securityContext.appArmorProfile - - spec.securityContext.seLinuxOptions - - spec.securityContext.seccompProfile - - spec.securityContext.fsGroup - - spec.securityContext.fsGroupChangePolicy - - spec.securityContext.sysctls - - spec.shareProcessNamespace - - spec.securityContext.runAsUser - - spec.securityContext.runAsGroup - - spec.securityContext.supplementalGroups - - spec.securityContext.supplementalGroupsPolicy - - spec.containers[*].securityContext.appArmorProfile - - spec.containers[*].securityContext.seLinuxOptions - - spec.containers[*].securityContext.seccompProfile - - spec.containers[*].securityContext.capabilities - - spec.containers[*].securityContext.readOnlyRootFilesystem - - spec.containers[*].securityContext.privileged - - spec.containers[*].securityContext.allowPrivilegeEscalation - - spec.containers[*].securityContext.procMount - - spec.containers[*].securityContext.runAsUser - - spec.containers[*].securityContext.runAsGroup - properties: - name: - description: |- - Name is the name of the operating system. The currently supported values are linux and windows. 
- Additional value may be defined in future and can be one of: - https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration - Clients should expect to handle additional values and treat unrecognized values in this field as os: null - type: string - required: - - name - type: object - overhead: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. - This field will be autopopulated at admission time by the RuntimeClass admission controller. If - the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. - The RuntimeClass admission controller will reject Pod create requests which have the overhead already - set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value - defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. - More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md - type: object - preemptionPolicy: - description: |- - PreemptionPolicy is the Policy for preempting pods with lower priority. - One of Never, PreemptLowerPriority. - Defaults to PreemptLowerPriority if unset. - type: string - priority: - description: |- - The priority value. Various system components use this field to find the - priority of the pod. When Priority Admission Controller is enabled, it - prevents users from setting this field. The admission controller populates - this field from PriorityClassName. - The higher the value, the higher the priority. - format: int32 - type: integer - priorityClassName: - description: |- - If specified, indicates the pod's priority. 
"system-node-critical" and - "system-cluster-critical" are two special keywords which indicate the - highest priorities with the former being the highest priority. Any other - name must be defined by creating a PriorityClass object with that name. - If not specified, the pod priority will be default or zero if there is no - default. - type: string - readinessGates: - description: |- - If specified, all readiness gates will be evaluated for pod readiness. - A pod is ready when all its containers are ready AND - all conditions specified in the readiness gates have status equal to "True" - More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates - items: - description: PodReadinessGate contains the reference to - a pod condition - properties: - conditionType: - description: ConditionType refers to a condition in - the pod's condition list with matching type. - type: string - required: - - conditionType - type: object - type: array - x-kubernetes-list-type: atomic - resourceClaims: - description: |- - ResourceClaims defines which ResourceClaims must be allocated - and reserved before the Pod is allowed to start. The resources - will be made available to those containers which consume them - by name. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. - items: - description: |- - PodResourceClaim references exactly one ResourceClaim, either directly - or by naming a ResourceClaimTemplate which is then turned into a ResourceClaim - for the pod. - - It adds a name to it that uniquely identifies the ResourceClaim inside the Pod. - Containers that need access to the ResourceClaim reference it with this name. - properties: - name: - description: |- - Name uniquely identifies this resource claim inside the pod. - This must be a DNS_LABEL. 
- type: string - resourceClaimName: - description: |- - ResourceClaimName is the name of a ResourceClaim object in the same - namespace as this pod. - - Exactly one of ResourceClaimName and ResourceClaimTemplateName must - be set. - type: string - resourceClaimTemplateName: - description: |- - ResourceClaimTemplateName is the name of a ResourceClaimTemplate - object in the same namespace as this pod. - - The template will be used to create a new ResourceClaim, which will - be bound to this pod. When this pod is deleted, the ResourceClaim - will also be deleted. The pod name and resource name, along with a - generated component, will be used to form a unique name for the - ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses. - - This field is immutable and no changes will be made to the - corresponding ResourceClaim by the control plane after creating the - ResourceClaim. - - Exactly one of ResourceClaimName and ResourceClaimTemplateName must - be set. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - resources: - description: |- - Resources is the total amount of CPU and Memory resources required by all - containers in the pod. It supports specifying Requests and Limits for - "cpu", "memory" and "hugepages-" resource names only. ResourceClaims are not supported. - - This field enables fine-grained control over resource allocation for the - entire pod, allowing resource sharing among containers in a pod. - - This is an alpha field and requires enabling the PodLevelResources feature - gate. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
- properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - restartPolicy: - description: |- - Restart policy for all containers within the pod. - One of Always, OnFailure, Never. In some contexts, only a subset of those values may be permitted. - Default to Always. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy - type: string - runtimeClassName: - description: |- - RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used - to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. - If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an - empty definition that uses the default runtime handler. - More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class - type: string - schedulerName: - description: |- - If specified, the pod will be dispatched by specified scheduler. - If not specified, the pod will be dispatched by default scheduler. - type: string - schedulingGates: - description: |- - SchedulingGates is an opaque list of values that if specified will block scheduling the pod. - If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the - scheduler will not attempt to schedule the pod. - - SchedulingGates can only be set at pod creation time, and be removed only afterwards. - items: - description: PodSchedulingGate is associated to a Pod to - guard its scheduling. - properties: - name: - description: |- - Name of the scheduling gate. - Each scheduling gate must have a unique name field. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - securityContext: - description: |- - SecurityContext holds pod-level security attributes and common container settings. - Optional: Defaults to empty. See type description for default values of each field. - properties: - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxChangePolicy: - description: |- - seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. - It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. - Valid values are "MountOption" and "Recursive". - - "Recursive" means relabeling of all files on all Pod volumes by the container runtime. - This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. - - "MountOption" mounts all eligible Pod volumes with `-o context` mount option. - This requires all Pods that share the same volume to use the same SELinux label. - It is not possible to share the same volume among privileged and unprivileged Pods. 
- Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes - whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their - CSIDriver instance. Other volumes are always re-labelled recursively. - "MountOption" value is allowed only when SELinuxMount feature gate is enabled. - - If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. - If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes - and "Recursive" for all other volumes. - - This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. - - All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. - Note that this field cannot be set when spec.os.name is windows. - type: string - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in - addition to the container's primary GID and fsGroup (if specified). If - the SupplementalGroupsPolicy feature is enabled, the - supplementalGroupsPolicy field determines whether these are in addition - to or instead of any group memberships defined in the container image. - If unspecified, no additional groups are added, though group memberships - defined in the container image may still be used, depending on the - supplementalGroupsPolicy field. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - description: |- - Defines how supplemental groups of the first container processes are calculated. - Valid values are "Merge" and "Strict". If not specified, "Merge" is used. - (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled - and the container runtime must implement support for this feature. - Note that this field cannot be set when spec.os.name is windows. - type: string - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. 
Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be - set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of - the GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - type: object - type: object - serviceAccount: - description: |- - DeprecatedServiceAccount is a deprecated alias for ServiceAccountName. - Deprecated: Use serviceAccountName instead. - type: string - serviceAccountName: - description: |- - ServiceAccountName is the name of the ServiceAccount to use to run this pod. - More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ - type: string - setHostnameAsFQDN: - description: |- - If true the pod's hostname will be configured as the pod's FQDN, rather than the leaf name (the default). - In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname). - In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters to FQDN. - If a pod does not have FQDN, this has no effect. - Default to false. - type: boolean - shareProcessNamespace: - description: |- - Share a single process namespace between all of the containers in a pod. - When this is set containers will be able to view and signal processes from other containers - in the same pod, and the first process in each container will not be assigned PID 1. - HostPID and ShareProcessNamespace cannot both be set. - Optional: Default to false. - type: boolean - subdomain: - description: |- - If specified, the fully qualified Pod hostname will be "...svc.". - If not specified, the pod will not have a domainname at all. - type: string - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - If this value is nil, the default grace period will be used instead. 
- The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - Defaults to 30 seconds. - format: int64 - type: integer - tolerations: - description: If specified, the pod's tolerations. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. 
- type: string - type: object - type: array - x-kubernetes-list-type: atomic - topologySpreadConstraints: - description: |- - TopologySpreadConstraints describes how a group of pods ought to spread across topology - domains. Scheduler will schedule pods in a way which abides by the constraints. - All topologySpreadConstraints are ANDed. - items: - description: TopologySpreadConstraint specifies how to spread - matching pods among the given topology. - properties: - labelSelector: - description: |- - LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine the number of pods - in their corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". 
The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select the pods over which - spreading will be calculated. The keys are used to lookup values from the - incoming pod labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading will be calculated - for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't set. - Keys that don't exist in the incoming pod labels will - be ignored. A null or empty list means only match against labelSelector. - - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - description: |- - MaxSkew describes the degree to which pods may be unevenly distributed. - When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference - between the number of matching pods in the target topology and the global minimum. - The global minimum is the minimum number of matching pods in an eligible domain - or zero if the number of eligible domains is less than MinDomains. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 2/2/1: - In this case, the global minimum is 1. - | zone1 | zone2 | zone3 | - | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; - scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - - if MaxSkew is 2, incoming pod can be scheduled onto any zone. - When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence - to topologies that satisfy it. - It's a required field. Default value is 1 and 0 is not allowed. 
- format: int32 - type: integer - minDomains: - description: |- - MinDomains indicates a minimum number of eligible domains. - When the number of eligible domains with matching topology keys is less than minDomains, - Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. - And when the number of eligible domains with matching topology keys equals or greater than minDomains, - this value has no effect on scheduling. - As a result, when the number of eligible domains is less than minDomains, - scheduler won't schedule more than maxSkew Pods to those domains. - If value is nil, the constraint behaves as if MinDomains is equal to 1. - Valid values are integers greater than 0. - When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same - labelSelector spread as 2/2/2: - | zone1 | zone2 | zone3 | - | P P | P P | P P | - The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. - In this situation, new pod with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. - format: int32 - type: integer - nodeAffinityPolicy: - description: |- - NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. Options are: - - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - - If this value is nil, the behavior is equivalent to the Honor policy. - type: string - nodeTaintsPolicy: - description: |- - NodeTaintsPolicy indicates how we will treat node taints when calculating - pod topology spread skew. 
Options are: - - Honor: nodes without taints, along with tainted nodes for which the incoming pod - has a toleration, are included. - - Ignore: node taints are ignored. All nodes are included. - - If this value is nil, the behavior is equivalent to the Ignore policy. - type: string - topologyKey: - description: |- - TopologyKey is the key of node labels. Nodes that have a label with this key - and identical values are considered to be in the same topology. - We consider each as a "bucket", and try to put balanced number - of pods into each bucket. - We define a domain as a particular instance of a topology. - Also, we define an eligible domain as a domain whose nodes meet the requirements of - nodeAffinityPolicy and nodeTaintsPolicy. - e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. - And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. - It's a required field. - type: string - whenUnsatisfiable: - description: |- - WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy - the spread constraint. - - DoNotSchedule (default) tells the scheduler not to schedule it. - - ScheduleAnyway tells the scheduler to schedule the pod in any location, - but giving higher precedence to topologies that would help reduce the - skew. - A constraint is considered "Unsatisfiable" for an incoming pod - if and only if every possible node assignment for that pod would violate - "MaxSkew" on some topology. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: - | zone1 | zone2 | zone3 | - | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled - to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler - won't make it *more* imbalanced. - It's a required field. 
- type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - x-kubernetes-list-map-keys: - - topologyKey - - whenUnsatisfiable - x-kubernetes-list-type: map - volumes: - description: |- - List of volumes that can be mounted by containers belonging to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes - items: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree - awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: |- - azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. - Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type - are redirected to the disk.csi.azure.com CSI driver. - properties: - cachingMode: - description: 'cachingMode is the Host Caching mode: - None, Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data disk - in the blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in - the blob storage - type: string - fsType: - default: ext4 - description: |- - fsType is Filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: multiple - blob disks per storage account Dedicated: single - blob disk per storage account Managed: azure - managed data disk (only in managed availability - set). defaults to shared' - type: string - readOnly: - default: false - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: |- - azureFile represents an Azure File Service mount on the host and bind mount to the pod. - Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type - are redirected to the file.csi.azure.com CSI driver. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. 
- type: boolean - secretName: - description: secretName is the name of secret that - contains Azure Storage Account Name and Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: |- - cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. - Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - path: - description: 'path is Optional: Used as the mounted - root, rather than the full Ceph tree, default - is /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - Deprecated: Cinder is deprecated. All operations for the in-tree cinder type - are redirected to the cinder.csi.openstack.org CSI driver. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. 
- More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that should - populate this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers. - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. - type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about - the pod that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing the - pod field - properties: - fieldRef: - description: 'Required: Selects a field of - the pod: only annotations, labels, name, - namespace and uid are supported.' - properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. 
- type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' path. - Must be utf-8 encoded. The first item of - the relative path must not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. 
- The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. - The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. 
- properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. 
For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over - volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. 
- If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource - that is attached to a kubelet's host machine and then - exposed to the pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target - worldwide names (WWNs)' - items: - type: string - type: array - x-kubernetes-list-type: atomic - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. 
- properties: - driver: - description: driver is the name of the driver to - use for this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. - type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field holds - extra command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: |- - flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. - Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. 
- This is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree - gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - Deprecated: GitRepo is deprecated. 
To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the - specified revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. - Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - properties: - endpoints: - description: endpoints is the endpoint name that - details Glusterfs topology. - type: string - path: - description: |- - path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - image: - description: |- - image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. - The volume is resolved at pod startup depending on which PullPolicy value is provided: - - - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - - The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. - A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. - The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. - The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. - The volume will be mounted read-only (ro) and non-executable files (noexec). - Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. - The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. 
- properties: - pullPolicy: - description: |- - Policy for pulling OCI objects. Possible values are: - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - type: string - reference: - description: |- - Required: Image or artifact reference to be used. - Behaves in the same way as pod.spec.containers[*].image. - Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether support - iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support - iSCSI Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified Name. - type: string - iscsiInterface: - default: default - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - x-kubernetes-list-type: atomic - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for iSCSI - target and initiator authentication - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: |- - photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. - Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. 
"ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon - Controller persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: |- - portworxVolume represents a portworx volume attached and mounted on kubelets host machine. - Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type - are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate - is on. - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources - secrets, configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: |- - sources is the list of volume projections. Each entry in this list - handles one source. - items: - description: |- - Projection that may be projected along with other supported volume types. - Exactly one of these fields must be set. 
- properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is a - list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the volume - root to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about the - configMap data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. 
Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a - path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether - the ConfigMap or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about - the downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects - a field of the pod: only annotations, - labels, name, namespace and uid - are supported.' 
- properties: - apiVersion: - description: Version of the - schema the FieldPath is written - in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file - to be created. Must not be absolute - or contain the ''..'' path. Must - be utf-8 encoded. The first item - of the relative path must not - start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podCertificate: - description: |- - Projects an auto-rotating credential bundle (private key and certificate - chain) that the pod can use either as a TLS client or server. - - Kubelet generates a private key and uses it to send a - PodCertificateRequest to the named signer. Once the signer approves the - request and issues a certificate chain, Kubelet writes the key and - certificate chain to the pod filesystem. The pod does not start until - certificates have been issued for each podCertificate projected volume - source in its spec. - - Kubelet will begin trying to rotate the certificate at the time indicated - by the signer using the PodCertificateRequest.Status.BeginRefreshAt - timestamp. - - Kubelet can write a single file, indicated by the credentialBundlePath - field, or separate files, indicated by the keyPath and - certificateChainPath fields. - - The credential bundle is a single file in PEM format. The first PEM - entry is the private key (in PKCS#8 format), and the remaining PEM - entries are the certificate chain issued by the signer (typically, - signers will return their certificate chain in leaf-to-root order). - - Prefer using the credential bundle format, since your application code - can read it atomically. 
If you use keyPath and certificateChainPath, - your application must make two separate file reads. If these coincide - with a certificate rotation, it is possible that the private key and leaf - certificate you read may not correspond to each other. Your application - will need to check for this condition, and re-read until they are - consistent. - - The named signer controls chooses the format of the certificate it - issues; consult the signer implementation's documentation to learn how to - use the certificates it issues. - properties: - certificateChainPath: - description: |- - Write the certificate chain at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - credentialBundlePath: - description: |- - Write the credential bundle at this path in the projected volume. - - The credential bundle is a single file that contains multiple PEM blocks. - The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private - key. - - The remaining blocks are CERTIFICATE blocks, containing the issued - certificate chain from the signer (leaf and any intermediates). - - Using credentialBundlePath lets your Pod's application code make a single - atomic read that retrieves a consistent key and certificate chain. If you - project them to separate files, your application code will need to - additionally check that the leaf certificate was issued to the key. - type: string - keyPath: - description: |- - Write the key at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. 
- type: string - keyType: - description: |- - The type of keypair Kubelet will generate for the pod. - - Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", - "ECDSAP521", and "ED25519". - type: string - maxExpirationSeconds: - description: |- - maxExpirationSeconds is the maximum lifetime permitted for the - certificate. - - Kubelet copies this value verbatim into the PodCertificateRequests it - generates for this projection. - - If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver - will reject values shorter than 3600 (1 hour). The maximum allowable - value is 7862400 (91 days). - - The signer implementation is then free to issue a certificate with any - lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 - seconds (1 hour). This constraint is enforced by kube-apiserver. - `kubernetes.io` signers will never issue certificates with a lifetime - longer than 24 hours. - format: int32 - type: integer - signerName: - description: Kubelet's generated CSRs - will be addressed to this signer. - type: string - required: - - keyType - - signerName - type: object - secret: - description: secret information about the - secret data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a - path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. 
- Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify whether - the Secret or its key must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information - about the serviceAccountToken data to project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. 
The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - quobyte: - description: |- - quobyte represents a Quobyte mount on the host that shares a pod's lifetime. - Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. - type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references - an already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. - Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. 
- Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - default: /etc/ceph/keyring - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - pool: - default: rbd - description: |- - pool is the rados pool name. - Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - default: admin - description: |- - user is the rados user name. - Default is admin. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: |- - scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. - Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. - properties: - fsType: - default: xfs - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the - ScaleIO API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the - ScaleIO Protection Domain for the configured storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL - communication with Gateway, default false - type: boolean - storageMode: - default: ThinProvisioned - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage - Pool associated with the protection domain. 
- type: string - system: - description: system is the name of the storage system - as configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
- YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the - Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: |- - storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. - Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: |- - vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. - Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type - are redirected to the csi.vsphere.vmware.com CSI driver. - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy - Based Management (SPBM) profile ID associated - with the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage Policy - Based Management (SPBM) profile name. 
- type: string - volumePath: - description: volumePath is the path that identifies - vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - containers - type: object - type: object - type: - default: rw - description: 'Type of service to forward traffic to. Default: `rw`.' - enum: - - rw - - ro - - r - type: string - required: - - cluster - - pgbouncer - type: object - status: - description: |- - Most recently observed status of the Pooler. This data may not be up to - date. Populated by the system. Read-only. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - instances: - description: The number of pods trying to be scheduled - format: int32 - type: integer - secrets: - description: The resource version of the config object - properties: - clientCA: - description: The client CA secret version - properties: - name: - description: The name of the secret - type: string - version: - description: The ResourceVersion of the secret - type: string - type: object - pgBouncerSecrets: - description: The version of the secrets used by PgBouncer - properties: - authQuery: - description: The auth query secret version - properties: - name: - description: The name of the secret - type: string - version: - description: The ResourceVersion of the secret - type: string - type: object - type: object - serverCA: - description: The server CA secret version - properties: - name: - description: The name of the secret - type: string - version: - description: The ResourceVersion of the secret - type: string - type: object - serverTLS: - description: The server TLS secret version - properties: - name: - description: The name of the secret - type: string - version: - description: The ResourceVersion of the secret - type: string - type: object - type: object - 
type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - scale: - specReplicasPath: .spec.instances - statusReplicasPath: .status.instances - status: {} ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/crds/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: publications.postgresql.cnpg.io -spec: - group: postgresql.cnpg.io - names: - kind: Publication - listKind: PublicationList - plural: publications - singular: publication - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.cluster.name - name: Cluster - type: string - - jsonPath: .spec.name - name: PG Name - type: string - - jsonPath: .status.applied - name: Applied - type: boolean - - description: Latest reconciliation message - jsonPath: .status.message - name: Message - type: string - name: v1 - schema: - openAPIV3Schema: - description: Publication is the Schema for the publications API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PublicationSpec defines the desired state of Publication - properties: - cluster: - description: The name of the PostgreSQL cluster that identifies the - "publisher" - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - dbname: - description: |- - The name of the database where the publication will be installed in - the "publisher" cluster - type: string - x-kubernetes-validations: - - message: dbname is immutable - rule: self == oldSelf - name: - description: The name of the publication inside PostgreSQL - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - parameters: - additionalProperties: - type: string - description: |- - Publication parameters part of the `WITH` clause as expected by - PostgreSQL `CREATE PUBLICATION` command - type: object - publicationReclaimPolicy: - default: retain - description: The policy for end-of-life maintenance of this publication - enum: - - delete - - retain - type: string - target: - description: Target of the publication as expected by PostgreSQL `CREATE - PUBLICATION` command - properties: - allTables: - description: |- - Marks the publication as one that replicates changes for all tables - in the database, including tables created in the future. - Corresponding to `FOR ALL TABLES` in PostgreSQL. 
- type: boolean - x-kubernetes-validations: - - message: allTables is immutable - rule: self == oldSelf - objects: - description: Just the following schema objects - items: - description: PublicationTargetObject is an object to publish - properties: - table: - description: |- - Specifies a list of tables to add to the publication. Corresponding - to `FOR TABLE` in PostgreSQL. - properties: - columns: - description: The columns to publish - items: - type: string - type: array - name: - description: The table name - type: string - only: - description: Whether to limit to the table only or include - all its descendants - type: boolean - schema: - description: The schema name - type: string - required: - - name - type: object - tablesInSchema: - description: |- - Marks the publication as one that replicates changes for all tables - in the specified list of schemas, including tables created in the - future. Corresponding to `FOR TABLES IN SCHEMA` in PostgreSQL. - type: string - type: object - x-kubernetes-validations: - - message: tablesInSchema and table are mutually exclusive - rule: (has(self.tablesInSchema) && !has(self.table)) || (!has(self.tablesInSchema) - && has(self.table)) - maxItems: 100000 - type: array - x-kubernetes-validations: - - message: specifying a column list when the publication also - publishes tablesInSchema is not supported - rule: '!(self.exists(o, has(o.table) && has(o.table.columns)) - && self.exists(o, has(o.tablesInSchema)))' - type: object - x-kubernetes-validations: - - message: allTables and objects are mutually exclusive - rule: (has(self.allTables) && !has(self.objects)) || (!has(self.allTables) - && has(self.objects)) - required: - - cluster - - dbname - - name - - target - type: object - status: - description: PublicationStatus defines the observed state of Publication - properties: - applied: - description: Applied is true if the publication was reconciled correctly - type: boolean - message: - description: Message is the 
reconciliation output message - type: string - observedGeneration: - description: |- - A sequence number representing the latest - desired state that was synchronized - format: int64 - type: integer - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/crds/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: scheduledbackups.postgresql.cnpg.io -spec: - group: postgresql.cnpg.io - names: - kind: ScheduledBackup - listKind: ScheduledBackupList - plural: scheduledbackups - singular: scheduledbackup - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.cluster.name - name: Cluster - type: string - - jsonPath: .status.lastScheduleTime - name: Last Backup - type: date - name: v1 - schema: - openAPIV3Schema: - description: ScheduledBackup is the Schema for the scheduledbackups API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Specification of the desired behavior of the ScheduledBackup. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - backupOwnerReference: - default: none - description: |- - Indicates which ownerReference should be put inside the created backup resources.
- - none: no owner reference for created backup objects (same behavior as before the field was introduced)
- - self: sets the Scheduled backup object as owner of the backup
- - cluster: set the cluster as owner of the backup
- enum: - - none - - self - - cluster - type: string - cluster: - description: The cluster to backup - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - immediate: - description: If the first backup has to be immediately start after - creation or not - type: boolean - method: - default: barmanObjectStore - description: |- - The backup method to be used, possible options are `barmanObjectStore`, - `volumeSnapshot` or `plugin`. Defaults to: `barmanObjectStore`. - enum: - - barmanObjectStore - - volumeSnapshot - - plugin - type: string - online: - description: |- - Whether the default type of backup with volume snapshots is - online/hot (`true`, default) or offline/cold (`false`) - Overrides the default setting specified in the cluster field '.spec.backup.volumeSnapshot.online' - type: boolean - onlineConfiguration: - description: |- - Configuration parameters to control the online/hot backup with volume snapshots - Overrides the default settings specified in the cluster '.backup.volumeSnapshot.onlineConfiguration' stanza - properties: - immediateCheckpoint: - description: |- - Control whether the I/O workload for the backup initial checkpoint will - be limited, according to the `checkpoint_completion_target` setting on - the PostgreSQL server. If set to true, an immediate checkpoint will be - used, meaning PostgreSQL will complete the checkpoint as soon as - possible. `false` by default. - type: boolean - waitForArchive: - default: true - description: |- - If false, the function will return immediately after the backup is completed, - without waiting for WAL to be archived. - This behavior is only useful with backup software that independently monitors WAL archiving. - Otherwise, WAL required to make the backup consistent might be missing and make the backup useless. - By default, or when this parameter is true, pg_backup_stop will wait for WAL to be archived when archiving is - enabled. 
- On a standby, this means that it will wait only when archive_mode = always. - If write activity on the primary is low, it may be useful to run pg_switch_wal on the primary in order to trigger - an immediate segment switch. - type: boolean - type: object - pluginConfiguration: - description: Configuration parameters passed to the plugin managing - this backup - properties: - name: - description: Name is the name of the plugin managing this backup - type: string - parameters: - additionalProperties: - type: string - description: |- - Parameters are the configuration parameters passed to the backup - plugin for this backup - type: object - required: - - name - type: object - schedule: - description: |- - The schedule does not follow the same format used in Kubernetes CronJobs - as it includes an additional seconds specifier, - see https://pkg.go.dev/github.com/robfig/cron#hdr-CRON_Expression_Format - type: string - suspend: - description: If this backup is suspended or not - type: boolean - target: - description: |- - The policy to decide which instance should perform this backup. If empty, - it defaults to `cluster.spec.backup.target`. - Available options are empty string, `primary` and `prefer-standby`. - `primary` to have backups run always on primary instances, - `prefer-standby` to have backups run preferably on the most updated - standby, if available. - enum: - - primary - - prefer-standby - type: string - required: - - cluster - - schedule - type: object - status: - description: |- - Most recently observed status of the ScheduledBackup. This data may not be up - to date. Populated by the system. Read-only. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - lastCheckTime: - description: The latest time the schedule - format: date-time - type: string - lastScheduleTime: - description: Information when was the last time that backup was successfully - scheduled. 
- format: date-time - type: string - nextScheduleTime: - description: Next time we will run a backup - format: date-time - type: string - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/crds/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: subscriptions.postgresql.cnpg.io -spec: - group: postgresql.cnpg.io - names: - kind: Subscription - listKind: SubscriptionList - plural: subscriptions - singular: subscription - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.cluster.name - name: Cluster - type: string - - jsonPath: .spec.name - name: PG Name - type: string - - jsonPath: .status.applied - name: Applied - type: boolean - - description: Latest reconciliation message - jsonPath: .status.message - name: Message - type: string - name: v1 - schema: - openAPIV3Schema: - description: Subscription is the Schema for the subscriptions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SubscriptionSpec defines the desired state of Subscription - properties: - cluster: - description: The name of the PostgreSQL cluster that identifies the - "subscriber" - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - dbname: - description: |- - The name of the database where the publication will be installed in - the "subscriber" cluster - type: string - x-kubernetes-validations: - - message: dbname is immutable - rule: self == oldSelf - externalClusterName: - description: The name of the external cluster with the publication - ("publisher") - type: string - name: - description: The name of the subscription inside PostgreSQL - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - parameters: - additionalProperties: - type: string - description: |- - Subscription parameters included in the `WITH` clause of the PostgreSQL - `CREATE SUBSCRIPTION` command. Most parameters cannot be changed - after the subscription is created and will be ignored if modified - later, except for a limited set documented at: - https://www.postgresql.org/docs/current/sql-altersubscription.html#SQL-ALTERSUBSCRIPTION-PARAMS-SET - type: object - publicationDBName: - description: |- - The name of the database containing the publication on the external - cluster. Defaults to the one in the external cluster definition. 
- type: string - publicationName: - description: |- - The name of the publication inside the PostgreSQL database in the - "publisher" - type: string - subscriptionReclaimPolicy: - default: retain - description: The policy for end-of-life maintenance of this subscription - enum: - - delete - - retain - type: string - required: - - cluster - - dbname - - externalClusterName - - name - - publicationName - type: object - status: - description: SubscriptionStatus defines the observed state of Subscription - properties: - applied: - description: Applied is true if the subscription was reconciled correctly - type: boolean - message: - description: Message is the reconciliation output message - type: string - observedGeneration: - description: |- - A sequence number representing the latest - desired state that was synchronized - format: int64 - type: integer - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/crds/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: objectstores.barmancloud.cnpg.io -spec: - group: barmancloud.cnpg.io - names: - kind: ObjectStore - listKind: ObjectStoreList - plural: objectstores - singular: objectstore - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: ObjectStore is the Schema for the objectstores API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Specification of the desired behavior of the ObjectStore. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - configuration: - description: The configuration for the barman-cloud tool suite - properties: - azureCredentials: - description: The credentials to use to upload data to Azure Blob - Storage - properties: - connectionString: - description: The connection string to be used - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - inheritFromAzureAD: - description: Use the Azure AD based authentication without - providing explicitly the keys. - type: boolean - storageAccount: - description: The storage account where to upload data - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - storageKey: - description: |- - The storage account key to be used in conjunction - with the storage account name - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. 
- type: string - required: - - key - - name - type: object - storageSasToken: - description: |- - A shared-access-signature to be used in conjunction with - the storage account name - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - type: object - data: - description: |- - The configuration to be used to backup the data files - When not defined, base backups files will be stored uncompressed and may - be unencrypted in the object store, according to the bucket default - policy. - properties: - additionalCommandArgs: - description: |- - AdditionalCommandArgs represents additional arguments that can be appended - to the 'barman-cloud-backup' command-line invocation. These arguments - provide flexibility to customize the backup process further according to - specific requirements or configurations. - - Example: - In a scenario where specialized backup options are required, such as setting - a specific timeout or defining custom behavior, users can use this field - to specify additional command arguments. - - Note: - It's essential to ensure that the provided arguments are valid and supported - by the 'barman-cloud-backup' command, to avoid potential errors or unintended - behavior during execution. - items: - type: string - type: array - compression: - description: |- - Compress a backup file (a tar file per tablespace) while streaming it - to the object store. Available options are empty string (no - compression, default), `gzip`, `bzip2`, and `snappy`. - enum: - - bzip2 - - gzip - - snappy - type: string - encryption: - description: |- - Whenever to force the encryption of files (if the bucket is - not already configured for that). 
- Allowed options are empty string (use the bucket policy, default), - `AES256` and `aws:kms` - enum: - - AES256 - - aws:kms - type: string - immediateCheckpoint: - description: |- - Control whether the I/O workload for the backup initial checkpoint will - be limited, according to the `checkpoint_completion_target` setting on - the PostgreSQL server. If set to true, an immediate checkpoint will be - used, meaning PostgreSQL will complete the checkpoint as soon as - possible. `false` by default. - type: boolean - jobs: - description: |- - The number of parallel jobs to be used to upload the backup, defaults - to 2 - format: int32 - minimum: 1 - type: integer - type: object - destinationPath: - description: |- - The path where to store the backup (i.e. s3://bucket/path/to/folder) - this path, with different destination folders, will be used for WALs - and for data - minLength: 1 - type: string - endpointCA: - description: |- - EndpointCA store the CA bundle of the barman endpoint. - Useful when using self-signed certificates to avoid - errors with certificate issuer and barman-cloud-wal-archive - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - endpointURL: - description: |- - Endpoint to be used to upload data to the cloud, - overriding the automatic endpoint discovery - type: string - googleCredentials: - description: The credentials to use to upload data to Google Cloud - Storage - properties: - applicationCredentials: - description: The secret containing the Google Cloud Storage - JSON file with the credentials - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - gkeEnvironment: - description: |- - If set to true, will presume that it's running inside a GKE environment, - default to false. 
- type: boolean - type: object - historyTags: - additionalProperties: - type: string - description: |- - HistoryTags is a list of key value pairs that will be passed to the - Barman --history-tags option. - type: object - s3Credentials: - description: The credentials to use to upload data to S3 - properties: - accessKeyId: - description: The reference to the access key id - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - inheritFromIAMRole: - description: Use the role based authentication without providing - explicitly the keys. - type: boolean - region: - description: The reference to the secret containing the region - name - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - secretAccessKey: - description: The reference to the secret access key - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - sessionToken: - description: The references to the session key - properties: - key: - description: The key to select - type: string - name: - description: Name of the referent. - type: string - required: - - key - - name - type: object - type: object - serverName: - description: |- - The server name on S3, the cluster name is used if this - parameter is omitted - type: string - tags: - additionalProperties: - type: string - description: |- - Tags is a list of key value pairs that will be passed to the - Barman --tags option. - type: object - wal: - description: |- - The configuration for the backup of the WAL stream. - When not defined, WAL files will be stored uncompressed and may be - unencrypted in the object store, according to the bucket default policy. 
- properties: - archiveAdditionalCommandArgs: - description: |- - Additional arguments that can be appended to the 'barman-cloud-wal-archive' - command-line invocation. These arguments provide flexibility to customize - the WAL archive process further, according to specific requirements or configurations. - - Example: - In a scenario where specialized backup options are required, such as setting - a specific timeout or defining custom behavior, users can use this field - to specify additional command arguments. - - Note: - It's essential to ensure that the provided arguments are valid and supported - by the 'barman-cloud-wal-archive' command, to avoid potential errors or unintended - behavior during execution. - items: - type: string - type: array - compression: - description: |- - Compress a WAL file before sending it to the object store. Available - options are empty string (no compression, default), `gzip`, `bzip2`, - `lz4`, `snappy`, `xz`, and `zstd`. - enum: - - bzip2 - - gzip - - lz4 - - snappy - - xz - - zstd - type: string - encryption: - description: |- - Whenever to force the encryption of files (if the bucket is - not already configured for that). - Allowed options are empty string (use the bucket policy, default), - `AES256` and `aws:kms` - enum: - - AES256 - - aws:kms - type: string - maxParallel: - description: |- - Number of WAL files to be either archived in parallel (when the - PostgreSQL instance is archiving to a backup object store) or - restored in parallel (when a PostgreSQL standby is fetching WAL - files from a recovery object store). If not specified, WAL files - will be processed one at a time. It accepts a positive integer as a - value - with 1 being the minimum accepted value. - minimum: 1 - type: integer - restoreAdditionalCommandArgs: - description: |- - Additional arguments that can be appended to the 'barman-cloud-wal-restore' - command-line invocation. 
These arguments provide flexibility to customize - the WAL restore process further, according to specific requirements or configurations. - - Example: - In a scenario where specialized backup options are required, such as setting - a specific timeout or defining custom behavior, users can use this field - to specify additional command arguments. - - Note: - It's essential to ensure that the provided arguments are valid and supported - by the 'barman-cloud-wal-restore' command, to avoid potential errors or unintended - behavior during execution. - items: - type: string - type: array - type: object - required: - - destinationPath - type: object - x-kubernetes-validations: - - fieldPath: .serverName - message: use the 'serverName' plugin parameter in the Cluster resource - reason: FieldValueForbidden - rule: '!has(self.serverName)' - instanceSidecarConfiguration: - description: The configuration for the sidecar that runs in the instance - pods - properties: - additionalContainerArgs: - description: |- - AdditionalContainerArgs is an optional list of command-line arguments - to be passed to the sidecar container when it starts. - The provided arguments are appended to the container’s default arguments. - items: - type: string - type: array - x-kubernetes-validations: - - message: do not set --log-level in additionalContainerArgs; - use spec.instanceSidecarConfiguration.logLevel - reason: FieldValueForbidden - rule: '!self.exists(a, a.startsWith(''--log-level''))' - env: - description: The environment to be explicitly passed to the sidecar - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. 
If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. 
- The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. - If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount containing - the env file. - type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. 
Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - logLevel: - default: info - description: 'The log level for PostgreSQL instances. Valid values - are: `error`, `warning`, `info` (default), `debug`, `trace`' - enum: - - error - - warning - - info - - debug - - trace - type: string - resources: - description: Resources define cpu/memory requests and limits for - the sidecar that runs in the instance pods. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - retentionPolicyIntervalSeconds: - default: 1800 - description: |- - The retentionCheckInterval defines the frequency at which the - system checks and enforces retention policies. - type: integer - type: object - retentionPolicy: - description: |- - RetentionPolicy is the retention policy to be used for backups - and WALs (i.e. '60d'). The retention policy is expressed in the form - of `XXu` where `XX` is a positive integer and `u` is in `[dwm]` - - days, weeks, months. - pattern: ^[1-9][0-9]*[dwm]$ - type: string - required: - - configuration - type: object - status: - description: |- - Most recently observed status of the ObjectStore. This data may not be up to - date. Populated by the system. Read-only. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - serverRecoveryWindow: - additionalProperties: - description: |- - RecoveryWindow represents the time span between the first - recoverability point and the last successful backup of a PostgreSQL - server, defining the period during which data can be restored. - properties: - firstRecoverabilityPoint: - description: |- - The first recoverability point in a PostgreSQL server refers to - the earliest point in time to which the database can be - restored. - format: date-time - type: string - lastFailedBackupTime: - description: The last failed backup time - format: date-time - type: string - lastSuccessfulBackupTime: - description: The last successful backup time - format: date-time - type: string - type: object - description: ServerRecoveryWindow maps each server to its recovery - window - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cloudnative-pg - labels: - helm.sh/chart: cloudnative-pg-0.26.1 - app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - get - - patch -- apiGroups: - - postgresql.cnpg.io - resources: - - clusterimagecatalogs - verbs: - - get - - list - - watch - -- apiGroups: - - "" - resources: - - configmaps - - secrets - - services - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - 
configmaps/status - - secrets/status - verbs: - - get - - patch - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - persistentvolumeclaims - - pods - - pods/exec - verbs: - - create - - delete - - get - - list - - patch - - watch -- apiGroups: - - "" - resources: - - pods/status - verbs: - - get -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - apps - resources: - - deployments - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - get - - list - - patch - - watch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - update -- apiGroups: - - monitoring.coreos.com - resources: - - podmonitors - verbs: - - create - - delete - - get - - list - - patch - - watch -- apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - postgresql.cnpg.io - resources: - - backups - - clusters - - databases - - poolers - - publications - - scheduledbackups - - subscriptions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - postgresql.cnpg.io - resources: - - failoverquorums - verbs: - - create - - delete - - get - - list - - watch -- apiGroups: - - postgresql.cnpg.io - resources: - - backups/status - - databases/status - - publications/status - - scheduledbackups/status - - subscriptions/status - verbs: - - get - - patch - - update -- apiGroups: - - postgresql.cnpg.io - resources: - - imagecatalogs - verbs: - - get - - list - - watch -- apiGroups: - - postgresql.cnpg.io - resources: - - clusters/finalizers - - poolers/finalizers - verbs: - - update -- apiGroups: - - postgresql.cnpg.io - resources: - - clusters/status - - poolers/status - - 
failoverquorums/status - verbs: - - get - - patch - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - - roles - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - verbs: - - create - - get - - list - - patch - - watch ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cloudnative-pg-view - labels: - helm.sh/chart: cloudnative-pg-0.26.1 - app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - postgresql.cnpg.io - resources: - - backups - - clusters - - clusters/status - - databases - - failoverquorums - - poolers - - publications - - scheduledbackups - - imagecatalogs - - clusterimagecatalogs - - subscriptions - verbs: - - get - - list - - watch ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cloudnative-pg-edit - labels: - helm.sh/chart: cloudnative-pg-0.26.1 - app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - postgresql.cnpg.io - resources: - - backups - - clusters - - clusters/status - - databases - - failoverquorums - - poolers - - publications - - scheduledbackups - - imagecatalogs - - clusterimagecatalogs - - subscriptions - verbs: - - create - - delete - - deletecollection - - patch - - update ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cloudnative-pg-plugin-barman-cloud -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - 
delete - - get - - list - - watch -- apiGroups: - - barmancloud.cnpg.io - resources: - - objectstores - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - barmancloud.cnpg.io - resources: - - objectstores/finalizers - verbs: - - update -- apiGroups: - - barmancloud.cnpg.io - resources: - - objectstores/status - verbs: - - get - - patch - - update -- apiGroups: - - postgresql.cnpg.io - resources: - - backups - verbs: - - get - - list - - watch -- apiGroups: - - postgresql.cnpg.io - resources: - - clusters/finalizers - verbs: - - update -- apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - - roles - verbs: - - create - - get - - list - - patch - - update - - watch ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cloudnative-pg - labels: - helm.sh/chart: cloudnative-pg-0.26.1 - app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cloudnative-pg -subjects: -- kind: ServiceAccount - name: cloudnative-pg - namespace: cloudnative-pg ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - helm.sh/chart: plugin-barman-cloud-0.3.1 - app.kubernetes.io/name: plugin-barman-cloud - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "v0.9.0" - app.kubernetes.io/managed-by: Helm - name: cloudnative-pg-plugin-barman-cloud-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cloudnative-pg-plugin-barman-cloud -subjects: -- kind: ServiceAccount - name: cloudnative-pg-plugin-barman-cloud - namespace: cloudnative-pg ---- -# Source: 
cloudnative-pg/charts/plugin-barman-cloud/templates/additional-rbac/leader_election.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - helm.sh/chart: plugin-barman-cloud-0.3.1 - app.kubernetes.io/name: plugin-barman-cloud - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "v0.9.0" - app.kubernetes.io/managed-by: Helm - name: cloudnative-pg-plugin-barman-cloud-leader-election-role - namespace: cloudnative-pg -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/additional-rbac/leader_election.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - helm.sh/chart: plugin-barman-cloud-0.3.1 - app.kubernetes.io/name: plugin-barman-cloud - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "v0.9.0" - app.kubernetes.io/managed-by: Helm - name: cloudnative-pg-plugin-barman-cloud-leader-election-rolebinding - namespace: cloudnative-pg -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cloudnative-pg-plugin-barman-cloud-leader-election-role -subjects: -- kind: ServiceAccount - name: cloudnative-pg-plugin-barman-cloud - namespace: cloudnative-pg ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: cnpg-webhook-service - namespace: cloudnative-pg - labels: - helm.sh/chart: cloudnative-pg-0.26.1 - app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: 
webhook-server - name: webhook-server - selector: - app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/instance: cloudnative-pg ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - helm.sh/chart: plugin-barman-cloud-0.3.1 - app.kubernetes.io/name: plugin-barman-cloud - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "v0.9.0" - app.kubernetes.io/managed-by: Helm - cnpg.io/pluginName: barman-cloud.cloudnative-pg.io - annotations: - cnpg.io/pluginClientSecret: barman-cloud-client-tls - cnpg.io/pluginPort: "9090" - cnpg.io/pluginServerSecret: barman-cloud-server-tls - name: barman-cloud - namespace: cloudnative-pg -spec: - ports: - - port: 9090 - protocol: TCP - targetPort: 9090 - selector: - app.kubernetes.io/name: plugin-barman-cloud - app.kubernetes.io/instance: cloudnative-pg ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cloudnative-pg - namespace: cloudnative-pg - labels: - helm.sh/chart: cloudnative-pg-0.26.1 - app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 2 - selector: - matchLabels: - app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/instance: cloudnative-pg - template: - metadata: - annotations: - checksum/rbac: ecc7ac52a42c48513234accf4bd785afb5889e77f0672f57c00b875960e3497a - checksum/config: c9268d2e1b50fbad8b125b152e51e44e51e393aef15b37b31b8ef35e60c039ec - checksum/monitoring-config: 5b7dc0c42a24b297d6f659777324c4105b8ce5e022ee55e973a2f3697f4e7702 - labels: - app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/instance: cloudnative-pg - spec: - containers: - - args: - - controller - - --leader-elect - - --max-concurrent-reconciles=10 - - --config-map-name=cnpg-controller-manager-config - - --webhook-port=9443 
- command: - - /manager - env: - - name: OPERATOR_IMAGE_NAME - value: "ghcr.io/cloudnative-pg/cloudnative-pg:1.27.1" - - name: OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MONITORING_QUERIES_CONFIGMAP - value: "cnpg-default-monitoring" - image: "ghcr.io/cloudnative-pg/cloudnative-pg:1.27.1" - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /readyz - port: 9443 - scheme: HTTPS - initialDelaySeconds: 3 - name: manager - ports: - - containerPort: 8080 - name: metrics - protocol: TCP - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 9443 - scheme: HTTPS - initialDelaySeconds: 3 - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 10001 - runAsUser: 10001 - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: 9443 - scheme: HTTPS - periodSeconds: 5 - volumeMounts: - - mountPath: /controller - name: scratch-data - - mountPath: /run/secrets/cnpg.io/webhook - name: webhook-certificates - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - serviceAccountName: cloudnative-pg - terminationGracePeriodSeconds: 10 - volumes: - - emptyDir: {} - name: scratch-data - - name: webhook-certificates - secret: - defaultMode: 420 - optional: true - secretName: cnpg-webhook-cert ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - helm.sh/chart: plugin-barman-cloud-0.3.1 - app.kubernetes.io/name: plugin-barman-cloud - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "v0.9.0" - app.kubernetes.io/managed-by: Helm - name: cloudnative-pg-plugin-barman-cloud - namespace: cloudnative-pg -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: plugin-barman-cloud 
- app.kubernetes.io/instance: cloudnative-pg - # RollingUpdate strategy is not supported by the operator yet, so it can only use the Recreate strategy. - strategy: - type: Recreate - template: - metadata: - labels: - app.kubernetes.io/name: plugin-barman-cloud - app.kubernetes.io/instance: cloudnative-pg - spec: - containers: - - args: - - operator - - --server-cert=/server/tls.crt - - --server-key=/server/tls.key - - --client-cert=/client/tls.crt - - --server-address=:9090 - - --leader-elect - - --log-level=debug - env: - - name: SIDECAR_IMAGE - valueFrom: - configMapKeyRef: - key: SIDECAR_IMAGE - name: plugin-barman-cloud-config - image: "ghcr.io/cloudnative-pg/plugin-barman-cloud:v0.9.0" - name: barman-cloud - ports: - - containerPort: 9090 - protocol: TCP - readinessProbe: - initialDelaySeconds: 10 - periodSeconds: 10 - tcpSocket: - port: 9090 - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 10001 - runAsUser: 10001 - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /server - name: server - - mountPath: /client - name: client - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - serviceAccountName: cloudnative-pg-plugin-barman-cloud - volumes: - - name: server - secret: - secretName: barman-cloud-server-tls - - name: client - secret: - secretName: barman-cloud-client-tls ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/deployment.yaml -# -# Copyright © contributors to CloudNativePG, established as -# CloudNativePG a Series of LF Projects, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/monitoring-configmap.yaml -# -# Copyright © contributors to CloudNativePG, established as -# CloudNativePG a Series of LF Projects, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/mutatingwebhookconfiguration.yaml -# -# Copyright © contributors to CloudNativePG, established as -# CloudNativePG a Series of LF Projects, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/rbac.yaml -# -# Copyright © contributors to CloudNativePG, established as -# CloudNativePG a Series of LF Projects, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/service.yaml -# -# Copyright © contributors to CloudNativePG, established as -# CloudNativePG a Series of LF Projects, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/validatingwebhookconfiguration.yaml -# -# Copyright © contributors to CloudNativePG, established as -# CloudNativePG a Series of LF Projects, LLC. 
-# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/additional-rbac/leader_election.yaml -# -# Copyright © contributors to CloudNativePG, established as -# CloudNativePG a Series of LF Projects, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# -# permissions to do leader election. ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/certificate-issuer.yaml -# -# Copyright © contributors to CloudNativePG, established as -# CloudNativePG a Series of LF Projects, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/client-certificate.yaml -# -# Copyright © contributors to CloudNativePG, established as -# CloudNativePG a Series of LF Projects, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/configmap.yaml -# -# Copyright © contributors to CloudNativePG, established as -# CloudNativePG a Series of LF Projects, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/deployment.yaml -# -# Copyright © contributors to CloudNativePG, established as -# CloudNativePG a Series of LF Projects, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/rbac.yaml -# -# Copyright © contributors to CloudNativePG, established as -# CloudNativePG a Series of LF Projects, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/server-certificate.yaml -# -# Copyright © contributors to CloudNativePG, established as -# CloudNativePG a Series of LF Projects, LLC. 
-# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/service.yaml -# -# Copyright © contributors to CloudNativePG, established as -# CloudNativePG a Series of LF Projects, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
-# -# SPDX-License-Identifier: Apache-2.0 -# ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/client-certificate.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: barman-cloud-client - namespace: cloudnative-pg -spec: - commonName: barman-cloud-client - duration: 2160h - isCA: false - issuerRef: - group: cert-manager.io - kind: Issuer - name: cloudnative-pg-plugin-barman-cloud-selfsigned-issuer - renewBefore: 360h - secretName: barman-cloud-client-tls - usages: - - client auth - privateKey: - rotationPolicy: Always ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/server-certificate.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: barman-cloud-server - namespace: cloudnative-pg -spec: - commonName: barman-cloud - dnsNames: - - barman-cloud - duration: 2160h - isCA: false - issuerRef: - group: cert-manager.io - kind: Issuer - name: cloudnative-pg-plugin-barman-cloud-selfsigned-issuer - renewBefore: 360h - secretName: barman-cloud-server-tls - usages: - - server auth - privateKey: - rotationPolicy: Always ---- -# Source: cloudnative-pg/charts/plugin-barman-cloud/templates/certificate-issuer.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: cloudnative-pg-plugin-barman-cloud-selfsigned-issuer - namespace: cloudnative-pg -spec: - selfSigned: {} ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/mutatingwebhookconfiguration.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: cnpg-mutating-webhook-configuration - labels: - helm.sh/chart: cloudnative-pg-0.26.1 - app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" - app.kubernetes.io/managed-by: Helm -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: cnpg-webhook-service - namespace: cloudnative-pg - path: /mutate-postgresql-cnpg-io-v1-backup - port: 443 
- failurePolicy: Fail - name: mbackup.cnpg.io - rules: - - apiGroups: - - postgresql.cnpg.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - backups - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: cnpg-webhook-service - namespace: cloudnative-pg - path: /mutate-postgresql-cnpg-io-v1-cluster - port: 443 - failurePolicy: Fail - name: mcluster.cnpg.io - rules: - - apiGroups: - - postgresql.cnpg.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - clusters - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: cnpg-webhook-service - namespace: cloudnative-pg - path: /mutate-postgresql-cnpg-io-v1-database - port: 443 - failurePolicy: Fail - name: mdatabase.cnpg.io - rules: - - apiGroups: - - postgresql.cnpg.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - databases - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: cnpg-webhook-service - namespace: cloudnative-pg - path: /mutate-postgresql-cnpg-io-v1-scheduledbackup - port: 443 - failurePolicy: Fail - name: mscheduledbackup.cnpg.io - rules: - - apiGroups: - - postgresql.cnpg.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - scheduledbackups - sideEffects: None ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/podmonitor.yaml -# -# Copyright © contributors to CloudNativePG, established as -# CloudNativePG a Series of LF Projects, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: cloudnative-pg - namespace: cloudnative-pg - labels: - helm.sh/chart: cloudnative-pg-0.26.1 - app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/instance: cloudnative-pg - podMetricsEndpoints: - - port: metrics ---- -# Source: cloudnative-pg/charts/cloudnative-pg/templates/validatingwebhookconfiguration.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: cnpg-validating-webhook-configuration - labels: - helm.sh/chart: cloudnative-pg-0.26.1 - app.kubernetes.io/name: cloudnative-pg - app.kubernetes.io/instance: cloudnative-pg - app.kubernetes.io/version: "1.27.1" - app.kubernetes.io/managed-by: Helm -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: cnpg-webhook-service - namespace: cloudnative-pg - path: /validate-postgresql-cnpg-io-v1-backup - port: 443 - failurePolicy: Fail - name: vbackup.cnpg.io - rules: - - apiGroups: - - postgresql.cnpg.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - backups - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: cnpg-webhook-service - namespace: cloudnative-pg - path: /validate-postgresql-cnpg-io-v1-cluster - port: 443 - failurePolicy: Fail - name: vcluster.cnpg.io - rules: - - apiGroups: - - postgresql.cnpg.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - clusters - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: cnpg-webhook-service - namespace: cloudnative-pg - path: 
/validate-postgresql-cnpg-io-v1-scheduledbackup - port: 443 - failurePolicy: Fail - name: vscheduledbackup.cnpg.io - rules: - - apiGroups: - - postgresql.cnpg.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - scheduledbackups - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: cnpg-webhook-service - namespace: cloudnative-pg - path: /validate-postgresql-cnpg-io-v1-database - port: 443 - failurePolicy: Fail - name: vdatabase.cnpg.io - rules: - - apiGroups: - - postgresql.cnpg.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - databases - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: cnpg-webhook-service - namespace: cloudnative-pg - path: /validate-postgresql-cnpg-io-v1-pooler - port: 443 - failurePolicy: Fail - name: vpooler.cnpg.io - rules: - - apiGroups: - - postgresql.cnpg.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - poolers - sideEffects: None diff --git a/clusters/cl01tl/manifests/code-server/code-server.yaml b/clusters/cl01tl/manifests/code-server/code-server.yaml deleted file mode 100644 index 06716d7f1..000000000 --- a/clusters/cl01tl/manifests/code-server/code-server.yaml +++ /dev/null 
@@ -1,251 +0,0 @@ ---- -# Source: code-server/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: code-server-nfs-storage - namespace: code-server - labels: - app.kubernetes.io/name: code-server-nfs-storage - app.kubernetes.io/instance: code-server - app.kubernetes.io/part-of: code-server -spec: - volumeMode: Filesystem - storageClassName: nfs-client - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi ---- -# Source: code-server/charts/code-server/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: code-server - labels: - app.kubernetes.io/instance: code-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: code-server - app.kubernetes.io/service: code-server - helm.sh/chart: code-server-4.4.0 - namespace: code-server -spec: - type: ClusterIP - ports: - - port: 8443 - targetPort: 8443 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: code-server - app.kubernetes.io/name: code-server ---- -# Source: code-server/charts/cloudflared/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: code-server-cloudflared - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: code-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cloudflared - app.kubernetes.io/version: 2025.10.0 - helm.sh/chart: cloudflared-1.23.1 - namespace: code-server -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: cloudflared - app.kubernetes.io/instance: code-server - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: code-server - app.kubernetes.io/name: cloudflared - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: 
false - dnsPolicy: ClusterFirst - containers: - - args: - - tunnel - - --protocol - - http2 - - --no-autoupdate - - run - - --token - - $(CF_MANAGED_TUNNEL_TOKEN) - env: - - name: CF_MANAGED_TUNNEL_TOKEN - valueFrom: - secretKeyRef: - key: cf-tunnel-token - name: code-server-cloudflared-secret - image: cloudflare/cloudflared:2025.11.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: code-server/charts/code-server/templates/common.yaml ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: code-server - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: code-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: code-server - helm.sh/chart: code-server-4.4.0 - namespace: code-server -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: code-server - app.kubernetes.io/instance: code-server - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: code-server - app.kubernetes.io/name: code-server - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: PUID - value: "1000" - - name: PGID - value: "1000" - - name: DEFAULT_WORKSPACE - value: /config - envFrom: - - secretRef: - name: codeserver-password-secret - image: ghcr.io/linuxserver/code-server:4.106.3@sha256:aab9520fe923b2d93dccc2c806f3dc60649c2f4a2847fcd40c942227d0f1ae8f - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /config - name: config - volumes: - - name: config - persistentVolumeClaim: - claimName: code-server-nfs-storage ---- -# Source: 
code-server/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: codeserver-password-secret - namespace: code-server - labels: - app.kubernetes.io/name: codeserver-password-secret - app.kubernetes.io/instance: code-server - app.kubernetes.io/part-of: code-server -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/code-server/auth - metadataPolicy: None - property: PASSWORD - - secretKey: SUDO_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/code-server/auth - metadataPolicy: None - property: SUDO_PASSWORD ---- -# Source: code-server/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: code-server-cloudflared-secret - namespace: code-server - labels: - app.kubernetes.io/name: code-server-cloudflared-secret - app.kubernetes.io/instance: code-server - app.kubernetes.io/part-of: code-server -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: cf-tunnel-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/tunnels/codeserver - metadataPolicy: None - property: token ---- -# Source: code-server/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-code-server - namespace: code-server - labels: - app.kubernetes.io/name: http-route-code-server - app.kubernetes.io/instance: code-server - app.kubernetes.io/part-of: code-server -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - code-server.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: code-server - port: 8443 - weight: 100 
diff --git a/clusters/cl01tl/manifests/coredns/coredns.yaml b/clusters/cl01tl/manifests/coredns/coredns.yaml deleted file mode 100644 index 74cf3f594..000000000 --- a/clusters/cl01tl/manifests/coredns/coredns.yaml +++ /dev/null 
@@ -1,300 +0,0 @@ ---- -# Source: coredns/charts/coredns/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: coredns - namespace: kube-system - labels: - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/instance: "coredns" - helm.sh/chart: "coredns-1.45.0" - k8s-app: coredns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: "CoreDNS" - app.kubernetes.io/name: coredns ---- -# Source: coredns/charts/coredns/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: coredns - namespace: kube-system - labels: - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/instance: "coredns" - helm.sh/chart: "coredns-1.45.0" - k8s-app: coredns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: "CoreDNS" - app.kubernetes.io/name: coredns -data: - Corefile: |- - dns://.:53 { - errors - health { - lameduck 5s - } - ready - kubernetes cluster.local in-addr.arpa ip6.arpa { - pods insecure - fallthrough in-addr.arpa ip6.arpa - ttl 30 - } - prometheus :9153 - forward . /etc/resolv.conf - cache 30 - loop - reload - loadbalance - } - dns://alexlebens.net:53 { - errors - cache 30 - forward . 10.111.232.172 - } - dns://ts.net:53 { - errors - cache 30 - forward . 
10.97.20.219 - } ---- -# Source: coredns/charts/coredns/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: coredns - labels: - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/instance: "coredns" - helm.sh/chart: "coredns-1.45.0" - k8s-app: coredns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: "CoreDNS" - app.kubernetes.io/name: coredns -rules: -- apiGroups: - - "" - resources: - - endpoints - - services - - pods - - namespaces - verbs: - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch ---- -# Source: coredns/charts/coredns/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: coredns - labels: - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/instance: "coredns" - helm.sh/chart: "coredns-1.45.0" - k8s-app: coredns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: "CoreDNS" - app.kubernetes.io/name: coredns -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: coredns -subjects: -- kind: ServiceAccount - name: coredns - namespace: kube-system ---- -# Source: coredns/charts/coredns/templates/service-metrics.yaml -apiVersion: v1 -kind: Service -metadata: - name: coredns-metrics - namespace: kube-system - labels: - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/instance: "coredns" - helm.sh/chart: "coredns-1.45.0" - k8s-app: coredns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: "CoreDNS" - app.kubernetes.io/name: coredns - app.kubernetes.io/component: metrics - annotations: - prometheus.io/port: "9153" - prometheus.io/scrape: "true" -spec: - selector: - app.kubernetes.io/instance: "coredns" - k8s-app: coredns - app.kubernetes.io/name: coredns - ports: - - name: metrics - port: 9153 - targetPort: 9153 ---- -# Source: coredns/charts/coredns/templates/service.yaml -apiVersion: v1 -kind: Service 
-metadata: - name: kube-dns - namespace: kube-system - labels: - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/instance: "coredns" - helm.sh/chart: "coredns-1.45.0" - k8s-app: coredns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: "CoreDNS" - app.kubernetes.io/name: coredns -spec: - selector: - app.kubernetes.io/instance: "coredns" - k8s-app: coredns - app.kubernetes.io/name: coredns - clusterIP: 10.96.0.10 - clusterIPs: - - - 10.96.0.10 - ports: - - {"name":"udp-53","port":53,"protocol":"UDP","targetPort":53} - - {"name":"tcp-53","port":53,"protocol":"TCP","targetPort":53} - type: ClusterIP ---- -# Source: coredns/charts/coredns/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: coredns - namespace: kube-system - labels: - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/instance: "coredns" - helm.sh/chart: "coredns-1.45.0" - k8s-app: coredns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: "CoreDNS" - app.kubernetes.io/name: coredns - app.kubernetes.io/version: "v1.13.1" -spec: - replicas: 3 - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - maxSurge: 25% - selector: - matchLabels: - app.kubernetes.io/instance: "coredns" - k8s-app: coredns - app.kubernetes.io/name: coredns - template: - metadata: - labels: - k8s-app: coredns - app.kubernetes.io/name: coredns - app.kubernetes.io/instance: "coredns" - annotations: - checksum/config: 6f07144a3d5dc8ad880e010546e8deee6bb3a150eb089529d925c21f2a78a7d0 - scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]' - spec: - terminationGracePeriodSeconds: 30 - serviceAccountName: coredns - priorityClassName: "system-cluster-critical" - dnsPolicy: Default - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists - - effect: NoSchedule - key: node.cloudprovider.kubernetes.io/uninitialized - operator: Exists - nodeSelector: - kubernetes.io/os: 
linux - containers: - - name: "coredns" - image: "registry.k8s.io/coredns/coredns:v1.13.1" - imagePullPolicy: IfNotPresent - args: [ "-conf", "/etc/coredns/Corefile" ] - volumeMounts: - - name: config-volume - mountPath: /etc/coredns - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 50m - memory: 128Mi - ports: - - {"containerPort":53,"name":"udp-53","protocol":"UDP"} - - {"containerPort":53,"name":"tcp-53","protocol":"TCP"} - - {"containerPort":9153,"name":"tcp-9153","protocol":"TCP"} - - livenessProbe: - httpGet: - path: /health - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - readinessProbe: - httpGet: - path: /ready - port: 8181 - scheme: HTTP - initialDelaySeconds: 30 - periodSeconds: 5 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 1 - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - readOnlyRootFilesystem: true - volumes: - - name: config-volume - configMap: - name: coredns - items: - - key: Corefile - path: Corefile ---- -# Source: coredns/charts/coredns/templates/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: coredns - namespace: kube-system - labels: - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/instance: "coredns" - helm.sh/chart: "coredns-1.45.0" - k8s-app: coredns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: "CoreDNS" - app.kubernetes.io/name: coredns -spec: - selector: - matchLabels: - app.kubernetes.io/instance: "coredns" - k8s-app: coredns - app.kubernetes.io/name: coredns - app.kubernetes.io/component: metrics - endpoints: - - port: metrics 
diff --git a/clusters/cl01tl/manifests/democratic-csi-synology-iscsi/democratic-csi-synology-iscsi.yaml b/clusters/cl01tl/manifests/democratic-csi-synology-iscsi/democratic-csi-synology-iscsi.yaml deleted file mode 100644 index a550e952d..000000000 --- a/clusters/cl01tl/manifests/democratic-csi-synology-iscsi/democratic-csi-synology-iscsi.yaml +++ /dev/null 
@@ -1,720 +0,0 @@ ---- -# Source: democratic-csi-synology-iscsi/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: democratic-csi-synology-iscsi - labels: - app.kubernetes.io/name: democratic-csi-synology-iscsi - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/part-of: democratic-csi-synology-iscsi - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged ---- -# Source: democratic-csi-synology-iscsi/charts/democratic-csi/templates/controller-rbac.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: democratic-csi-synology-iscsi-controller-sa - namespace: democratic-csi-synology-iscsi - labels: - app.kubernetes.io/name: democratic-csi - helm.sh/chart: democratic-csi-0.15.0 - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/managed-by: Helm ---- -# Source: democratic-csi-synology-iscsi/charts/democratic-csi/templates/node-rbac.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: democratic-csi-synology-iscsi-node-sa - namespace: democratic-csi-synology-iscsi - labels: - app.kubernetes.io/name: democratic-csi - helm.sh/chart: democratic-csi-0.15.0 - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/managed-by: Helm ---- -# Source: democratic-csi-synology-iscsi/charts/democratic-csi/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: democratic-csi-synology-iscsi - namespace: democratic-csi-synology-iscsi - labels: - app.kubernetes.io/name: democratic-csi - helm.sh/chart: democratic-csi-0.15.0 - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/managed-by: Helm -data: - extra-ca-certs: "" ---- -# Source: democratic-csi-synology-iscsi/charts/democratic-csi/templates/storage-classes.yaml -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: synology-iscsi-delete - labels: - 
app.kubernetes.io/name: democratic-csi - helm.sh/chart: democratic-csi-0.15.0 - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/managed-by: Helm -provisioner: org.democratic-csi.iscsi-synology -reclaimPolicy: Delete -allowVolumeExpansion: true -volumeBindingMode: Immediate - -parameters: - fsType: "ext4" - -# this loop is deeply connected to the loop for Secret creation below ---- -# Source: democratic-csi-synology-iscsi/charts/democratic-csi/templates/storage-classes.yaml -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: synology-iscsi-retain - labels: - app.kubernetes.io/name: democratic-csi - helm.sh/chart: democratic-csi-0.15.0 - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/managed-by: Helm -provisioner: org.democratic-csi.iscsi-synology -reclaimPolicy: Retain -allowVolumeExpansion: true -volumeBindingMode: Immediate - -parameters: - fsType: "ext4" - -# this loop is deeply connected to the loop for Secret creation below - - -# this loop is deeply connected to the loop for secret parameter settings above ---- -# Source: democratic-csi-synology-iscsi/charts/democratic-csi/templates/controller-rbac.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: democratic-csi-synology-iscsi-controller-cr - labels: - app.kubernetes.io/name: democratic-csi - helm.sh/chart: democratic-csi-0.15.0 - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/managed-by: Helm -rules: - # Allow listing and creating CRDs - - apiGroups: ['apiextensions.k8s.io'] - resources: ['customresourcedefinitions'] - verbs: ['list', 'create'] - - apiGroups: [''] - resources: ['persistentvolumes'] - verbs: ['create', 'delete', 'get', 'list', 'watch', 'update', 'patch'] - - apiGroups: [''] - resources: ['secrets'] - verbs: ['get', 'list'] - - apiGroups: [''] - resources: ['pods'] - verbs: ['get', 'list', 'watch'] - - apiGroups: [''] - resources: 
['persistentvolumeclaims'] - verbs: ['get', 'list', 'watch', 'update', 'patch'] - - apiGroups: [''] - resources: ['persistentvolumeclaims/status'] - verbs: ['get', 'list', 'watch', 'update', 'patch'] - - apiGroups: [''] - resources: ['nodes'] - verbs: ['get', 'list', 'watch'] - - apiGroups: ['storage.k8s.io'] - resources: ['volumeattachments'] - verbs: ['get', 'list', 'watch', 'update', 'patch'] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments/status"] - verbs: ["patch"] - - apiGroups: ['storage.k8s.io'] - resources: ['storageclasses'] - verbs: ['get', 'list', 'watch'] - - apiGroups: ['csi.storage.k8s.io'] - resources: ['csidrivers'] - verbs: ['get', 'list', 'watch', 'update', 'create'] - - apiGroups: [''] - resources: ['events'] - verbs: ['list', 'watch', 'create', 'update', 'patch'] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ['snapshot.storage.k8s.io'] - resources: ['volumesnapshots/status'] - verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents/status"] - verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["csi.storage.k8s.io"] - resources: ["csinodeinfos"] - verbs: ["get", "list", "watch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] - # capacity rbac - - apiGroups: ["storage.k8s.io"] - resources: ["csistoragecapacities"] - verbs: ["get", "list", 
"watch", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get"] - - apiGroups: ["apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["get"] ---- -# Source: democratic-csi-synology-iscsi/charts/democratic-csi/templates/node-rbac.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: democratic-csi-synology-iscsi-node-cr - labels: - app.kubernetes.io/name: democratic-csi - helm.sh/chart: democratic-csi-0.15.0 - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/managed-by: Helm -rules: - # Allow listing and creating CRDs - - apiGroups: ['apiextensions.k8s.io'] - resources: ['customresourcedefinitions'] - verbs: ['list', 'create'] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update"] ---- -# Source: democratic-csi-synology-iscsi/charts/democratic-csi/templates/controller-rbac.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: democratic-csi-synology-iscsi-controller-rb - labels: - app.kubernetes.io/name: democratic-csi - helm.sh/chart: democratic-csi-0.15.0 - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/managed-by: Helm -roleRef: - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io - name: democratic-csi-synology-iscsi-controller-cr -subjects: -- kind: ServiceAccount - name: democratic-csi-synology-iscsi-controller-sa - namespace: democratic-csi-synology-iscsi ---- -# Source: democratic-csi-synology-iscsi/charts/democratic-csi/templates/node-rbac.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: democratic-csi-synology-iscsi-node-rb - labels: - app.kubernetes.io/name: 
democratic-csi - helm.sh/chart: democratic-csi-0.15.0 - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/managed-by: Helm -roleRef: - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io - name: democratic-csi-synology-iscsi-node-cr -subjects: -- kind: ServiceAccount - name: democratic-csi-synology-iscsi-node-sa - namespace: democratic-csi-synology-iscsi ---- -# Source: democratic-csi-synology-iscsi/charts/democratic-csi/templates/node.yaml -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: democratic-csi-synology-iscsi-node - namespace: democratic-csi-synology-iscsi - labels: - app.kubernetes.io/name: democratic-csi - helm.sh/chart: democratic-csi-0.15.0 - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/csi-role: "node" - app.kubernetes.io/component: "node-linux" -spec: - selector: - matchLabels: - app.kubernetes.io/name: democratic-csi - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/csi-role: "node" - app.kubernetes.io/component: "node-linux" - template: - metadata: - annotations: - checksum/configmap: 263840c3436d67b6e25f68fabb84f358c3df828bc15d9ec327e733b38cabd1d7 - labels: - app.kubernetes.io/name: democratic-csi - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/csi-role: "node" - app.kubernetes.io/component: "node-linux" - spec: - serviceAccount: democratic-csi-synology-iscsi-node-sa - priorityClassName: "system-node-critical" - # Required by iSCSI - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - hostAliases: [] - # Required by multipath detach - hostIPC: true - hostPID: true - containers: - - name: csi-driver - image: "docker.io/democraticcsi/democratic-csi:latest" - args: - - --csi-version=1.5.0 - - --csi-name=org.democratic-csi.iscsi-synology - - --driver-config-file=/config/driver-config-file.yaml - - 
--log-level=info - - --csi-mode=node - - --server-socket=/csi-data/csi.sock.internal - - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - privileged: true - env: - - name: CSI_NODE_ID - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: NODE_EXTRA_CA_CERTS - value: "/tmp/certs/extra-ca-certs.crt" - - name: ISCSIADM_HOST_STRATEGY - value: nsenter - - name: ISCSIADM_HOST_PATH - value: /usr/local/sbin/iscsiadm - - # prevent crazy error messages due to the /dev host mount - terminationMessagePath: /tmp/termination-log - terminationMessagePolicy: File - livenessProbe: - failureThreshold: 3 - exec: - command: - - bin/liveness-probe - - --csi-version=1.5.0 - - --csi-address=/csi-data/csi.sock.internal - initialDelaySeconds: 10 - timeoutSeconds: 15 - periodSeconds: 60 - - volumeMounts: - - name: socket-dir - mountPath: /csi-data - - name: kubelet-dir - mountPath: /var/lib/kubelet - mountPropagation: Bidirectional - - name: iscsi-dir - mountPath: /var/iscsi - mountPropagation: Bidirectional - - name: iscsi-info - mountPath: /var/lib/iscsi - mountPropagation: Bidirectional - - name: modules-dir - mountPath: /lib/modules - readOnly: true - - name: localtime - mountPath: /etc/localtime - readOnly: true - - name: udev-data - mountPath: /run/udev - - name: host-dir - mountPath: /host - mountPropagation: Bidirectional - - mountPath: /sys - name: sys-dir - - name: dev-dir - mountPath: /dev - - name: config - mountPath: /config - - name: extra-ca-certs - mountPath: /tmp/certs - - name: csi-proxy - image: "docker.io/democraticcsi/csi-grpc-proxy:v0.5.6" - env: - - name: BIND_TO - value: "unix:///csi-data/csi.sock" - - name: PROXY_TO - value: "unix:///csi-data/csi.sock.internal" - volumeMounts: - - mountPath: /csi-data - name: socket-dir - - name: driver-registrar - image: "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0" - args: - - --v=5 - - --csi-address=/csi-data/csi.sock - - 
--kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock - env: - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - livenessProbe: - exec: - command: - - /csi-node-driver-registrar - - --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock - - --mode=kubelet-registration-probe - - volumeMounts: - - mountPath: /csi-data - name: socket-dir - - name: registration-dir - mountPath: /registration - - name: kubelet-dir - mountPath: /var/lib/kubelet - - - name: cleanup - image: "docker.io/busybox:1.37.0" - command: - - "/bin/sh" - - "-c" - - "--" - args: [ "while true; do sleep 2; done;" ] - lifecycle: - # note this runs *before* other containers are terminated - preStop: - exec: - command: ["/bin/sh", "-c", "rm -rf /plugins/org.democratic-csi.iscsi-synology /registration/org.democratic-csi.iscsi-synology-reg.sock"] - - volumeMounts: - - name: plugins-dir - mountPath: /plugins - - name: registration-dir - mountPath: /registration - - volumes: - - name: socket-dir - hostPath: - path: /var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology - type: DirectoryOrCreate - - name: plugins-dir - hostPath: - path: /var/lib/kubelet/plugins - type: Directory - - name: registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry - type: Directory - - name: kubelet-dir - hostPath: - path: /var/lib/kubelet - type: Directory - - name: iscsi-dir - hostPath: - path: /var/iscsi - type: - - name: iscsi-info - hostPath: - path: /var/lib/iscsi - - name: dev-dir - hostPath: - path: /dev - type: Directory - - name: modules-dir - hostPath: - path: /lib/modules - - name: localtime - hostPath: - path: /etc/localtime - - name: udev-data - hostPath: - path: /run/udev - - name: sys-dir - hostPath: - path: /sys - type: Directory - - name: host-dir - hostPath: - path: / - type: Directory - - name: config - secret: - secretName: synology-iscsi-config-secret - - name: 
extra-ca-certs - configMap: - name: democratic-csi-synology-iscsi - items: - - key: extra-ca-certs - path: extra-ca-certs.crt - nodeSelector: - kubernetes.io/os: linux ---- -# Source: democratic-csi-synology-iscsi/charts/democratic-csi/templates/controller.yaml -kind: Deployment -apiVersion: apps/v1 -metadata: - name: democratic-csi-synology-iscsi-controller - namespace: democratic-csi-synology-iscsi - labels: - app.kubernetes.io/name: democratic-csi - helm.sh/chart: democratic-csi-0.15.0 - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/csi-role: "controller" - app.kubernetes.io/component: "controller-linux" -spec: - replicas: 2 - selector: - matchLabels: - app.kubernetes.io/name: democratic-csi - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/csi-role: "controller" - app.kubernetes.io/component: "controller-linux" - template: - metadata: - annotations: - checksum/configmap: 263840c3436d67b6e25f68fabb84f358c3df828bc15d9ec327e733b38cabd1d7 - labels: - app.kubernetes.io/name: democratic-csi - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/csi-role: "controller" - app.kubernetes.io/component: "controller-linux" - spec: - serviceAccount: democratic-csi-synology-iscsi-controller-sa - priorityClassName: "system-cluster-critical" - hostNetwork: false - dnsPolicy: ClusterFirst - hostAliases: [] - hostIPC: false - containers: - # https://github.com/kubernetes-csi/external-attacher - - name: external-attacher - image: "registry.k8s.io/sig-storage/csi-attacher:v4.4.0" - args: - - --v=5 - - --leader-election - - --leader-election-namespace=democratic-csi-synology-iscsi - - --timeout=90s - - --worker-threads=10 - - --csi-address=/csi-data/csi.sock - volumeMounts: - - mountPath: /csi-data - name: socket-dir - # https://github.com/kubernetes-csi/external-provisioner - - name: 
external-provisioner - image: "registry.k8s.io/sig-storage/csi-provisioner:v3.6.0" - args: - - --v=5 - - --leader-election - - --leader-election-namespace=democratic-csi-synology-iscsi - - --timeout=90s - - --worker-threads=10 - - --extra-create-metadata - - --csi-address=/csi-data/csi.sock - volumeMounts: - - mountPath: /csi-data - name: socket-dir - env: - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - # https://github.com/kubernetes-csi/external-resizer - - name: external-resizer - image: "registry.k8s.io/sig-storage/csi-resizer:v1.9.0" - args: - - --v=5 - - --leader-election - - --leader-election-namespace=democratic-csi-synology-iscsi - - --timeout=90s - - --workers=10 - - --csi-address=/csi-data/csi.sock - volumeMounts: - - mountPath: /csi-data - name: socket-dir - env: - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - # https://github.com/kubernetes-csi/external-snapshotter - # beware upgrading version: - # - https://github.com/rook/rook/issues/4178 - # - https://github.com/kubernetes-csi/external-snapshotter/issues/147#issuecomment-513664310 - - name: external-snapshotter - image: "registry.k8s.io/sig-storage/csi-snapshotter:v8.2.1" - args: - - --v=5 - - --leader-election - - --leader-election-namespace=democratic-csi-synology-iscsi - - --timeout=90s - - --worker-threads=10 - - --csi-address=/csi-data/csi.sock - volumeMounts: - - mountPath: /csi-data - name: socket-dir - env: - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: NAMESPACE - valueFrom: - fieldRef: - 
apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: csi-driver - image: "docker.io/democraticcsi/democratic-csi:latest" - args: - - --csi-version=1.5.0 - - --csi-name=org.democratic-csi.iscsi-synology - - --driver-config-file=/config/driver-config-file.yaml - - --log-level=info - - --csi-mode=controller - - --server-socket=/csi-data/csi.sock.internal - - env: - - name: NODE_EXTRA_CA_CERTS - value: "/tmp/certs/extra-ca-certs.crt" - livenessProbe: - failureThreshold: 3 - exec: - command: - - bin/liveness-probe - - --csi-version=1.5.0 - - --csi-address=/csi-data/csi.sock.internal - initialDelaySeconds: 10 - timeoutSeconds: 15 - periodSeconds: 60 - volumeMounts: - - name: socket-dir - mountPath: /csi-data - - name: config - mountPath: /config - - name: extra-ca-certs - mountPath: /tmp/certs - - name: csi-proxy - image: "docker.io/democraticcsi/csi-grpc-proxy:v0.5.6" - env: - - name: BIND_TO - value: "unix:///csi-data/csi.sock" - - name: PROXY_TO - value: "unix:///csi-data/csi.sock.internal" - volumeMounts: - - mountPath: /csi-data - name: socket-dir - - volumes: - - name: socket-dir - emptyDir: {} - - name: config - secret: - secretName: synology-iscsi-config-secret - - name: extra-ca-certs - configMap: - name: democratic-csi-synology-iscsi - items: - - key: extra-ca-certs - path: extra-ca-certs.crt - nodeSelector: - kubernetes.io/os: linux ---- -# Source: democratic-csi-synology-iscsi/charts/democratic-csi/templates/required.yaml -# 199b143b7f9f4df4dc97d9410c2fbe7aadb38e42729f08d92d12db1af0863fdf -# 1f4dc096d58f7d21e3875671aee6f29b120ab84218fa47db2cb53bc9eb5b4dac -# 9d8b3506156467be4bcf723a74d85e92d6ff851508e112fadfae94fd3a57e699 ---- -# Source: democratic-csi-synology-iscsi/charts/democratic-csi/templates/snapshot-classes.yaml -# this loop is deeply connected to the loop for secret parameter settings above ---- -# Source: 
democratic-csi-synology-iscsi/charts/democratic-csi/templates/driver.yaml -apiVersion: storage.k8s.io/v1 -kind: CSIDriver -metadata: - name: org.democratic-csi.iscsi-synology - labels: - app.kubernetes.io/name: democratic-csi - helm.sh/chart: democratic-csi-0.15.0 - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/managed-by: Helm -spec: - attachRequired: true - podInfoOnMount: true - # https://kubernetes.io/blog/2020/12/14/kubernetes-release-1.20-fsgroupchangepolicy-fsgrouppolicy/ - # added in Kubernetes 1.16 - # volumeLifecycleModes: - # - Persistent - # - Ephemeral ---- -# Source: democratic-csi-synology-iscsi/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: synology-iscsi-config-secret - namespace: democratic-csi-synology-iscsi - labels: - app.kubernetes.io/name: synology-iscsi-config-secret - app.kubernetes.io/instance: democratic-csi-synology-iscsi - app.kubernetes.io/part-of: democratic-csi-synology-iscsi -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: driver-config-file.yaml - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/democratic-csi-synology-iscsi/config - metadataPolicy: None - property: driver-config-file.yaml diff --git a/clusters/cl01tl/manifests/descheduler/descheduler.yaml b/clusters/cl01tl/manifests/descheduler/descheduler.yaml deleted file mode 100644 index 200bf43ec..000000000 --- a/clusters/cl01tl/manifests/descheduler/descheduler.yaml +++ /dev/null 
@@ -1,247 +0,0 @@ ---- -# Source: descheduler/charts/descheduler/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: descheduler - namespace: descheduler - labels: - app.kubernetes.io/name: descheduler - helm.sh/chart: descheduler-0.34.0 - app.kubernetes.io/instance: descheduler - app.kubernetes.io/version: "0.34.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: descheduler/charts/descheduler/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: descheduler - namespace: descheduler - labels: - app.kubernetes.io/name: descheduler - helm.sh/chart: descheduler-0.34.0 - app.kubernetes.io/instance: descheduler - app.kubernetes.io/version: "0.34.0" - app.kubernetes.io/managed-by: Helm -data: - policy.yaml: | - apiVersion: "descheduler/v1alpha2" - kind: "DeschedulerPolicy" - profiles: - - name: default - pluginConfig: - - args: - evictDaemonSetPods: false - evictLocalStoragePods: false - ignorePvcPods: true - name: DefaultEvictor - - name: RemoveDuplicates - - args: - nodeAffinityType: - - requiredDuringSchedulingIgnoredDuringExecution - name: RemovePodsViolatingNodeAffinity - - name: RemovePodsViolatingNodeTaints - - name: RemovePodsViolatingInterPodAntiAffinity - - name: RemovePodsViolatingTopologySpreadConstraint - - args: - targetThresholds: - cpu: 60 - memory: 60 - pods: 60 - thresholds: - cpu: 20 - memory: 20 - pods: 20 - name: LowNodeUtilization - plugins: - balance: - enabled: - - RemoveDuplicates - - RemovePodsViolatingTopologySpreadConstraint - - LowNodeUtilization - deschedule: - enabled: - - RemovePodsViolatingNodeTaints - - RemovePodsViolatingNodeAffinity - - RemovePodsViolatingInterPodAntiAffinity ---- -# Source: descheduler/charts/descheduler/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: descheduler - labels: - app.kubernetes.io/name: descheduler - helm.sh/chart: descheduler-0.34.0 - app.kubernetes.io/instance: descheduler - 
app.kubernetes.io/version: "0.34.0" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: ["events.k8s.io"] - resources: ["events"] - verbs: ["create", "update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "watch", "list"] -- apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "watch", "list"] -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "watch", "list", "delete"] -- apiGroups: [""] - resources: ["pods/eviction"] - verbs: ["create"] -- apiGroups: ["scheduling.k8s.io"] - resources: ["priorityclasses"] - verbs: ["get", "watch", "list"] -- apiGroups: ["policy"] - resources: ["poddisruptionbudgets"] - verbs: ["get", "watch", "list"] ---- -# Source: descheduler/charts/descheduler/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: descheduler - labels: - app.kubernetes.io/name: descheduler - helm.sh/chart: descheduler-0.34.0 - app.kubernetes.io/instance: descheduler - app.kubernetes.io/version: "0.34.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: descheduler -subjects: - - kind: ServiceAccount - name: descheduler - namespace: descheduler ---- -# Source: descheduler/charts/descheduler/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: descheduler - helm.sh/chart: descheduler-0.34.0 - app.kubernetes.io/instance: descheduler - app.kubernetes.io/version: "0.34.0" - app.kubernetes.io/managed-by: Helm - name: descheduler - namespace: descheduler -spec: - clusterIP: None - ports: - - name: http-metrics - port: 10258 - protocol: TCP - targetPort: 10258 - selector: - app.kubernetes.io/name: descheduler - app.kubernetes.io/instance: descheduler - type: ClusterIP ---- -# Source: descheduler/charts/descheduler/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: descheduler - namespace: descheduler - labels: - 
app.kubernetes.io/name: descheduler - helm.sh/chart: descheduler-0.34.0 - app.kubernetes.io/instance: descheduler - app.kubernetes.io/version: "0.34.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: descheduler - app.kubernetes.io/instance: descheduler - template: - metadata: - labels: - app.kubernetes.io/name: descheduler - app.kubernetes.io/instance: descheduler - annotations: - checksum/config: 827e11ad319ee1e4c515e25bf575e74c44a0a9fdac5317e6caf8798b1d282036 - spec: - priorityClassName: system-cluster-critical - serviceAccountName: descheduler - containers: - - name: descheduler - image: "registry.k8s.io/descheduler/descheduler:v0.34.0" - imagePullPolicy: IfNotPresent - command: - - /bin/descheduler - args: - - --policy-config-file=/policy-dir/policy.yaml - - --descheduling-interval=5m - - --v=3 - ports: - - containerPort: 10258 - protocol: TCP - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10258 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 20 - timeoutSeconds: 5 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - volumeMounts: - - mountPath: /policy-dir - name: policy-volume - volumes: - - name: policy-volume - configMap: - name: descheduler ---- -# Source: descheduler/charts/descheduler/templates/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: descheduler-servicemonitor - namespace: descheduler - labels: - app.kubernetes.io/name: descheduler - helm.sh/chart: descheduler-0.34.0 - app.kubernetes.io/instance: descheduler - app.kubernetes.io/version: "0.34.0" - app.kubernetes.io/managed-by: Helm -spec: - jobLabel: jobLabel - namespaceSelector: - matchNames: - - descheduler - selector: - matchLabels: - 
app.kubernetes.io/name: descheduler - app.kubernetes.io/instance: descheduler - endpoints: - - honorLabels: true - port: http-metrics - scheme: https - tlsConfig: - insecureSkipVerify: true diff --git a/clusters/cl01tl/manifests/directus/directus.yaml b/clusters/cl01tl/manifests/directus/directus.yaml deleted file mode 100644 index a3bc2e9d3..000000000 --- a/clusters/cl01tl/manifests/directus/directus.yaml +++ /dev/null 
@@ -1,1136 +0,0 @@ ---- -# Source: directus/charts/directus/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: directus - labels: - app.kubernetes.io/instance: directus - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: directus - app.kubernetes.io/service: directus - helm.sh/chart: directus-4.4.0 - namespace: directus -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8055 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: directus - app.kubernetes.io/name: directus ---- -# Source: directus/charts/cloudflared-directus/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: directus-cloudflared-directus - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: directus - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cloudflared-directus - app.kubernetes.io/version: 2025.10.0 - helm.sh/chart: cloudflared-directus-1.23.1 - namespace: directus -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: cloudflared-directus - app.kubernetes.io/instance: directus - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: directus - app.kubernetes.io/name: cloudflared-directus - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - tunnel - - --protocol - - http2 - - --no-autoupdate - - run - - --token - - $(CF_MANAGED_TUNNEL_TOKEN) - env: - - name: CF_MANAGED_TUNNEL_TOKEN - valueFrom: - secretKeyRef: - key: cf-tunnel-token - name: directus-cloudflared-secret - image: cloudflare/cloudflared:2025.11.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: 
directus/charts/directus/templates/common.yaml ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: directus - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: directus - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: directus - helm.sh/chart: directus-4.4.0 - namespace: directus -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: directus - app.kubernetes.io/instance: directus - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: directus - app.kubernetes.io/name: directus - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: PUBLIC_URL - value: https://directus.alexlebens.dev - - name: WEBSOCKETS_ENABLED - value: "true" - - name: ADMIN_EMAIL - valueFrom: - secretKeyRef: - key: admin-email - name: directus-config - - name: ADMIN_PASSWORD - valueFrom: - secretKeyRef: - key: admin-password - name: directus-config - - name: SECRET - valueFrom: - secretKeyRef: - key: secret - name: directus-config - - name: KEY - valueFrom: - secretKeyRef: - key: key - name: directus-config - - name: DB_CLIENT - value: postgres - - name: DB_HOST - valueFrom: - secretKeyRef: - key: host - name: directus-postgresql-17-cluster-app - - name: DB_DATABASE - valueFrom: - secretKeyRef: - key: dbname - name: directus-postgresql-17-cluster-app - - name: DB_PORT - valueFrom: - secretKeyRef: - key: port - name: directus-postgresql-17-cluster-app - - name: DB_USER - valueFrom: - secretKeyRef: - key: user - name: directus-postgresql-17-cluster-app - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: directus-postgresql-17-cluster-app - - name: SYNCHRONIZATION_STORE - value: redis - - name: CACHE_ENABLED - 
value: "true" - - name: CACHE_STORE - value: redis - - name: REDIS_ENABLED - value: "true" - - name: REDIS_HOST - value: redis-replication-directus-master - - name: REDIS_USERNAME - valueFrom: - secretKeyRef: - key: user - name: directus-redis-config - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: directus-redis-config - - name: STORAGE_LOCATIONS - value: s3 - - name: STORAGE_S3_DRIVER - value: s3 - - name: STORAGE_S3_KEY - valueFrom: - secretKeyRef: - key: AWS_ACCESS_KEY_ID - name: ceph-bucket-directus - - name: STORAGE_S3_SECRET - valueFrom: - secretKeyRef: - key: AWS_SECRET_ACCESS_KEY - name: ceph-bucket-directus - - name: STORAGE_S3_BUCKET - valueFrom: - configMapKeyRef: - key: BUCKET_NAME - name: ceph-bucket-directus - - name: STORAGE_S3_REGION - value: us-east-1 - - name: STORAGE_S3_ENDPOINT - value: http://rook-ceph-rgw-ceph-objectstore.rook-ceph.svc:80 - - name: STORAGE_S3_FORCE_PATH_STYLE - value: "true" - - name: AUTH_PROVIDERS - value: AUTHENTIK - - name: AUTH_AUTHENTIK_DRIVER - value: openid - - name: AUTH_AUTHENTIK_CLIENT_ID - valueFrom: - secretKeyRef: - key: OIDC_CLIENT_ID - name: directus-oidc-secret - - name: AUTH_AUTHENTIK_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: OIDC_CLIENT_SECRET - name: directus-oidc-secret - - name: AUTH_AUTHENTIK_SCOPE - value: openid profile email - - name: AUTH_AUTHENTIK_ISSUER_URL - value: https://auth.alexlebens.dev/application/o/directus/.well-known/openid-configuration - - name: AUTH_AUTHENTIK_IDENTIFIER_KEY - value: email - - name: AUTH_AUTHENTIK_ALLOW_PUBLIC_REGISTRATION - value: "true" - - name: AUTH_AUTHENTIK_LABEL - value: Authentik - - name: TELEMETRY - value: "false" - - name: METRICS_ENABLED - value: "true" - - name: METRICS_TOKENS - valueFrom: - secretKeyRef: - key: metric-token - name: directus-metric-token - image: directus/directus:11.13.4 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi ---- -# Source: 
directus/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: directus-postgresql-17-cluster - namespace: directus - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: directus-postgresql-17 - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "directus-postgresql-17-external-backup" - serverName: "directus-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "directus-postgresql-17-garage-local-backup" - serverName: "directus-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "directus-postgresql-17-recovery" - serverName: directus-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: directus-postgresql-17-backup-1 - - externalClusters: - - name: directus-postgresql-17-backup-1 - plugin: - name: 
barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "directus-postgresql-17-recovery" - serverName: directus-postgresql-17-backup-1 ---- -# Source: directus/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: directus-config - namespace: directus - labels: - app.kubernetes.io/name: directus-config - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: admin-email - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/directus/config - metadataPolicy: None - property: admin-email - - secretKey: admin-password - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/directus/config - metadataPolicy: None - property: admin-password - - secretKey: secret - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/directus/config - metadataPolicy: None - property: secret - - secretKey: key - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/directus/config - metadataPolicy: None - property: key ---- -# Source: directus/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: directus-metric-token - namespace: directus - labels: - app.kubernetes.io/name: directus-metric-token - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: metric-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/directus/metrics - metadataPolicy: None - property: metric-token ---- -# Source: directus/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: directus-redis-config - namespace: directus - labels: - 
app.kubernetes.io/name: directus-redis-config - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: user - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/directus/redis - metadataPolicy: None - property: user - - secretKey: password - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/directus/redis - metadataPolicy: None - property: password ---- -# Source: directus/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: directus-oidc-secret - namespace: directus - labels: - app.kubernetes.io/name: directus-oidc-secret - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: OIDC_CLIENT_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/directus - metadataPolicy: None - property: client - - secretKey: OIDC_CLIENT_SECRET - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/directus - metadataPolicy: None - property: secret ---- -# Source: directus/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: directus-cloudflared-secret - namespace: directus - labels: - app.kubernetes.io/name: directus-cloudflared-secret - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: cf-tunnel-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/tunnels/directus - metadataPolicy: None - property: token ---- -# Source: directus/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: 
directus-postgresql-17-cluster-backup-secret - namespace: directus - labels: - app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: directus/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: directus-postgresql-17-cluster-backup-secret-weekly - namespace: directus - labels: - app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret-weekly - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY ---- -# Source: directus/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: directus-postgresql-17-cluster-backup-secret-garage - namespace: directus - labels: - app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - 
remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: directus/templates/object-bucket-claim.yaml -apiVersion: objectbucket.io/v1alpha1 -kind: ObjectBucketClaim -metadata: - name: ceph-bucket-directus - labels: - app.kubernetes.io/name: ceph-bucket-directus - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus -spec: - generateBucketName: bucket-directus - storageClassName: ceph-bucket ---- -# Source: directus/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "directus-postgresql-17-external-backup" - namespace: directus - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: directus-postgresql-17 - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/directus/directus-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: directus-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: directus-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: directus/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: 
"directus-postgresql-17-garage-local-backup" - namespace: directus - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: directus-postgresql-17 - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: directus-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: directus-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: directus-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: directus/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "directus-postgresql-17-recovery" - namespace: directus - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: directus-postgresql-17 - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: directus-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: directus-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: directus/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: directus-postgresql-17-alert-rules - namespace: directus - labels: - helm.sh/chart: 
postgres-17-cluster-6.16.1 - app.kubernetes.io/name: directus-postgresql-17 - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/directus-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: directus - cnpg_cluster: directus-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: directus - cnpg_cluster: directus-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="directus"} - cnpg_pg_replication_is_wal_receiver_up{namespace="directus"}) < 1 - for: 5m - labels: - severity: critical - namespace: directus - cnpg_cluster: directus-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="directus"} - cnpg_pg_replication_is_wal_receiver_up{namespace="directus"}) < 2 - for: 5m - labels: - severity: warning - namespace: directus - cnpg_cluster: directus-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "directus/directus-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="directus", pod=~"directus-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="directus", pod=~"directus-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: directus - cnpg_cluster: directus-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "directus/directus-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="directus", pod=~"directus-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="directus", pod=~"directus-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: directus - cnpg_cluster: directus-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "directus/directus-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="directus",pod=~"directus-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: directus - cnpg_cluster: directus-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "directus/directus-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="directus", pod=~"directus-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: directus - cnpg_cluster: directus-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: directus - cnpg_cluster: directus-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "directus/directus-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="directus", persistentvolumeclaim=~"directus-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="directus", persistentvolumeclaim=~"directus-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="directus", persistentvolumeclaim=~"directus-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="directus", persistentvolumeclaim=~"directus-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="directus", persistentvolumeclaim=~"directus-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="directus", persistentvolumeclaim=~"directus-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"directus-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: directus - cnpg_cluster: directus-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "directus/directus-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="directus", persistentvolumeclaim=~"directus-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="directus", persistentvolumeclaim=~"directus-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="directus", persistentvolumeclaim=~"directus-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="directus", persistentvolumeclaim=~"directus-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="directus", persistentvolumeclaim=~"directus-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="directus", persistentvolumeclaim=~"directus-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"directus-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: directus - cnpg_cluster: directus-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "directus/directus-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="directus",pod=~"directus-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: directus - cnpg_cluster: directus-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: directus - cnpg_cluster: directus-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: directus - cnpg_cluster: directus-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: directus - cnpg_cluster: directus-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "directus/directus-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="directus", pod=~"directus-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: directus - cnpg_cluster: directus-postgresql-17-cluster ---- -# Source: directus/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-directus - namespace: directus - labels: - app.kubernetes.io/name: redis-replication-directus - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.2.1 - imagePullPolicy: IfNotPresent - redisSecret: - name: directus-redis-config - key: password - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi - redisExporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.76.0 ---- -# Source: directus/templates/redis-sentinel.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisSentinel -metadata: - name: redis-sentinel-directus - namespace: directus - labels: - app.kubernetes.io/name: redis-sentinel-directus - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - redisSentinelConfig: - redisReplicationName: redis-replication-directus - redisReplicationPassword: - secretKeyRef: - name: directus-redis-config - key: password - kubernetesConfig: - image: quay.io/opstree/redis-sentinel:v7.0.15 - imagePullPolicy: 
IfNotPresent - redisSecret: - name: directus-redis-config - key: password - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: directus/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "directus-postgresql-17-daily-backup-scheduled-backup" - namespace: directus - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: directus-postgresql-17 - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: directus-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "directus-postgresql-17-external-backup" ---- -# Source: directus/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "directus-postgresql-17-live-backup-scheduled-backup" - namespace: directus - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: directus-postgresql-17 - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: directus-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "directus-postgresql-17-garage-local-backup" ---- -# Source: directus/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: directus - namespace: directus - labels: - app.kubernetes.io/name: directus - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: 
directus -spec: - selector: - matchLabels: - app.kubernetes.io/name: directus - app.kubernetes.io/instance: directus - endpoints: - - port: http - interval: 30s - scrapeTimeout: 15s - path: /metrics - bearerTokenSecret: - name: directus-metric-token - key: metric-token ---- -# Source: directus/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: redis-replication-directus - namespace: directus - labels: - app.kubernetes.io/name: redis-replication-directus - app.kubernetes.io/instance: directus - app.kubernetes.io/part-of: directus - redis-operator: "true" - env: production -spec: - selector: - matchLabels: - redis_setup_type: replication - endpoints: - - port: redis-exporter - interval: 30s - scrapeTimeout: 10s diff --git a/clusters/cl01tl/manifests/elastic-operator/elastic-operator.yaml b/clusters/cl01tl/manifests/elastic-operator/elastic-operator.yaml deleted file mode 100644 index 0977eda3a..000000000 --- a/clusters/cl01tl/manifests/elastic-operator/elastic-operator.yaml +++ /dev/null 
@@ -1,11594 +0,0 @@ ---- -# Source: elastic-operator/charts/eck-operator/templates/service-account.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: elastic-operator - namespace: elastic-operator - labels: - app.kubernetes.io/name: elastic-operator - app.kubernetes.io/instance: elastic-operator - app.kubernetes.io/version: "3.2.0" - helm.sh/chart: eck-operator-3.2.0 - app.kubernetes.io/managed-by: Helm ---- -# Source: elastic-operator/charts/eck-operator/templates/webhook.yaml -apiVersion: v1 -kind: Secret -metadata: - name: elastic-operator-webhook-cert - namespace: elastic-operator - labels: - app.kubernetes.io/name: elastic-operator - app.kubernetes.io/instance: elastic-operator - app.kubernetes.io/version: "3.2.0" - helm.sh/chart: eck-operator-3.2.0 - app.kubernetes.io/managed-by: Helm ---- -# Source: elastic-operator/charts/eck-operator/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: elastic-operator - namespace: elastic-operator - labels: - app.kubernetes.io/name: elastic-operator - app.kubernetes.io/instance: elastic-operator - app.kubernetes.io/version: "3.2.0" - helm.sh/chart: eck-operator-3.2.0 - app.kubernetes.io/managed-by: Helm -data: - eck.yaml: |- - log-verbosity: 0 - metrics-port: 9000 - metrics-secure: false - container-registry: docker.elastic.co - max-concurrent-reconciles: 3 - ca-cert-validity: 8760h - ca-cert-rotate-before: 24h - cert-validity: 8760h - cert-rotate-before: 24h - disable-config-watch: false - exposed-node-labels: [topology.kubernetes.io/.*,failure-domain.beta.kubernetes.io/.*] - set-default-security-context: auto-detect - kube-client-timeout: 60s - elasticsearch-client-timeout: 180s - disable-telemetry: true - distribution-channel: helm - validate-storage-class: true - enable-webhook: true - webhook-name: elastic-operator.elastic-operator.k8s.elastic.co - webhook-port: 9443 - namespaces: [tubearchivist,stalwart] - operator-namespace: elastic-operator - 
enable-leader-election: true - elasticsearch-observation-interval: 10s - ubi-only: false ---- -# Source: elastic-operator/charts/eck-operator/charts/eck-operator-crds/templates/all-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.2.0' - helm.sh/chart: 'eck-operator-crds-3.2.0' - name: agents.agent.k8s.elastic.co -spec: - group: agent.k8s.elastic.co - names: - categories: - - elastic - kind: Agent - listKind: AgentList - plural: agents - shortNames: - - agent - singular: agent - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: available - type: integer - - description: Expected nodes - jsonPath: .status.expectedNodes - name: expected - type: integer - - description: Agent version - jsonPath: .status.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: Agent is the Schema for the Agents API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AgentSpec defines the desired state of the Agent - properties: - config: - description: Config holds the Agent configuration. At most one of - [`Config`, `ConfigRef`] can be specified. - type: object - x-kubernetes-preserve-unknown-fields: true - configRef: - description: |- - ConfigRef contains a reference to an existing Kubernetes Secret holding the Agent configuration. - Agent settings must be specified as yaml, under a single "agent.yml" entry. At most one of [`Config`, `ConfigRef`] - can be specified. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - daemonSet: - description: |- - DaemonSet specifies the Agent should be deployed as a DaemonSet, and allows providing its spec. - Cannot be used along with `deployment` or `statefulSet`. - properties: - podTemplate: - description: PodTemplateSpec describes the data a pod should have - when created from a template - type: object - x-kubernetes-preserve-unknown-fields: true - updateStrategy: - description: DaemonSetUpdateStrategy is a struct used to control - the update strategy for a DaemonSet. - properties: - rollingUpdate: - description: Rolling update config params. Present only if - type = "RollingUpdate". - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of nodes with an existing available DaemonSet pod that - can have an updated DaemonSet pod during during an update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up to a minimum of 1. - Default value is 0. - Example: when this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. 
status.desiredNumberScheduled) - can have their a new pod created before the old pod is marked as deleted. - The update starts by launching new pods on 30% of nodes. Once an updated - pod is available (Ready for at least minReadySeconds) the old DaemonSet pod - on that node is marked deleted. If the old pod becomes unavailable for any - reason (Ready transitions to false, is evicted, or is drained) an updated - pod is immediately created on that node without considering surge limits. - Allowing surge implies the possibility that the resources consumed by the - daemonset on any given node can double if the readiness check fails, and - so resource intensive daemonsets should take into account that they may - cause evictions during disruption. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of DaemonSet pods that can be unavailable during the - update. Value can be an absolute number (ex: 5) or a percentage of total - number of DaemonSet pods at the start of the update (ex: 10%). Absolute - number is calculated from percentage by rounding up. - This cannot be 0 if MaxSurge is 0 - Default value is 1. - Example: when this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their pods stopped for an update at any given time. The update - starts by stopping at most 30% of those DaemonSet pods and then brings - up new DaemonSet pods in their place. Once the new pods are available, - it then proceeds onto other DaemonSet pods, thus ensuring that at least - 70% of original number of DaemonSet pods are available at all times during - the update. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of daemon set update. Can be "RollingUpdate" - or "OnDelete". Default is RollingUpdate. 
- type: string - type: object - type: object - deployment: - description: |- - Deployment specifies the Agent should be deployed as a Deployment, and allows providing its spec. - Cannot be used along with `daemonSet` or `statefulSet`. - properties: - podTemplate: - description: PodTemplateSpec describes the data a pod should have - when created from a template - type: object - x-kubernetes-preserve-unknown-fields: true - replicas: - format: int32 - type: integer - strategy: - description: DeploymentStrategy describes how to replace existing - pods with new ones. - properties: - rollingUpdate: - description: |- - Rolling update config params. Present only if DeploymentStrategyType = - RollingUpdate. - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be scheduled above the desired number of - pods. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up. - Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when - the rolling update starts, such that the total number of old and new pods do not exceed - 130% of desired pods. Once old pods have been killed, - new ReplicaSet can be scaled up further, ensuring that total number of pods running - at any time during the update is at most 130% of desired pods. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding down. - This can not be 0 if MaxSurge is 0. - Defaults to 25%. 
- Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods - immediately when the rolling update starts. Once new pods are ready, old ReplicaSet - can be scaled down further, followed by scaling up the new ReplicaSet, ensuring - that the total number of pods available at all times during the update is at - least 70% of desired pods. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of deployment. Can be "Recreate" or "RollingUpdate". - Default is RollingUpdate. - type: string - type: object - type: object - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single ES cluster is currently supported. - items: - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - outputName: - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. - The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. 
- type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - fleetServerEnabled: - description: FleetServerEnabled determines whether this Agent will - launch Fleet Server. Don't set unless `mode` is set to `fleet`. - type: boolean - fleetServerRef: - description: |- - FleetServerRef is a reference to Fleet Server that this Agent should connect to to obtain it's configuration. - Don't set unless `mode` is set to `fleet`. - References to Fleet servers running outside the Kubernetes cluster via the `secretName` attribute are not supported. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. - The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. 
- type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - http: - description: HTTP holds the HTTP layer configuration for the Agent - in Fleet mode with Fleet Server enabled. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. 
This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. 
If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) 
The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. 
If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". 
Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. 
- More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's - port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. 
changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. 
- type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations - of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic - is distributed to Service endpoints. Implementations can use this field - as a hint, but are not required to guarantee strict adherence. If the - field is not set, the implementation will apply its default routing - strategy. If set to "PreferClose", implementations should prioritize - endpoints that are in the same zone. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. 
Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the - self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning - of the self-signed certifcate should be disabled. 
- type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs - to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN - entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Agent Docker image to deploy. Version has - to match the Agent in the image. - type: string - kibanaRef: - description: |- - KibanaRef is a reference to Kibana where Fleet should be set up and this Agent should be enrolled. Don't set - unless `mode` is set to `fleet`. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. - The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. 
- type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - mode: - description: |- - Mode specifies the runtime mode for the Agent. The configuration can be specified locally through - `config` or `configRef` (`standalone` mode), or come from Fleet during runtime (`fleet` mode). Starting with - version 8.13.0 Fleet-managed agents support advanced configuration via a local configuration file. - See https://www.elastic.co/docs/reference/fleet/advanced-kubernetes-managed-by-fleet - Defaults to `standalone` mode. - enum: - - standalone - - fleet - type: string - policyID: - description: |- - PolicyID determines into which Agent Policy this Agent will be enrolled. - This field will become mandatory in a future release, default policies are deprecated since 8.1.0. - type: string - revisionHistoryLimit: - description: RevisionHistoryLimit is the number of revisions to retain - to allow rollback in the underlying DaemonSet or Deployment or StatefulSet. - format: int32 - type: integer - secureSettings: - description: |- - SecureSettings is a list of references to Kubernetes Secrets containing sensitive configuration options for the Agent. - Secrets data can be then referenced in the Agent config using the Secret's keys or as specified in `Entries` field of - each SecureSetting. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. 
- items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to an Elasticsearch resource in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - statefulSet: - description: |- - StatefulSet specifies the Agent should be deployed as a StatefulSet, and allows providing its spec. - Cannot be used along with `daemonSet` or `deployment`. - properties: - podManagementPolicy: - default: Parallel - description: |- - PodManagementPolicy controls how pods are created during initial scale up, - when replacing pods on nodes, or when scaling down. The default policy is - `Parallel`, where pods are created in parallel to match the desired scale - without waiting, and on scale down will delete all pods at once. - The alternative policy is `OrderedReady`, the default for vanilla kubernetes - StatefulSets, where pods are created in increasing order in increasing order - (pod-0, then pod-1, etc.) and the controller will wait until each pod is ready before - continuing. When scaling down, the pods are removed in the opposite order. 
- enum: - - OrderedReady - - Parallel - type: string - podTemplate: - description: PodTemplateSpec describes the data a pod should have - when created from a template - type: object - x-kubernetes-preserve-unknown-fields: true - replicas: - format: int32 - type: integer - serviceName: - type: string - volumeClaimTemplates: - description: |- - VolumeClaimTemplates is a list of persistent volume claims to be used by each Pod. - Every claim in this list must have a matching volumeMount in one of the containers defined in the PodTemplate. - Items defined here take precedence over any default claims added by the operator with the same name. - items: - description: PersistentVolumeClaim is a user's request for and - claim to a persistent volume - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - description: |- - Standard object's metadata. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. 
- This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. 
- (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes - to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. 
If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to - the PersistentVolume backing this claim. - type: string - type: object - type: object - type: array - type: object - version: - description: Version of the Agent. - type: string - required: - - version - type: object - status: - description: AgentStatus defines the observed state of the Agent - properties: - availableNodes: - format: int32 - type: integer - elasticsearchAssociationsStatus: - additionalProperties: - description: AssociationStatus is the status of an association resource. - type: string - description: |- - AssociationStatusMap is the map of association's namespaced name string to its AssociationStatus. For resources that - have a single Association of a given type (for ex. single ES reference), this map contains a single entry. - type: object - expectedNodes: - format: int32 - type: integer - fleetServerAssociationStatus: - description: AssociationStatus is the status of an association resource. - type: string - health: - type: string - kibanaAssociationStatus: - description: AssociationStatus is the status of an association resource. - type: string - observedGeneration: - description: |- - ObservedGeneration is the most recent generation observed for this Elastic Agent. - It corresponds to the metadata generation, which is updated on mutation by the API Server. 
- If the generation observed in status diverges from the generation in metadata, the Elastic - Agent controller has not yet processed the changes contained in the Elastic Agent specification. - format: int64 - type: integer - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: elastic-operator/charts/eck-operator/charts/eck-operator-crds/templates/all-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.2.0' - helm.sh/chart: 'eck-operator-crds-3.2.0' - name: apmservers.apm.k8s.elastic.co -spec: - group: apm.k8s.elastic.co - names: - categories: - - elastic - kind: ApmServer - listKind: ApmServerList - plural: apmservers - shortNames: - - apm - singular: apmserver - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: APM version - jsonPath: .status.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ApmServer represents an APM Server resource in a Kubernetes cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ApmServerSpec holds the specification of an APM Server. - properties: - config: - description: 'Config holds the APM Server configuration. See: https://www.elastic.co/guide/en/apm/server/current/configuring-howto-apm-server.html' - type: object - x-kubernetes-preserve-unknown-fields: true - count: - description: Count of APM Server instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to the output Elasticsearch - cluster running in the same Kubernetes cluster. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. 
- The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - http: - description: HTTP holds the HTTP layer configuration for the APM Server - resource. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. 
If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. 
- This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. 
Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. 
- format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. 
If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. 
- Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's - port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. 
When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. 
- More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. 
- properties: - clientIP: - description: clientIP contains the configurations - of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic - is distributed to Service endpoints. Implementations can use this field - as a hint, but are not required to guarantee strict adherence. If the - field is not set, the implementation will apply its default routing - strategy. If set to "PreferClose", implementations should prioritize - endpoints that are in the same zone. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. 
- More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the - self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning - of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs - to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN - entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the APM Server Docker image to deploy. - type: string - kibanaRef: - description: |- - KibanaRef is a reference to a Kibana instance running in the same Kubernetes cluster. - It allows APM agent central configuration management in Kibana. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. 
If empty, defaults - to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. - The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the APM Server - pods. - type: object - x-kubernetes-preserve-unknown-fields: true - revisionHistoryLimit: - description: RevisionHistoryLimit is the number of revisions to retain - to allow rollback in the underlying Deployment. - format: int32 - type: integer - secureSettings: - description: SecureSettings is a list of references to Kubernetes - secrets containing sensitive configuration options for APM Server. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. 
- If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to a resource (for ex. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of the APM Server. - type: string - required: - - version - type: object - status: - description: ApmServerStatus defines the observed state of ApmServer - properties: - availableNodes: - description: AvailableNodes is the number of available replicas in - the deployment. - format: int32 - type: integer - count: - description: Count corresponds to Scale.Status.Replicas, which is - the actual number of observed instances of the scaled object. - format: int32 - type: integer - elasticsearchAssociationStatus: - description: ElasticsearchAssociationStatus is the status of any auto-linking - to Elasticsearch clusters. - type: string - health: - description: Health of the deployment. - type: string - kibanaAssociationStatus: - description: KibanaAssociationStatus is the status of any auto-linking - to Kibana. - type: string - observedGeneration: - description: |- - ObservedGeneration represents the .metadata.generation that the status is based upon. 
- It corresponds to the metadata generation, which is updated on mutation by the API Server. - If the generation observed in status diverges from the generation in metadata, the APM Server - controller has not yet processed the changes contained in the APM Server specification. - format: int64 - type: integer - secretTokenSecret: - description: SecretTokenSecretName is the name of the Secret that - contains the secret token - type: string - selector: - description: Selector is the label selector used to find all pods. - type: string - service: - description: ExternalService is the name of the service the agents - should connect to. - type: string - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. - type: string - type: object - type: object - served: true - storage: true - subresources: - scale: - labelSelectorPath: .status.selector - specReplicasPath: .spec.count - statusReplicasPath: .status.count - status: {} - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: APM version - jsonPath: .spec.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: ApmServer represents an APM Server resource in a Kubernetes cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ApmServerSpec holds the specification of an APM Server. - properties: - config: - description: 'Config holds the APM Server configuration. See: https://www.elastic.co/guide/en/apm/server/current/configuring-howto-apm-server.html' - type: object - x-kubernetes-preserve-unknown-fields: true - count: - description: Count of APM Server instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to the output Elasticsearch - cluster running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - http: - description: HTTP holds the HTTP layer configuration for the APM Server - resource. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. 
- properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. 
If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. 
If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. 
service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. 
- This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's - port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). 
- - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. 
Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. 
- Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations - of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic - is distributed to Service endpoints. Implementations can use this field - as a hint, but are not required to guarantee strict adherence. If the - field is not set, the implementation will apply its default routing - strategy. If set to "PreferClose", implementations should prioritize - endpoints that are in the same zone. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. 
- "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the - self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning - of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs - to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN - entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the APM Server Docker image to deploy. - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the APM Server - pods. 
- type: object - x-kubernetes-preserve-unknown-fields: true - secureSettings: - description: SecureSettings is a list of references to Kubernetes - secrets containing sensitive configuration options for APM Server. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - version: - description: Version of the APM Server. - type: string - type: object - status: - description: ApmServerStatus defines the observed state of ApmServer - properties: - associationStatus: - description: Association is the status of any auto-linking to Elasticsearch - clusters. - type: string - availableNodes: - format: int32 - type: integer - health: - description: ApmServerHealth expresses the status of the Apm Server - instances. - type: string - secretTokenSecret: - description: SecretTokenSecretName is the name of the Secret that - contains the secret token - type: string - service: - description: ExternalService is the name of the service the agents - should connect to. 
- type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha1 - schema: - openAPIV3Schema: - description: to not break compatibility when upgrading from previous versions - of the CRD - type: object - served: false - storage: false ---- -# Source: elastic-operator/charts/eck-operator/charts/eck-operator-crds/templates/all-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.2.0' - helm.sh/chart: 'eck-operator-crds-3.2.0' - name: beats.beat.k8s.elastic.co -spec: - group: beat.k8s.elastic.co - names: - categories: - - elastic - kind: Beat - listKind: BeatList - plural: beats - shortNames: - - beat - singular: beat - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: available - type: integer - - description: Expected nodes - jsonPath: .status.expectedNodes - name: expected - type: integer - - description: Beat type - jsonPath: .spec.type - name: type - type: string - - description: Beat version - jsonPath: .status.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Beat is the Schema for the Beats API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BeatSpec defines the desired state of a Beat. - properties: - config: - description: Config holds the Beat configuration. At most one of [`Config`, - `ConfigRef`] can be specified. - type: object - x-kubernetes-preserve-unknown-fields: true - configRef: - description: |- - ConfigRef contains a reference to an existing Kubernetes Secret holding the Beat configuration. - Beat settings must be specified as yaml, under a single "beat.yml" entry. At most one of [`Config`, `ConfigRef`] - can be specified. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - daemonSet: - description: |- - DaemonSet specifies the Beat should be deployed as a DaemonSet, and allows providing its spec. - Cannot be used along with `deployment`. If both are absent a default for the Type is used. - properties: - podTemplate: - description: PodTemplateSpec describes the data a pod should have - when created from a template - type: object - x-kubernetes-preserve-unknown-fields: true - updateStrategy: - description: DaemonSetUpdateStrategy is a struct used to control - the update strategy for a DaemonSet. - properties: - rollingUpdate: - description: Rolling update config params. Present only if - type = "RollingUpdate". 
- properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of nodes with an existing available DaemonSet pod that - can have an updated DaemonSet pod during during an update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up to a minimum of 1. - Default value is 0. - Example: when this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their a new pod created before the old pod is marked as deleted. - The update starts by launching new pods on 30% of nodes. Once an updated - pod is available (Ready for at least minReadySeconds) the old DaemonSet pod - on that node is marked deleted. If the old pod becomes unavailable for any - reason (Ready transitions to false, is evicted, or is drained) an updated - pod is immediately created on that node without considering surge limits. - Allowing surge implies the possibility that the resources consumed by the - daemonset on any given node can double if the readiness check fails, and - so resource intensive daemonsets should take into account that they may - cause evictions during disruption. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of DaemonSet pods that can be unavailable during the - update. Value can be an absolute number (ex: 5) or a percentage of total - number of DaemonSet pods at the start of the update (ex: 10%). Absolute - number is calculated from percentage by rounding up. - This cannot be 0 if MaxSurge is 0 - Default value is 1. - Example: when this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their pods stopped for an update at any given time. 
The update - starts by stopping at most 30% of those DaemonSet pods and then brings - up new DaemonSet pods in their place. Once the new pods are available, - it then proceeds onto other DaemonSet pods, thus ensuring that at least - 70% of original number of DaemonSet pods are available at all times during - the update. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of daemon set update. Can be "RollingUpdate" - or "OnDelete". Default is RollingUpdate. - type: string - type: object - type: object - deployment: - description: |- - Deployment specifies the Beat should be deployed as a Deployment, and allows providing its spec. - Cannot be used along with `daemonSet`. If both are absent a default for the Type is used. - properties: - podTemplate: - description: PodTemplateSpec describes the data a pod should have - when created from a template - type: object - x-kubernetes-preserve-unknown-fields: true - replicas: - format: int32 - type: integer - strategy: - description: DeploymentStrategy describes how to replace existing - pods with new ones. - properties: - rollingUpdate: - description: |- - Rolling update config params. Present only if DeploymentStrategyType = - RollingUpdate. - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be scheduled above the desired number of - pods. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up. - Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when - the rolling update starts, such that the total number of old and new pods do not exceed - 130% of desired pods. 
Once old pods have been killed, - new ReplicaSet can be scaled up further, ensuring that total number of pods running - at any time during the update is at most 130% of desired pods. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding down. - This can not be 0 if MaxSurge is 0. - Defaults to 25%. - Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods - immediately when the rolling update starts. Once new pods are ready, old ReplicaSet - can be scaled down further, followed by scaling up the new ReplicaSet, ensuring - that the total number of pods available at all times during the update is at - least 70% of desired pods. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of deployment. Can be "Recreate" or "RollingUpdate". - Default is RollingUpdate. - type: string - type: object - type: object - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster - running in the same Kubernetes cluster. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. 
- The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - image: - description: Image is the Beat Docker image to deploy. Version and - Type have to match the Beat in the image. - type: string - kibanaRef: - description: |- - KibanaRef is a reference to a Kibana instance running in the same Kubernetes cluster. - It allows automatic setup of dashboards and visualizations. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. 
- The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - monitoring: - description: |- - Monitoring enables you to collect and ship logs and metrics for this Beat. - Metricbeat and/or Filebeat sidecars are configured and send monitoring data to an - Elasticsearch monitoring cluster running in the same Kubernetes cluster. - properties: - logs: - description: Logs holds references to Elasticsearch clusters which - receive log data from an associated resource. - properties: - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of monitoring Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single Elasticsearch cluster is currently supported. - items: - description: |- - ObjectSelector defines a reference to a Kubernetes object which can be an Elastic resource managed by the operator - or a Secret describing an external Elastic resource not managed by the operator. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. 
- type: string - namespace: - description: Namespace of the Kubernetes object. If - empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. - The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - type: object - metrics: - description: Metrics holds references to Elasticsearch clusters - which receive monitoring data from this resource. - properties: - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of monitoring Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single Elasticsearch cluster is currently supported. - items: - description: |- - ObjectSelector defines a reference to a Kubernetes object which can be an Elastic resource managed by the operator - or a Secret describing an external Elastic resource not managed by the operator. 
- properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If - empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. - The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - type: object - type: object - revisionHistoryLimit: - description: RevisionHistoryLimit is the number of revisions to retain - to allow rollback in the underlying DaemonSet or Deployment. - format: int32 - type: integer - secureSettings: - description: |- - SecureSettings is a list of references to Kubernetes Secrets containing sensitive configuration options for the Beat. - Secrets data can be then referenced in the Beat config using the Secret's keys or as specified in `Entries` field of - each SecureSetting. 
- items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to Elasticsearch resource in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - type: - description: |- - Type is the type of the Beat to deploy (filebeat, metricbeat, heartbeat, auditbeat, journalbeat, packetbeat, and so on). - Any string can be used, but well-known types will have the image field defaulted and have the appropriate - Elasticsearch roles created automatically. It also allows for dashboard setup when combined with a `KibanaRef`. - maxLength: 20 - pattern: '[a-zA-Z0-9-]+' - type: string - version: - description: Version of the Beat. - type: string - required: - - type - - version - type: object - status: - description: BeatStatus defines the observed state of a Beat. - properties: - availableNodes: - format: int32 - type: integer - elasticsearchAssociationStatus: - description: AssociationStatus is the status of an association resource. 
- type: string - expectedNodes: - format: int32 - type: integer - health: - type: string - kibanaAssociationStatus: - description: AssociationStatus is the status of an association resource. - type: string - monitoringAssociationStatus: - additionalProperties: - description: AssociationStatus is the status of an association resource. - type: string - description: |- - AssociationStatusMap is the map of association's namespaced name string to its AssociationStatus. For resources that - have a single Association of a given type (for ex. single ES reference), this map contains a single entry. - type: object - observedGeneration: - description: |- - ObservedGeneration represents the .metadata.generation that the status is based upon. - It corresponds to the metadata generation, which is updated on mutation by the API Server. - If the generation observed in status diverges from the generation in metadata, the Beats - controller has not yet processed the changes contained in the Beats specification. - format: int64 - type: integer - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: elastic-operator/charts/eck-operator/charts/eck-operator-crds/templates/all-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.2.0' - helm.sh/chart: 'eck-operator-crds-3.2.0' - name: elasticmapsservers.maps.k8s.elastic.co -spec: - group: maps.k8s.elastic.co - names: - categories: - - elastic - kind: ElasticMapsServer - listKind: ElasticMapsServerList - plural: elasticmapsservers - shortNames: - - ems - singular: elasticmapsserver - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: ElasticMapsServer version - jsonPath: .status.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: ElasticMapsServer represents an Elastic Map Server resource in - a Kubernetes cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: MapsSpec holds the specification of an Elastic Maps Server - instance. - properties: - config: - description: 'Config holds the ElasticMapsServer configuration. See: - https://www.elastic.co/guide/en/kibana/current/maps-connect-to-ems.html#elastic-maps-server-configuration' - type: object - x-kubernetes-preserve-unknown-fields: true - configRef: - description: |- - ConfigRef contains a reference to an existing Kubernetes Secret holding the Elastic Maps Server configuration. - Configuration settings are merged and have precedence over settings specified in `config`. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - count: - description: Count of Elastic Maps Server instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster - running in the same Kubernetes cluster. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. 
- The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - http: - description: HTTP holds the HTTP layer configuration for Elastic Maps - Server. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. 
If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. 
- This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. 
Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. 
- format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. 
If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. 
- Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's - port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. 
When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. 
- More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. 
- properties: - clientIP: - description: clientIP contains the configurations - of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic - is distributed to Service endpoints. Implementations can use this field - as a hint, but are not required to guarantee strict adherence. If the - field is not set, the implementation will apply its default routing - strategy. If set to "PreferClose", implementations should prioritize - endpoints that are in the same zone. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. 
- More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the - self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning - of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs - to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN - entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Elastic Maps Server Docker image to deploy. - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the Elastic Maps - Server pods - type: object - x-kubernetes-preserve-unknown-fields: true - revisionHistoryLimit: - description: RevisionHistoryLimit is the number of revisions to retain - to allow rollback in the underlying Deployment. 
- format: int32 - type: integer - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to a resource (for ex. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of Elastic Maps Server. - type: string - required: - - version - type: object - status: - description: MapsStatus defines the observed state of Elastic Maps Server - properties: - associationStatus: - description: AssociationStatus is the status of an association resource. - type: string - availableNodes: - description: AvailableNodes is the number of available replicas in - the deployment. - format: int32 - type: integer - count: - description: Count corresponds to Scale.Status.Replicas, which is - the actual number of observed instances of the scaled object. - format: int32 - type: integer - health: - description: Health of the deployment. - type: string - observedGeneration: - description: |- - ObservedGeneration is the most recent generation observed for this Elastic Maps Server. - It corresponds to the metadata generation, which is updated on mutation by the API Server. - If the generation observed in status diverges from the generation in metadata, the Elastic - Maps controller has not yet processed the changes contained in the Elastic Maps specification. - format: int64 - type: integer - selector: - description: Selector is the label selector used to find all pods. - type: string - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - scale: - labelSelectorPath: .status.selector - specReplicasPath: .spec.count - statusReplicasPath: .status.count - status: {} ---- -# Source: elastic-operator/charts/eck-operator/charts/eck-operator-crds/templates/all-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.2.0' - helm.sh/chart: 'eck-operator-crds-3.2.0' - name: elasticsearchautoscalers.autoscaling.k8s.elastic.co -spec: - group: autoscaling.k8s.elastic.co - names: - categories: - - elastic - kind: ElasticsearchAutoscaler - listKind: ElasticsearchAutoscalerList - plural: elasticsearchautoscalers - shortNames: - - esa - singular: elasticsearchautoscaler - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.elasticsearchRef.name - name: Target - type: string - - jsonPath: .status.conditions[?(@.type=='Active')].status - name: Active - type: string - - jsonPath: .status.conditions[?(@.type=='Healthy')].status - name: Healthy - type: string - - jsonPath: .status.conditions[?(@.type=='Limited')].status - name: Limited - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: ElasticsearchAutoscaler represents an ElasticsearchAutoscaler - resource in a Kubernetes cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ElasticsearchAutoscalerSpec holds the specification of an - Elasticsearch autoscaler resource. - properties: - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster - that exists in the same namespace. - properties: - name: - description: Name is the name of the Elasticsearch resource to - scale automatically. - minLength: 1 - type: string - type: object - policies: - items: - description: AutoscalingPolicySpec holds a named autoscaling policy - and the associated resources limits (cpu, memory, storage). - properties: - deciders: - additionalProperties: - additionalProperties: - type: string - description: |- - DeciderSettings allow the user to tweak autoscaling deciders. - The map data structure complies with the format expected by Elasticsearch. - type: object - description: Deciders allow the user to override default settings - for autoscaling deciders. - type: object - name: - description: Name identifies the autoscaling policy in the autoscaling - specification. - type: string - resources: - description: |- - AutoscalingResources model the limits, submitted by the user, for the supported resources in an autoscaling policy. - Only the node count range is mandatory. For other resources, a limit range is required only - if the Elasticsearch autoscaling capacity API returns a requirement for a given resource. 
- For example, the memory limit range is only required if the autoscaling API response contains a memory requirement. - If there is no limit range for a resource, and if that resource is not mandatory, then the resources in the NodeSets - managed by the autoscaling policy are left untouched. - properties: - cpu: - description: QuantityRange models a resource limit range - for resources which can be expressed with resource.Quantity. - properties: - max: - anyOf: - - type: integer - - type: string - description: Max represents the upper limit for the - resources managed by the autoscaler. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - min: - anyOf: - - type: integer - - type: string - description: Min represents the lower limit for the - resources managed by the autoscaler. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - requestsToLimitsRatio: - anyOf: - - type: integer - - type: string - description: RequestsToLimitsRatio allows to customize - Kubernetes resource Limit based on the Request. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - required: - - max - - min - type: object - memory: - description: QuantityRange models a resource limit range - for resources which can be expressed with resource.Quantity. - properties: - max: - anyOf: - - type: integer - - type: string - description: Max represents the upper limit for the - resources managed by the autoscaler. 
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - min: - anyOf: - - type: integer - - type: string - description: Min represents the lower limit for the - resources managed by the autoscaler. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - requestsToLimitsRatio: - anyOf: - - type: integer - - type: string - description: RequestsToLimitsRatio allows to customize - Kubernetes resource Limit based on the Request. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - required: - - max - - min - type: object - nodeCount: - description: NodeCountRange is used to model the minimum - and the maximum number of nodes over all the NodeSets - managed by the same autoscaling policy. - properties: - max: - description: Max represents the maximum number of nodes - in a tier. - format: int32 - type: integer - min: - description: Min represents the minimum number of nodes - in a tier. - format: int32 - type: integer - required: - - max - - min - type: object - storage: - description: QuantityRange models a resource limit range - for resources which can be expressed with resource.Quantity. - properties: - max: - anyOf: - - type: integer - - type: string - description: Max represents the upper limit for the - resources managed by the autoscaler. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - min: - anyOf: - - type: integer - - type: string - description: Min represents the lower limit for the - resources managed by the autoscaler. 
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - requestsToLimitsRatio: - anyOf: - - type: integer - - type: string - description: RequestsToLimitsRatio allows to customize - Kubernetes resource Limit based on the Request. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - required: - - max - - min - type: object - required: - - nodeCount - type: object - roles: - description: An autoscaling policy must target a unique set - of roles. - items: - type: string - type: array - required: - - resources - type: object - type: array - pollingPeriod: - description: PollingPeriod is the period at which to synchronize with - the Elasticsearch autoscaling API. - type: string - required: - - elasticsearchRef - - policies - type: object - status: - properties: - conditions: - description: Conditions holds the current service state of the autoscaling - controller. - items: - description: |- - Condition represents Elasticsearch resource's condition. - **This API is in technical preview and may be changed or removed in a future release.** - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - status: - type: string - type: - description: ConditionType defines the condition of an Elasticsearch - resource. - type: string - required: - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last observed generation by - the controller. - format: int64 - type: integer - policies: - description: AutoscalingPolicyStatuses is used to expose state messages - to user or external system. - items: - properties: - lastModificationTime: - description: LastModificationTime is the last time the resources - have been updated, used by the cooldown algorithm. 
- format: date-time - type: string - name: - description: Name is the name of the autoscaling policy - type: string - nodeSets: - description: NodeSetNodeCount holds the number of nodes for - each nodeSet. - items: - description: NodeSetNodeCount models the number of nodes expected - in a given NodeSet. - properties: - name: - description: Name of the Nodeset. - type: string - nodeCount: - description: NodeCount is the number of nodes, as computed - by the autoscaler, expected in this NodeSet. - format: int32 - type: integer - required: - - name - - nodeCount - type: object - type: array - resources: - description: |- - ResourcesSpecification holds the resource values common to all the nodeSets managed by a same autoscaling policy. - Only the resources managed by the autoscaling controller are saved in the Status. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. - type: object - type: object - state: - description: PolicyStates may contain various messages regarding - the current state of this autoscaling policy. 
- items: - properties: - messages: - items: - type: string - type: array - type: - type: string - required: - - messages - - type - type: object - type: array - required: - - name - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: elastic-operator/charts/eck-operator/charts/eck-operator-crds/templates/all-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.2.0' - helm.sh/chart: 'eck-operator-crds-3.2.0' - name: elasticsearches.elasticsearch.k8s.elastic.co -spec: - group: elasticsearch.k8s.elastic.co - names: - categories: - - elastic - kind: Elasticsearch - listKind: ElasticsearchList - plural: elasticsearches - shortNames: - - es - singular: elasticsearch - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: Elasticsearch version - jsonPath: .status.version - name: version - type: string - - jsonPath: .status.phase - name: phase - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1 - schema: - openAPIV3Schema: - description: Elasticsearch represents an Elasticsearch resource in a Kubernetes - cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ElasticsearchSpec holds the specification of an Elasticsearch - cluster. - properties: - auth: - description: Auth contains user authentication and authorization security - settings for Elasticsearch. - properties: - disableElasticUser: - description: DisableElasticUser disables the default elastic user - that is created by ECK. - type: boolean - fileRealm: - description: FileRealm to propagate to the Elasticsearch cluster. - items: - description: FileRealmSource references users to create in the - Elasticsearch cluster. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - type: array - roles: - description: Roles to propagate to the Elasticsearch cluster. - items: - description: RoleSource references roles to create in the Elasticsearch - cluster. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - type: array - type: object - http: - description: HTTP holds HTTP layer settings for Elasticsearch. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. 
- properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. 
- More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. 
The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. 
load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. 
- items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. 
- This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's - port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). 
- - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. 
Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. 
- Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations - of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic - is distributed to Service endpoints. Implementations can use this field - as a hint, but are not required to guarantee strict adherence. If the - field is not set, the implementation will apply its default routing - strategy. If set to "PreferClose", implementations should prioritize - endpoints that are in the same zone. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. 
- "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the - self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning - of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs - to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN - entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Elasticsearch Docker image to deploy. - type: string - monitoring: - description: |- - Monitoring enables you to collect and ship log and monitoring data of this Elasticsearch cluster. - See https://www.elastic.co/guide/en/elasticsearch/reference/current/monitor-elasticsearch-cluster.html. 
- Metricbeat and Filebeat are deployed in the same Pod as sidecars and each one sends data to one or two different - Elasticsearch monitoring clusters running in the same Kubernetes cluster. - properties: - logs: - description: Logs holds references to Elasticsearch clusters which - receive log data from an associated resource. - properties: - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of monitoring Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single Elasticsearch cluster is currently supported. - items: - description: |- - ObjectSelector defines a reference to a Kubernetes object which can be an Elastic resource managed by the operator - or a Secret describing an external Elastic resource not managed by the operator. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If - empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. - The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. 
- type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - type: object - metrics: - description: Metrics holds references to Elasticsearch clusters - which receive monitoring data from this resource. - properties: - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of monitoring Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single Elasticsearch cluster is currently supported. - items: - description: |- - ObjectSelector defines a reference to a Kubernetes object which can be an Elastic resource managed by the operator - or a Secret describing an external Elastic resource not managed by the operator. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If - empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. 
- The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - type: object - type: object - nodeSets: - description: NodeSets allow specifying groups of Elasticsearch nodes - sharing the same configuration and Pod templates. - items: - description: NodeSet is the specification for a group of Elasticsearch - nodes sharing the same configuration and a Pod template. - properties: - config: - description: Config holds the Elasticsearch configuration. - type: object - x-kubernetes-preserve-unknown-fields: true - count: - description: |- - Count of Elasticsearch nodes to deploy. - If the node set is managed by an autoscaling policy the initial value is automatically set by the autoscaling controller. - format: int32 - type: integer - name: - description: Name of this set of nodes. Becomes a part of the - Elasticsearch node.name setting. - maxLength: 23 - pattern: '[a-zA-Z0-9-]+' - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, - annotations, affinity rules, resource requests, and so on) - for the Pods belonging to this NodeSet. 
- type: object - x-kubernetes-preserve-unknown-fields: true - volumeClaimTemplates: - description: |- - VolumeClaimTemplates is a list of persistent volume claims to be used by each Pod in this NodeSet. - Every claim in this list must have a matching volumeMount in one of the containers defined in the PodTemplate. - Items defined here take precedence over any default claims added by the operator with the same name. - items: - description: PersistentVolumeClaim is a user's request for - and claim to a persistent volume - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - description: |- - Standard object's metadata. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. 
For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes - to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. 
- If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to - the PersistentVolume backing this claim. - type: string - type: object - type: object - type: array - required: - - name - type: object - minItems: 1 - type: array - podDisruptionBudget: - description: |- - PodDisruptionBudget provides access to the default Pod disruption budget(s) for the Elasticsearch cluster. - The behavior depends on the license level. - With a Basic license or if podDisruptionBudget.spec is not empty: - The default budget doesn't allow any Pod to be removed in case the cluster is not green or if there is only one node of type `data` or `master`. - In all other cases the default podDisruptionBudget sets `minUnavailable` equal to the total number of nodes minus 1. - With an Enterprise license and if podDisruptionBudget.spec is empty: - The default budget is split into multiple budgets, each targeting a specific node role type allowing additional disruptions - for certain roles according to the health status of the cluster. - Example: - All data roles (excluding frozen): allows disruptions only when the cluster is green. - All other roles: allows disruptions only when the cluster is yellow or green. - To disable, set `podDisruptionBudget` to the empty value (`{}` in YAML). - properties: - metadata: - description: |- - ObjectMeta is the metadata of the PDB. - The name and namespace provided here are managed by ECK and will be ignored. 
- properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the PDB. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - An eviction is allowed if at most "maxUnavailable" pods selected by - "selector" are unavailable after the eviction, i.e. even in absence of - the evicted pod. For example, one can prevent all voluntary evictions - by specifying 0. This is a mutually exclusive setting with "minAvailable". - x-kubernetes-int-or-string: true - minAvailable: - anyOf: - - type: integer - - type: string - description: |- - An eviction is allowed if at least "minAvailable" pods selected by - "selector" will still be available after the eviction, i.e. even in the - absence of the evicted pod. So for example you can prevent all voluntary - evictions by specifying "100%". - x-kubernetes-int-or-string: true - selector: - description: |- - Label query over pods whose evictions are managed by the disruption - budget. - A null selector will match no pods, while an empty ({}) selector will select - all pods within the namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. 
If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - unhealthyPodEvictionPolicy: - description: |- - UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods - should be considered for eviction. Current implementation considers healthy pods, - as pods that have status.conditions item with type="Ready",status="True". - - Valid policies are IfHealthyBudget and AlwaysAllow. - If no policy is specified, the default behavior will be used, - which corresponds to the IfHealthyBudget policy. - - IfHealthyBudget policy means that running pods (status.phase="Running"), - but not yet healthy can be evicted only if the guarded application is not - disrupted (status.currentHealthy is at least equal to status.desiredHealthy). - Healthy pods will be subject to the PDB for eviction. - - AlwaysAllow policy means that all running pods (status.phase="Running"), - but not yet healthy are considered disrupted and can be evicted regardless - of whether the criteria in a PDB is met. This means perspective running - pods of a disrupted application might not get a chance to become healthy. - Healthy pods will be subject to the PDB for eviction. - - Additional policies may be added in the future. 
- Clients making eviction decisions should disallow eviction of unhealthy pods - if they encounter an unrecognized policy in this field. - type: string - type: object - type: object - remoteClusterServer: - description: |- - RemoteClusterServer specifies if the remote cluster server should be enabled. - This must be enabled if this cluster is a remote cluster which is expected to be accessed using API key authentication. - properties: - enabled: - type: boolean - type: object - remoteClusters: - description: RemoteClusters enables you to establish uni-directional - connections to a remote Elasticsearch cluster. - items: - description: RemoteCluster declares a remote Elasticsearch cluster - connection. - properties: - apiKey: - description: 'APIKey can be used to enable remote cluster access - using Cross-Cluster API keys: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-cross-cluster-api-key.html' - properties: - access: - description: Access is the name of the API Key. It is automatically - generated if not set or empty. - properties: - replication: - properties: - names: - items: - type: string - type: array - required: - - names - type: object - search: - properties: - allow_restricted_indices: - type: boolean - field_security: - properties: - except: - items: - type: string - type: array - grant: - items: - type: string - type: array - required: - - except - - grant - type: object - names: - items: - type: string - type: array - query: - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - names - type: object - type: object - required: - - access - type: object - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch - cluster running within the same k8s cluster. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. 
If empty, - defaults to the current namespace. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - name: - description: |- - Name is the name of the remote cluster as it is set in the Elasticsearch settings. - The name is expected to be unique for each remote clusters. - minLength: 1 - type: string - required: - - name - type: object - type: array - revisionHistoryLimit: - description: RevisionHistoryLimit is the number of revisions to retain - to allow rollback in the underlying StatefulSets. - format: int32 - type: integer - secureSettings: - description: SecureSettings is a list of references to Kubernetes - secrets containing sensitive configuration options for Elasticsearch. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. 
- type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to a resource (for ex. a remote Elasticsearch cluster) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - transport: - description: Transport holds transport layer settings for Elasticsearch. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. 
This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. 
If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) 
The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. 
If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". 
Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. 
- More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's - port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. 
changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. 
- type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations - of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic - is distributed to Service endpoints. Implementations can use this field - as a hint, but are not required to guarantee strict adherence. If the - field is not set, the implementation will apply its default routing - strategy. If set to "PreferClose", implementations should prioritize - endpoints that are in the same zone. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. 
Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS on the transport - layer. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the CA certificate - and private key for generating node certificates. - The referenced secret should contain the following: - - - `ca.crt`: The CA certificate in PEM format. - - `ca.key`: The private key for the CA certificate in PEM format. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - certificateAuthorities: - description: |- - CertificateAuthorities is a reference to a config map that contains one or more x509 certificates for - trusted authorities in PEM format. The certificates need to be in a file called `ca.crt`. 
- properties: - configMapName: - type: string - type: object - otherNameSuffix: - description: |- - OtherNameSuffix when defined will be prefixed with the Pod name and used as the common name, - and the first DNSName, as well as an OtherName required by Elasticsearch in the Subject Alternative Name - extension of each Elasticsearch node's transport TLS certificate. - Example: if set to "node.cluster.local", the generated certificate will have its otherName set to ".node.cluster.local". - type: string - selfSignedCertificates: - description: SelfSignedCertificates allows configuring the - self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that provisioning of the - self-signed certificates should be disabled. - type: boolean - type: object - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated node transport TLS certificates. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - updateStrategy: - description: UpdateStrategy specifies how updates to the cluster should - be performed. - properties: - changeBudget: - description: ChangeBudget defines the constraints to consider - when applying changes to the Elasticsearch cluster. - properties: - maxSurge: - description: |- - MaxSurge is the maximum number of new Pods that can be created exceeding the original number of Pods defined in - the specification. MaxSurge is only taken into consideration when scaling up. Setting a negative value will - disable the restriction. Defaults to unbounded if not specified. 
- format: int32 - type: integer - maxUnavailable: - description: |- - MaxUnavailable is the maximum number of Pods that can be unavailable (not ready) during the update due to - circumstances under the control of the operator. Setting a negative value will disable this restriction. - Defaults to 1 if not specified. - format: int32 - type: integer - type: object - type: object - version: - description: Version of Elasticsearch. - type: string - volumeClaimDeletePolicy: - description: |- - VolumeClaimDeletePolicy sets the policy for handling deletion of PersistentVolumeClaims for all NodeSets. - Possible values are DeleteOnScaledownOnly and DeleteOnScaledownAndClusterDeletion. Defaults to DeleteOnScaledownAndClusterDeletion. - enum: - - DeleteOnScaledownOnly - - DeleteOnScaledownAndClusterDeletion - type: string - required: - - nodeSets - - version - type: object - status: - description: ElasticsearchStatus represents the observed state of Elasticsearch. - properties: - availableNodes: - description: AvailableNodes is the number of available instances. - format: int32 - type: integer - conditions: - description: |- - Conditions holds the current service state of an Elasticsearch cluster. - **This API is in technical preview and may be changed or removed in a future release.** - items: - description: |- - Condition represents Elasticsearch resource's condition. - **This API is in technical preview and may be changed or removed in a future release.** - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - status: - type: string - type: - description: ConditionType defines the condition of an Elasticsearch - resource. - type: string - required: - - status - - type - type: object - type: array - health: - description: ElasticsearchHealth is the health of the cluster as returned - by the health API. 
- type: string - inProgressOperations: - description: |- - InProgressOperations represents changes being applied by the operator to the Elasticsearch cluster. - **This API is in technical preview and may be changed or removed in a future release.** - properties: - downscale: - description: |- - DownscaleOperation provides details about in progress downscale operations. - **This API is in technical preview and may be changed or removed in a future release.** - properties: - lastUpdatedTime: - format: date-time - type: string - nodes: - description: Nodes which are scheduled to be removed from - the cluster. - items: - description: |- - DownscaledNode provides an overview of in progress changes applied by the operator to remove Elasticsearch nodes from the cluster. - **This API is in technical preview and may be changed or removed in a future release.** - properties: - explanation: - description: |- - Explanation provides details about an in progress node shutdown. It is only available for clusters managed with the - Elasticsearch shutdown API. - type: string - name: - description: Name of the Elasticsearch node that should - be removed. - type: string - shutdownStatus: - description: |- - Shutdown status as returned by the Elasticsearch shutdown API. - If the Elasticsearch shutdown API is not available, the shutdown status is then inferred from the remaining - shards on the nodes, as observed by the operator. - type: string - required: - - name - - shutdownStatus - type: object - type: array - stalled: - description: |- - Stalled represents a state where no progress can be made. - It is only available for clusters managed with the Elasticsearch shutdown API. - type: boolean - type: object - upgrade: - description: |- - UpgradeOperation provides an overview of the pending or in progress changes applied by the operator to update the Elasticsearch nodes in the cluster. 
- **This API is in technical preview and may be changed or removed in a future release.** - properties: - lastUpdatedTime: - format: date-time - type: string - nodes: - description: Nodes that must be restarted for upgrade. - items: - description: |- - UpgradedNode provides details about the status of nodes which are expected to be updated. - **This API is in technical preview and may be changed or removed in a future release.** - properties: - message: - description: Optional message to explain why a node - may not be immediately restarted for upgrade. - type: string - name: - description: Name of the Elasticsearch node that should - be upgraded. - type: string - predicate: - description: Predicate is the name of the predicate - currently preventing this node from being deleted - for an upgrade. - type: string - status: - description: |- - Status states if the node is either in the process of being deleted for an upgrade, - or blocked by a predicate or another condition stated in the message field. - type: string - required: - - name - - status - type: object - type: array - type: object - upscale: - description: |- - UpscaleOperation provides an overview of in progress changes applied by the operator to add Elasticsearch nodes to the cluster. - **This API is in technical preview and may be changed or removed in a future release.** - properties: - lastUpdatedTime: - format: date-time - type: string - nodes: - description: Nodes expected to be added by the operator. - items: - properties: - message: - description: Optional message to explain why a node - may not be immediately added. - type: string - name: - description: Name of the Elasticsearch node that should - be added to the cluster. - type: string - status: - description: NewNodeStatus states if a new node is being - created, or if the upscale is delayed. 
- type: string - required: - - name - - status - type: object - type: array - type: object - required: - - downscale - - upgrade - - upscale - type: object - monitoringAssociationStatus: - additionalProperties: - description: AssociationStatus is the status of an association resource. - type: string - description: |- - AssociationStatusMap is the map of association's namespaced name string to its AssociationStatus. For resources that - have a single Association of a given type (for ex. single ES reference), this map contains a single entry. - type: object - observedGeneration: - description: |- - ObservedGeneration is the most recent generation observed for this Elasticsearch cluster. - It corresponds to the metadata generation, which is updated on mutation by the API Server. - If the generation observed in status diverges from the generation in metadata, the Elasticsearch - controller has not yet processed the changes contained in the Elasticsearch specification. - format: int64 - type: integer - phase: - description: ElasticsearchOrchestrationPhase is the phase Elasticsearch - is in from the controller point of view. - type: string - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: Elasticsearch version - jsonPath: .spec.version - name: version - type: string - - jsonPath: .status.phase - name: phase - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Elasticsearch represents an Elasticsearch resource in a Kubernetes - cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ElasticsearchSpec holds the specification of an Elasticsearch - cluster. - properties: - http: - description: HTTP holds HTTP layer settings for Elasticsearch. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. 
- properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. 
- More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. 
The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. 
load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. 
- items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. 
- This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's - port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). 
- - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. 
Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. 
- Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations - of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic - is distributed to Service endpoints. Implementations can use this field - as a hint, but are not required to guarantee strict adherence. If the - field is not set, the implementation will apply its default routing - strategy. If set to "PreferClose", implementations should prioritize - endpoints that are in the same zone. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. 
- "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the - self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning - of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs - to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN - entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Elasticsearch Docker image to deploy. - type: string - nodeSets: - description: NodeSets allow specifying groups of Elasticsearch nodes - sharing the same configuration and Pod templates. - items: - description: NodeSet is the specification for a group of Elasticsearch - nodes sharing the same configuration and a Pod template. 
- properties: - config: - description: Config holds the Elasticsearch configuration. - type: object - count: - description: Count of Elasticsearch nodes to deploy. - format: int32 - minimum: 1 - type: integer - name: - description: Name of this set of nodes. Becomes a part of the - Elasticsearch node.name setting. - maxLength: 23 - pattern: '[a-zA-Z0-9-]+' - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, - annotations, affinity rules, resource requests, and so on) - for the Pods belonging to this NodeSet. - type: object - volumeClaimTemplates: - description: |- - VolumeClaimTemplates is a list of persistent volume claims to be used by each Pod in this NodeSet. - Every claim in this list must have a matching volumeMount in one of the containers defined in the PodTemplate. - Items defined here take precedence over any default claims added by the operator with the same name. - items: - description: PersistentVolumeClaim is a user's request for - and claim to a persistent volume - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - description: |- - Standard object's metadata. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. 
- type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. 
- If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes - to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to - the PersistentVolume backing this claim. - type: string - type: object - type: object - type: array - required: - - count - - name - type: object - minItems: 1 - type: array - podDisruptionBudget: - description: |- - PodDisruptionBudget provides access to the default pod disruption budget for the Elasticsearch cluster. - The default budget selects all cluster pods and sets `maxUnavailable` to 1. To disable, set `PodDisruptionBudget` - to the empty value (`{}` in YAML). - properties: - metadata: - description: |- - ObjectMeta is the metadata of the PDB. - The name and namespace provided here are managed by ECK and will be ignored. 
- properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the PDB. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - An eviction is allowed if at most "maxUnavailable" pods selected by - "selector" are unavailable after the eviction, i.e. even in absence of - the evicted pod. For example, one can prevent all voluntary evictions - by specifying 0. This is a mutually exclusive setting with "minAvailable". - x-kubernetes-int-or-string: true - minAvailable: - anyOf: - - type: integer - - type: string - description: |- - An eviction is allowed if at least "minAvailable" pods selected by - "selector" will still be available after the eviction, i.e. even in the - absence of the evicted pod. So for example you can prevent all voluntary - evictions by specifying "100%". - x-kubernetes-int-or-string: true - selector: - description: |- - Label query over pods whose evictions are managed by the disruption - budget. - A null selector selects no pods. - An empty selector ({}) also selects no pods, which differs from standard behavior of selecting all pods. - In policy/v1, an empty selector will select all pods in the namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - unhealthyPodEvictionPolicy: - description: |- - UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods - should be considered for eviction. Current implementation considers healthy pods, - as pods that have status.conditions item with type="Ready",status="True". - - Valid policies are IfHealthyBudget and AlwaysAllow. - If no policy is specified, the default behavior will be used, - which corresponds to the IfHealthyBudget policy. - - IfHealthyBudget policy means that running pods (status.phase="Running"), - but not yet healthy can be evicted only if the guarded application is not - disrupted (status.currentHealthy is at least equal to status.desiredHealthy). - Healthy pods will be subject to the PDB for eviction. - - AlwaysAllow policy means that all running pods (status.phase="Running"), - but not yet healthy are considered disrupted and can be evicted regardless - of whether the criteria in a PDB is met. This means perspective running - pods of a disrupted application might not get a chance to become healthy. - Healthy pods will be subject to the PDB for eviction. 
- - Additional policies may be added in the future. - Clients making eviction decisions should disallow eviction of unhealthy pods - if they encounter an unrecognized policy in this field. - type: string - type: object - type: object - secureSettings: - description: SecureSettings is a list of references to Kubernetes - secrets containing sensitive configuration options for Elasticsearch. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - updateStrategy: - description: UpdateStrategy specifies how updates to the cluster should - be performed. - properties: - changeBudget: - description: ChangeBudget defines the constraints to consider - when applying changes to the Elasticsearch cluster. - properties: - maxSurge: - description: |- - MaxSurge is the maximum number of new pods that can be created exceeding the original number of pods defined in - the specification. MaxSurge is only taken into consideration when scaling up. Setting a negative value will - disable the restriction. Defaults to unbounded if not specified. 
- format: int32 - type: integer - maxUnavailable: - description: |- - MaxUnavailable is the maximum number of pods that can be unavailable (not ready) during the update due to - circumstances under the control of the operator. Setting a negative value will disable this restriction. - Defaults to 1 if not specified. - format: int32 - type: integer - type: object - type: object - version: - description: Version of Elasticsearch. - type: string - required: - - nodeSets - type: object - status: - description: ElasticsearchStatus defines the observed state of Elasticsearch - properties: - availableNodes: - format: int32 - type: integer - health: - description: ElasticsearchHealth is the health of the cluster as returned - by the health API. - type: string - phase: - description: ElasticsearchOrchestrationPhase is the phase Elasticsearch - is in from the controller point of view. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha1 - schema: - openAPIV3Schema: - description: to not break compatibility when upgrading from previous versions - of the CRD - type: object - served: false - storage: false ---- -# Source: elastic-operator/charts/eck-operator/charts/eck-operator-crds/templates/all-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.2.0' - helm.sh/chart: 'eck-operator-crds-3.2.0' - name: enterprisesearches.enterprisesearch.k8s.elastic.co -spec: - group: enterprisesearch.k8s.elastic.co - names: - categories: - - elastic - kind: EnterpriseSearch - listKind: EnterpriseSearchList - plural: enterprisesearches - shortNames: - - ent - singular: enterprisesearch - scope: Namespaced - versions: - - 
additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: Enterprise Search version - jsonPath: .status.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1 - schema: - openAPIV3Schema: - description: EnterpriseSearch is a Kubernetes CRD to represent Enterprise - Search. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: EnterpriseSearchSpec holds the specification of an Enterprise - Search resource. - properties: - config: - description: Config holds the Enterprise Search configuration. - type: object - x-kubernetes-preserve-unknown-fields: true - configRef: - description: |- - ConfigRef contains a reference to an existing Kubernetes Secret holding the Enterprise Search configuration. - Configuration settings are merged and have precedence over settings specified in `config`. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - count: - description: Count of Enterprise Search instances to deploy. 
- format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to the Elasticsearch - cluster running in the same Kubernetes cluster. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. - The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - http: - description: HTTP holds the HTTP layer configuration for Enterprise - Search resource. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. 
- properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. 
- More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. 
The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. 
load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. 
- items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. 
- This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's - port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). 
- - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. 
Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. 
- Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations - of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic - is distributed to Service endpoints. Implementations can use this field - as a hint, but are not required to guarantee strict adherence. If the - field is not set, the implementation will apply its default routing - strategy. If set to "PreferClose", implementations should prioritize - endpoints that are in the same zone. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. 
- "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the - self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning - of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs - to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN - entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Enterprise Search Docker image to deploy. - type: string - podTemplate: - description: |- - PodTemplate provides customisation options (labels, annotations, affinity rules, resource requests, and so on) - for the Enterprise Search pods. 
- type: object - x-kubernetes-preserve-unknown-fields: true - revisionHistoryLimit: - description: RevisionHistoryLimit is the number of revisions to retain - to allow rollback in the underlying Deployment. - format: int32 - type: integer - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to a resource (for ex. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of Enterprise Search. - type: string - type: object - status: - description: EnterpriseSearchStatus defines the observed state of EnterpriseSearch - properties: - associationStatus: - description: Association is the status of any auto-linking to Elasticsearch - clusters. - type: string - availableNodes: - description: AvailableNodes is the number of available replicas in - the deployment. - format: int32 - type: integer - count: - description: Count corresponds to Scale.Status.Replicas, which is - the actual number of observed instances of the scaled object. - format: int32 - type: integer - health: - description: Health of the deployment. - type: string - observedGeneration: - description: |- - ObservedGeneration represents the .metadata.generation that the status is based upon. - It corresponds to the metadata generation, which is updated on mutation by the API Server. - If the generation observed in status diverges from the generation in metadata, the Enterprise Search - controller has not yet processed the changes contained in the Enterprise Search specification. - format: int64 - type: integer - selector: - description: Selector is the label selector used to find all pods. - type: string - service: - description: ExternalService is the name of the service associated - to the Enterprise Search Pods. - type: string - version: - description: |- - Version of the stack resource currently running. 
During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. - type: string - type: object - type: object - served: true - storage: true - subresources: - scale: - labelSelectorPath: .status.selector - specReplicasPath: .spec.count - statusReplicasPath: .status.count - status: {} - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: Enterprise Search version - jsonPath: .status.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: EnterpriseSearch is a Kubernetes CRD to represent Enterprise - Search. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: EnterpriseSearchSpec holds the specification of an Enterprise - Search resource. - properties: - config: - description: Config holds the Enterprise Search configuration. - type: object - x-kubernetes-preserve-unknown-fields: true - configRef: - description: |- - ConfigRef contains a reference to an existing Kubernetes Secret holding the Enterprise Search configuration. 
- Configuration settings are merged and have precedence over settings specified in `config`. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - count: - description: Count of Enterprise Search instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to the Elasticsearch - cluster running in the same Kubernetes cluster. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. - The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - http: - description: HTTP holds the HTTP layer configuration for Enterprise - Search resource. 
- properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. 
Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. 
- More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. 
- type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. 
- This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. 
cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's - port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). 
- - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. 
Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. 
- Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations - of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic - is distributed to Service endpoints. Implementations can use this field - as a hint, but are not required to guarantee strict adherence. If the - field is not set, the implementation will apply its default routing - strategy. If set to "PreferClose", implementations should prioritize - endpoints that are in the same zone. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. 
- "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the - self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning - of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs - to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN - entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Enterprise Search Docker image to deploy. - type: string - podTemplate: - description: |- - PodTemplate provides customisation options (labels, annotations, affinity rules, resource requests, and so on) - for the Enterprise Search pods. 
- type: object - x-kubernetes-preserve-unknown-fields: true - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to a resource (for ex. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of Enterprise Search. - type: string - type: object - status: - description: EnterpriseSearchStatus defines the observed state of EnterpriseSearch - properties: - associationStatus: - description: Association is the status of any auto-linking to Elasticsearch - clusters. - type: string - availableNodes: - description: AvailableNodes is the number of available replicas in - the deployment. - format: int32 - type: integer - count: - description: Count corresponds to Scale.Status.Replicas, which is - the actual number of observed instances of the scaled object. - format: int32 - type: integer - health: - description: Health of the deployment. - type: string - selector: - description: Selector is the label selector used to find all pods. - type: string - service: - description: ExternalService is the name of the service associated - to the Enterprise Search Pods. - type: string - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. 
- type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} ---- -# Source: elastic-operator/charts/eck-operator/charts/eck-operator-crds/templates/all-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.2.0' - helm.sh/chart: 'eck-operator-crds-3.2.0' - name: kibanas.kibana.k8s.elastic.co -spec: - group: kibana.k8s.elastic.co - names: - categories: - - elastic - kind: Kibana - listKind: KibanaList - plural: kibanas - shortNames: - - kb - singular: kibana - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: Kibana version - jsonPath: .status.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1 - schema: - openAPIV3Schema: - description: Kibana represents a Kibana resource in a Kubernetes cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: KibanaSpec holds the specification of a Kibana instance. - properties: - config: - description: 'Config holds the Kibana configuration. See: https://www.elastic.co/guide/en/kibana/current/settings.html' - type: object - x-kubernetes-preserve-unknown-fields: true - count: - description: Count of Kibana instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster - running in the same Kubernetes cluster. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. - The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. 
If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - enterpriseSearchRef: - description: |- - EnterpriseSearchRef is a reference to an EnterpriseSearch running in the same Kubernetes cluster. - Kibana provides the default Enterprise Search UI starting version 7.14. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. - The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - http: - description: HTTP holds the HTTP layer configuration for Kibana. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. 
- properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. 
If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. 
- More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. 
- type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. 
- This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. 
cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's - port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). 
- - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. 
Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. 
- Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations - of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic - is distributed to Service endpoints. Implementations can use this field - as a hint, but are not required to guarantee strict adherence. If the - field is not set, the implementation will apply its default routing - strategy. If set to "PreferClose", implementations should prioritize - endpoints that are in the same zone. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. 
- "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the - self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning - of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs - to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN - entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Kibana Docker image to deploy. - type: string - monitoring: - description: |- - Monitoring enables you to collect and ship log and monitoring data of this Kibana. - See https://www.elastic.co/guide/en/kibana/current/xpack-monitoring.html. 
- Metricbeat and Filebeat are deployed in the same Pod as sidecars and each one sends data to one or two different - Elasticsearch monitoring clusters running in the same Kubernetes cluster. - properties: - logs: - description: Logs holds references to Elasticsearch clusters which - receive log data from an associated resource. - properties: - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of monitoring Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single Elasticsearch cluster is currently supported. - items: - description: |- - ObjectSelector defines a reference to a Kubernetes object which can be an Elastic resource managed by the operator - or a Secret describing an external Elastic resource not managed by the operator. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If - empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. - The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. 
- type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - type: object - metrics: - description: Metrics holds references to Elasticsearch clusters - which receive monitoring data from this resource. - properties: - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of monitoring Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single Elasticsearch cluster is currently supported. - items: - description: |- - ObjectSelector defines a reference to a Kubernetes object which can be an Elastic resource managed by the operator - or a Secret describing an external Elastic resource not managed by the operator. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If - empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. 
- The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - type: object - type: object - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the Kibana pods - type: object - x-kubernetes-preserve-unknown-fields: true - revisionHistoryLimit: - description: RevisionHistoryLimit is the number of revisions to retain - to allow rollback in the underlying Deployment. - format: int32 - type: integer - secureSettings: - description: SecureSettings is a list of references to Kubernetes - secrets containing sensitive configuration options for Kibana. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. 
- items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to a resource (for ex. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of Kibana. - type: string - required: - - version - type: object - status: - description: KibanaStatus defines the observed state of Kibana - properties: - associationStatus: - description: |- - AssociationStatus is the status of any auto-linking to Elasticsearch clusters. - This field is deprecated and will be removed in a future release. Use ElasticsearchAssociationStatus instead. - type: string - availableNodes: - description: AvailableNodes is the number of available replicas in - the deployment. - format: int32 - type: integer - count: - description: Count corresponds to Scale.Status.Replicas, which is - the actual number of observed instances of the scaled object. - format: int32 - type: integer - elasticsearchAssociationStatus: - description: ElasticsearchAssociationStatus is the status of any auto-linking - to Elasticsearch clusters. - type: string - enterpriseSearchAssociationStatus: - description: EnterpriseSearchAssociationStatus is the status of any - auto-linking to Enterprise Search. - type: string - health: - description: Health of the deployment. 
- type: string - monitoringAssociationStatus: - additionalProperties: - description: AssociationStatus is the status of an association resource. - type: string - description: MonitoringAssociationStatus is the status of any auto-linking - to monitoring Elasticsearch clusters. - type: object - observedGeneration: - description: |- - ObservedGeneration is the most recent generation observed for this Kibana instance. - It corresponds to the metadata generation, which is updated on mutation by the API Server. - If the generation observed in status diverges from the generation in metadata, the Kibana - controller has not yet processed the changes contained in the Kibana specification. - format: int64 - type: integer - selector: - description: Selector is the label selector used to find all pods. - type: string - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. - type: string - type: object - type: object - served: true - storage: true - subresources: - scale: - labelSelectorPath: .status.selector - specReplicasPath: .spec.count - statusReplicasPath: .status.count - status: {} - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: Kibana version - jsonPath: .spec.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Kibana represents a Kibana resource in a Kubernetes cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: KibanaSpec holds the specification of a Kibana instance. - properties: - config: - description: 'Config holds the Kibana configuration. See: https://www.elastic.co/guide/en/kibana/current/settings.html' - type: object - x-kubernetes-preserve-unknown-fields: true - count: - description: Count of Kibana instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster - running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - http: - description: HTTP holds the HTTP layer configuration for Kibana. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. 
- properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. 
If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. 
If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. 
service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. 
- This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's - port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). 
- - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. 
Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. 
- Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations - of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic - is distributed to Service endpoints. Implementations can use this field - as a hint, but are not required to guarantee strict adherence. If the - field is not set, the implementation will apply its default routing - strategy. If set to "PreferClose", implementations should prioritize - endpoints that are in the same zone. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. 
- "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the - self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning - of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs - to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN - entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Kibana Docker image to deploy. 
- type: string - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the Kibana pods - type: object - x-kubernetes-preserve-unknown-fields: true - secureSettings: - description: SecureSettings is a list of references to Kubernetes - secrets containing sensitive configuration options for Kibana. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - version: - description: Version of Kibana. - type: string - type: object - status: - description: KibanaStatus defines the observed state of Kibana - properties: - associationStatus: - description: AssociationStatus is the status of an association resource. - type: string - availableNodes: - format: int32 - type: integer - health: - description: KibanaHealth expresses the status of the Kibana instances. 
- type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha1 - schema: - openAPIV3Schema: - description: to not break compatibility when upgrading from previous versions - of the CRD - type: object - served: false - storage: false ---- -# Source: elastic-operator/charts/eck-operator/charts/eck-operator-crds/templates/all-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.2.0' - helm.sh/chart: 'eck-operator-crds-3.2.0' - name: logstashes.logstash.k8s.elastic.co -spec: - group: logstash.k8s.elastic.co - names: - categories: - - elastic - kind: Logstash - listKind: LogstashList - plural: logstashes - shortNames: - - ls - singular: logstash - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Health - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: available - type: integer - - description: Expected nodes - jsonPath: .status.expectedNodes - name: expected - type: integer - - jsonPath: .metadata.creationTimestamp - name: age - type: date - - description: Logstash version - jsonPath: .status.version - name: version - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: Logstash is the Schema for the logstashes API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: LogstashSpec defines the desired state of Logstash - properties: - config: - description: Config holds the Logstash configuration. At most one - of [`Config`, `ConfigRef`] can be specified. - type: object - x-kubernetes-preserve-unknown-fields: true - configRef: - description: |- - ConfigRef contains a reference to an existing Kubernetes Secret holding the Logstash configuration. - Logstash settings must be specified as yaml, under a single "logstash.yml" entry. At most one of [`Config`, `ConfigRef`] - can be specified. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - count: - format: int32 - type: integer - elasticsearchRefs: - description: ElasticsearchRefs are references to Elasticsearch clusters - running in the same Kubernetes cluster. - items: - description: ElasticsearchCluster is a named reference to an Elasticsearch - cluster which can be used in a Logstash pipeline. - properties: - clusterName: - description: |- - ClusterName is an alias for the cluster to be used to refer to the Elasticsearch cluster in Logstash - configuration files, and will be used to identify "named clusters" in Logstash - minLength: 1 - type: string - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. 
- type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. - The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - required: - - clusterName - type: object - type: array - image: - description: Image is the Logstash Docker image to deploy. Version - and Type have to match the Logstash in the image. - type: string - monitoring: - description: |- - Monitoring enables you to collect and ship log and monitoring data of this Logstash. - Metricbeat and Filebeat are deployed in the same Pod as sidecars and each one sends data to one or two different - Elasticsearch monitoring clusters running in the same Kubernetes cluster. - properties: - logs: - description: Logs holds references to Elasticsearch clusters which - receive log data from an associated resource. - properties: - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of monitoring Elasticsearch clusters running in the same Kubernetes cluster. 
- Due to existing limitations, only a single Elasticsearch cluster is currently supported. - items: - description: |- - ObjectSelector defines a reference to a Kubernetes object which can be an Elastic resource managed by the operator - or a Secret describing an external Elastic resource not managed by the operator. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If - empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. - The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - type: object - metrics: - description: Metrics holds references to Elasticsearch clusters - which receive monitoring data from this resource. 
- properties: - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of monitoring Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single Elasticsearch cluster is currently supported. - items: - description: |- - ObjectSelector defines a reference to a Kubernetes object which can be an Elastic resource managed by the operator - or a Secret describing an external Elastic resource not managed by the operator. - properties: - name: - description: Name of an existing Kubernetes object corresponding - to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If - empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. - The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. 
- type: string - type: object - type: array - type: object - type: object - pipelines: - description: Pipelines holds the Logstash Pipelines. At most one of - [`Pipelines`, `PipelinesRef`] can be specified. - items: - type: object - type: array - x-kubernetes-preserve-unknown-fields: true - pipelinesRef: - description: |- - PipelinesRef contains a reference to an existing Kubernetes Secret holding the Logstash Pipelines. - Logstash pipelines must be specified as yaml, under a single "pipelines.yml" entry. At most one of [`Pipelines`, `PipelinesRef`] - can be specified. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - podTemplate: - description: PodTemplate provides customisation options for the Logstash - pods. - type: object - x-kubernetes-preserve-unknown-fields: true - revisionHistoryLimit: - description: RevisionHistoryLimit is the number of revisions to retain - to allow rollback in the underlying StatefulSet. - format: int32 - type: integer - secureSettings: - description: |- - SecureSettings is a list of references to Kubernetes Secrets containing sensitive configuration options for the Logstash. - Secrets data can be then referenced in the Logstash config using the Secret's keys or as specified in `Entries` field of - each SecureSetting. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. 
- Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to Elasticsearch resource in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - services: - description: |- - Services contains details of services that Logstash should expose - similar to the HTTP layer configuration for the - rest of the stack, but also applicable for more use cases than the metrics API, as logstash may need to - be opened up for other services: Beats, TCP, UDP, etc, inputs. - items: - properties: - name: - type: string - service: - description: Service defines the template for the associated - Kubernetes Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. 
- This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. 
Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". 
- type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. 
If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. 
Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. 
- type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's - port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. 
- Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by - this service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. 
- The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations - of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). 
- format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic - is distributed to Service endpoints. Implementations can use this field - as a hint, but are not required to guarantee strict adherence. If the - field is not set, the implementation will apply its default routing - strategy. If set to "PreferClose", implementations should prioritize - endpoints that are in the same zone. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). 
- - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the - self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning - of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs - to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN - entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - type: array - updateStrategy: - description: UpdateStrategy is a StatefulSetUpdateStrategy. The default - type is "RollingUpdate". - properties: - rollingUpdate: - description: RollingUpdate is used to communicate parameters when - Type is RollingUpdateStatefulSetStrategyType. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding up. This can not be 0. - Defaults to 1. This field is alpha-level and is only honored by servers that enable the - MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to - Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it - will be counted towards MaxUnavailable. 
- x-kubernetes-int-or-string: true - partition: - description: |- - Partition indicates the ordinal at which the StatefulSet should be partitioned - for updates. During a rolling update, all pods from ordinal Replicas-1 to - Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. - This is helpful in being able to do a canary based deployment. The default value is 0. - format: int32 - type: integer - type: object - type: - description: |- - Type indicates the type of the StatefulSetUpdateStrategy. - Default is RollingUpdate. - type: string - type: object - version: - description: Version of the Logstash. - type: string - volumeClaimTemplates: - description: |- - VolumeClaimTemplates is a list of persistent volume claims to be used by each Pod. - Every claim in this list must have a matching volumeMount in one of the containers defined in the PodTemplate. - Items defined here take precedence over any default claims added by the operator with the same name. - items: - description: PersistentVolumeClaim is a user's request for and claim - to a persistent volume - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - description: |- - Standard object's metadata. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. 
- type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. 
- If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to consider - for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the - PersistentVolume backing this claim. - type: string - type: object - status: - description: |- - status represents the current information/status of a persistent volume claim. - Read-only. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the actual access modes the volume backing the PVC has. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - allocatedResourceStatuses: - additionalProperties: - description: |- - When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource - that it does not recognizes, then it should ignore that update and let other controllers - handle it. - type: string - description: "allocatedResourceStatuses stores status of - resource being resized for the given PVC.\nKey names follow - standard Kubernetes label syntax. Valid values are either:\n\t* - Un-prefixed keys:\n\t\t- storage - the capacity of the - volume.\n\t* Custom resources must use implementation-defined - prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have kubernetes.io - prefix are considered\nreserved and hence may not be used.\n\nClaimResourceStatus - can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState - set when resize controller starts resizing the volume - in control-plane.\n\t- ControllerResizeFailed:\n\t\tState - set when resize has failed in resize controller with a - terminal error.\n\t- NodeResizePending:\n\t\tState set - when resize controller has finished resizing the volume - but further resizing of\n\t\tvolume is needed on the node.\n\t- - NodeResizeInProgress:\n\t\tState set when kubelet starts - resizing the volume.\n\t- NodeResizeFailed:\n\t\tState - set when resizing has failed in kubelet with a terminal - error. 
Transient errors don't set\n\t\tNodeResizeFailed.\nFor - example: if expanding a PVC for more capacity - this field - can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeFailed\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizePending\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeFailed\"\nWhen this field is not set, it - means that no resize operation is in progress for the - given PVC.\n\nA controller that receives PVC update with - previously unknown resourceName or ClaimResourceStatus\nshould - ignore the update for the purpose it was designed. For - example - a controller that\nonly is responsible for resizing - capacity of the volume, should ignore PVC updates that - change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - x-kubernetes-map-type: granular - allocatedResources: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: "allocatedResources tracks the resources allocated - to a PVC including its capacity.\nKey names follow standard - Kubernetes label syntax. 
Valid values are either:\n\t* - Un-prefixed keys:\n\t\t- storage - the capacity of the - volume.\n\t* Custom resources must use implementation-defined - prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have kubernetes.io - prefix are considered\nreserved and hence may not be used.\n\nCapacity - reported here may be larger than the actual capacity when - a volume expansion operation\nis requested.\nFor storage - quota, the larger value from allocatedResources and PVC.spec.resources - is used.\nIf allocatedResources is not set, PVC.spec.resources - alone is used for quota calculation.\nIf a volume expansion - capacity request is lowered, allocatedResources is only\nlowered - if there are no expansion operations in progress and if - the actual volume capacity\nis equal or lower than the - requested capacity.\n\nA controller that receives PVC - update with previously unknown resourceName\nshould ignore - the update for the purpose it was designed. For example - - a controller that\nonly is responsible for resizing - capacity of the volume, should ignore PVC updates that - change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - capacity: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: capacity represents the actual resources of - the underlying volume. - type: object - conditions: - description: |- - conditions is the current Condition of persistent volume claim. If underlying persistent volume is being - resized then the Condition will be set to 'Resizing'. 
- items: - description: PersistentVolumeClaimCondition contains details - about state of pvc - properties: - lastProbeTime: - description: lastProbeTime is the time we probed the - condition. - format: date-time - type: string - lastTransitionTime: - description: lastTransitionTime is the time the condition - transitioned from one status to another. - format: date-time - type: string - message: - description: message is the human-readable message - indicating details about last transition. - type: string - reason: - description: |- - reason is a unique, this should be a short, machine understandable string that gives the reason - for condition's last transition. If it reports "Resizing" that means the underlying - persistent volume is being resized. - type: string - status: - description: |- - Status is the status of the condition. - Can be True, False, Unknown. - More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=state%20of%20pvc-,conditions.status,-(string)%2C%20required - type: string - type: - description: |- - Type is the type of the condition. - More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=set%20to%20%27ResizeStarted%27.-,PersistentVolumeClaimCondition,-contains%20details%20about - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - currentVolumeAttributesClassName: - description: |- - currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. - When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim - type: string - modifyVolumeStatus: - description: |- - ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. - When this is unset, there is no ModifyVolume operation being attempted. 
- properties: - status: - description: "status is the status of the ControllerModifyVolume - operation. It can be in any of following states:\n - - Pending\n Pending indicates that the PersistentVolumeClaim - cannot be modified due to unmet requirements, such - as\n the specified VolumeAttributesClass not existing.\n - - InProgress\n InProgress indicates that the volume - is being modified.\n - Infeasible\n Infeasible indicates - that the request has been rejected as invalid by the - CSI driver. To\n\t resolve the error, a valid VolumeAttributesClass - needs to be specified.\nNote: New statuses can be - added in the future. Consumers should check for unknown - statuses and fail appropriately." - type: string - targetVolumeAttributesClassName: - description: targetVolumeAttributesClassName is the - name of the VolumeAttributesClass the PVC currently - being reconciled - type: string - required: - - status - type: object - phase: - description: phase represents the current phase of PersistentVolumeClaim. - type: string - type: object - type: object - type: array - required: - - version - type: object - status: - description: LogstashStatus defines the observed state of Logstash - properties: - availableNodes: - format: int32 - type: integer - elasticsearchAssociationsStatus: - additionalProperties: - description: AssociationStatus is the status of an association resource. - type: string - description: ElasticsearchAssociationStatus is the status of any auto-linking - to Elasticsearch clusters. - type: object - expectedNodes: - format: int32 - type: integer - health: - type: string - monitoringAssociationStatus: - additionalProperties: - description: AssociationStatus is the status of an association resource. - type: string - description: MonitoringAssociationStatus is the status of any auto-linking - to monitoring Elasticsearch clusters. 
- type: object - observedGeneration: - description: |- - ObservedGeneration is the most recent generation observed for this Logstash instance. - It corresponds to the metadata generation, which is updated on mutation by the API Server. - If the generation observed in status diverges from the generation in metadata, the Logstash - controller has not yet processed the changes contained in the Logstash specification. - format: int64 - type: integer - selector: - type: string - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. - type: string - required: - - selector - type: object - type: object - served: true - storage: true - subresources: - scale: - labelSelectorPath: .status.selector - specReplicasPath: .spec.count - statusReplicasPath: .status.expectedNodes - status: {} ---- -# Source: elastic-operator/charts/eck-operator/charts/eck-operator-crds/templates/all-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.2.0' - helm.sh/chart: 'eck-operator-crds-3.2.0' - name: stackconfigpolicies.stackconfigpolicy.k8s.elastic.co -spec: - group: stackconfigpolicy.k8s.elastic.co - names: - categories: - - elastic - kind: StackConfigPolicy - listKind: StackConfigPolicyList - plural: stackconfigpolicies - shortNames: - - scp - singular: stackconfigpolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Resources configured - jsonPath: .status.readyCount - name: Ready - type: string - - jsonPath: .status.phase - name: Phase - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - 
type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: StackConfigPolicy represents a StackConfigPolicy resource in - a Kubernetes cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - elasticsearch: - properties: - clusterSettings: - description: ClusterSettings holds the Elasticsearch cluster settings - (/_cluster/settings) - type: object - x-kubernetes-preserve-unknown-fields: true - config: - description: Config holds the settings that go into elasticsearch.yml. 
- type: object - x-kubernetes-preserve-unknown-fields: true - indexLifecyclePolicies: - description: IndexLifecyclePolicies holds the Index Lifecycle - policies settings (/_ilm/policy) - type: object - x-kubernetes-preserve-unknown-fields: true - indexTemplates: - description: IndexTemplates holds the Index and Component Templates - settings - properties: - componentTemplates: - description: ComponentTemplates holds the Component Templates - settings (/_component_template) - type: object - x-kubernetes-preserve-unknown-fields: true - composableIndexTemplates: - description: ComposableIndexTemplates holds the Index Templates - settings (/_index_template) - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - x-kubernetes-preserve-unknown-fields: true - ingestPipelines: - description: IngestPipelines holds the Ingest Pipelines settings - (/_ingest/pipeline) - type: object - x-kubernetes-preserve-unknown-fields: true - secretMounts: - description: SecretMounts are additional Secrets that need to - be mounted into the Elasticsearch pods. - items: - description: SecretMount contains information about additional - secrets to be mounted to the elasticsearch pods - properties: - mountPath: - description: MountPath denotes the path to which the secret - should be mounted to inside the elasticsearch pod - type: string - secretName: - description: SecretName denotes the name of the secret that - needs to be mounted to the elasticsearch pod - type: string - type: object - type: array - x-kubernetes-preserve-unknown-fields: true - secureSettings: - description: SecureSettings are additional Secrets that contain - data to be configured to Elasticsearch's keystore. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. 
- If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - x-kubernetes-preserve-unknown-fields: true - securityRoleMappings: - description: SecurityRoleMappings holds the Role Mappings settings - (/_security/role_mapping) - type: object - x-kubernetes-preserve-unknown-fields: true - snapshotLifecyclePolicies: - description: SnapshotLifecyclePolicies holds the Snapshot Lifecycle - Policies settings (/_slm/policy) - type: object - x-kubernetes-preserve-unknown-fields: true - snapshotRepositories: - description: SnapshotRepositories holds the Snapshot Repositories - settings (/_snapshot) - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - kibana: - properties: - config: - description: Config holds the settings that go into kibana.yml. - type: object - x-kubernetes-preserve-unknown-fields: true - secureSettings: - description: SecureSettings are additional Secrets that contain - data to be configured to Kibana's keystore. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. 
- If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - x-kubernetes-preserve-unknown-fields: true - type: object - resourceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - secureSettings: - description: 'Deprecated: SecureSettings only applies to Elasticsearch - and is deprecated. It must be set per application instead.' - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - type: object - status: - properties: - details: - additionalProperties: - additionalProperties: - description: ResourcePolicyStatus models the status of the policy - for one resource to be configured. 
- properties: - currentVersion: - description: |- - CurrentVersion denotes the current version of filesettings applied to the Elasticsearch cluster - This field does not apply to Kibana resources - format: int64 - type: integer - error: - properties: - message: - type: string - version: - format: int64 - type: integer - type: object - expectedVersion: - description: |- - ExpectedVersion denotes the expected version of filesettings that should be applied to the Elasticsearch cluster - This field does not apply to Kibana resources - format: int64 - type: integer - phase: - type: string - type: object - type: object - description: Details holds the status details for each resource to - be configured. - type: object - errors: - description: Errors is the number of resources which have an incorrect - configuration - type: integer - observedGeneration: - description: ObservedGeneration is the most recent generation observed - for this StackConfigPolicy. - format: int64 - type: integer - phase: - description: Phase is the phase of the StackConfigPolicy. - type: string - ready: - description: Ready is the number of resources successfully configured. - type: integer - readyCount: - description: ReadyCount is a human representation of the number of - resources successfully configured. - type: string - resources: - description: Resources is the number of resources to be configured. - type: integer - resourcesStatuses: - additionalProperties: - description: ResourcePolicyStatus models the status of the policy - for one resource to be configured. 
- properties: - currentVersion: - description: |- - CurrentVersion denotes the current version of filesettings applied to the Elasticsearch cluster - This field does not apply to Kibana resources - format: int64 - type: integer - error: - properties: - message: - type: string - version: - format: int64 - type: integer - type: object - expectedVersion: - description: |- - ExpectedVersion denotes the expected version of filesettings that should be applied to the Elasticsearch cluster - This field does not apply to Kibana resources - format: int64 - type: integer - phase: - type: string - type: object - description: |- - ResourcesStatuses holds the status for each resource to be configured. - Deprecated: Details is used to store the status of resources from ECK 2.11 - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: elastic-operator/charts/eck-operator/templates/cluster-roles.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: elastic-operator - labels: - app.kubernetes.io/name: elastic-operator - app.kubernetes.io/instance: elastic-operator - app.kubernetes.io/version: "3.2.0" - helm.sh/chart: eck-operator-3.2.0 - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "authorization.k8s.io" - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -- apiGroups: - - coordination.k8s.io - resources: - - leases - resourceNames: - - elastic-operator-leader - verbs: - - get - - watch - - update -- apiGroups: - - "" - resources: - - endpoints - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - - events - - persistentvolumeclaims - - secrets - - services - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - apps - resources: - - deployments - - statefulsets - - daemonsets - verbs: - - get - - list - - 
watch - - create - - update - - patch - - delete -- apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - elasticsearch.k8s.elastic.co - resources: - - elasticsearches - - elasticsearches/status - - elasticsearches/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP - verbs: - - get - - list - - watch - - create - - update - - patch -- apiGroups: - - autoscaling.k8s.elastic.co - resources: - - elasticsearchautoscalers - - elasticsearchautoscalers/status - - elasticsearchautoscalers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP - verbs: - - get - - list - - watch - - create - - update - - patch -- apiGroups: - - kibana.k8s.elastic.co - resources: - - kibanas - - kibanas/status - - kibanas/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP - verbs: - - get - - list - - watch - - create - - update - - patch -- apiGroups: - - apm.k8s.elastic.co - resources: - - apmservers - - apmservers/status - - apmservers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP - verbs: - - get - - list - - watch - - create - - update - - patch -- apiGroups: - - enterprisesearch.k8s.elastic.co - resources: - - enterprisesearches - - enterprisesearches/status - - enterprisesearches/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP - verbs: - - get - - list - - watch - - create - - update - - patch -- apiGroups: - - beat.k8s.elastic.co - resources: - - beats - - beats/status - - beats/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP - verbs: - - get - - list - - watch - - create - - update - - patch -- apiGroups: - - agent.k8s.elastic.co - resources: - - agents - - agents/status - - agents/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP - verbs: - - get - - list - - watch - - create - - update - - patch -- apiGroups: - - maps.k8s.elastic.co - 
resources: - - elasticmapsservers - - elasticmapsservers/status - - elasticmapsservers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP - verbs: - - get - - list - - watch - - create - - update - - patch -- apiGroups: - - stackconfigpolicy.k8s.elastic.co - resources: - - stackconfigpolicies - - stackconfigpolicies/status - - stackconfigpolicies/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP - verbs: - - get - - list - - watch - - create - - update - - patch -- apiGroups: - - logstash.k8s.elastic.co - resources: - - logstashes - - logstashes/status - - logstashes/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP - verbs: - - get - - list - - watch - - create - - update - - patch -- apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch ---- -# Source: elastic-operator/charts/eck-operator/templates/cluster-roles.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: "elastic-operator-view" - labels: - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/name: elastic-operator - app.kubernetes.io/instance: elastic-operator - app.kubernetes.io/version: "3.2.0" - helm.sh/chart: eck-operator-3.2.0 - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: ["elasticsearch.k8s.elastic.co"] - resources: ["elasticsearches"] - verbs: ["get", "list", "watch"] - - apiGroups: ["autoscaling.k8s.elastic.co"] - resources: ["elasticsearchautoscalers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apm.k8s.elastic.co"] - resources: ["apmservers"] - verbs: ["get", 
"list", "watch"] - - apiGroups: ["kibana.k8s.elastic.co"] - resources: ["kibanas"] - verbs: ["get", "list", "watch"] - - apiGroups: ["enterprisesearch.k8s.elastic.co"] - resources: ["enterprisesearches"] - verbs: ["get", "list", "watch"] - - apiGroups: ["beat.k8s.elastic.co"] - resources: ["beats"] - verbs: ["get", "list", "watch"] - - apiGroups: ["agent.k8s.elastic.co"] - resources: ["agents"] - verbs: ["get", "list", "watch"] - - apiGroups: ["maps.k8s.elastic.co"] - resources: ["elasticmapsservers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["stackconfigpolicy.k8s.elastic.co"] - resources: ["stackconfigpolicies"] - verbs: ["get", "list", "watch"] - - apiGroups: ["logstash.k8s.elastic.co"] - resources: ["logstashes"] - verbs: ["get", "list", "watch"] ---- -# Source: elastic-operator/charts/eck-operator/templates/cluster-roles.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: "elastic-operator-edit" - labels: - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/name: elastic-operator - app.kubernetes.io/instance: elastic-operator - app.kubernetes.io/version: "3.2.0" - helm.sh/chart: eck-operator-3.2.0 - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: ["elasticsearch.k8s.elastic.co"] - resources: ["elasticsearches"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["autoscaling.k8s.elastic.co"] - resources: ["elasticsearchautoscalers"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["apm.k8s.elastic.co"] - resources: ["apmservers"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["kibana.k8s.elastic.co"] - resources: ["kibanas"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["enterprisesearch.k8s.elastic.co"] - resources: ["enterprisesearches"] - verbs: ["create", "delete", "deletecollection", 
"patch", "update"] - - apiGroups: ["beat.k8s.elastic.co"] - resources: ["beats"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["agent.k8s.elastic.co"] - resources: ["agents"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["maps.k8s.elastic.co"] - resources: ["elasticmapsservers"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["stackconfigpolicy.k8s.elastic.co"] - resources: ["stackconfigpolicies"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["logstash.k8s.elastic.co"] - resources: ["logstashes"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] ---- -# Source: elastic-operator/charts/eck-operator/templates/role-bindings.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: elastic-operator - labels: - app.kubernetes.io/name: elastic-operator - app.kubernetes.io/instance: elastic-operator - app.kubernetes.io/version: "3.2.0" - helm.sh/chart: eck-operator-3.2.0 - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: elastic-operator -subjects: -- kind: ServiceAccount - name: elastic-operator - namespace: elastic-operator ---- -# Source: elastic-operator/charts/eck-operator/templates/webhook.yaml -apiVersion: v1 -kind: Service -metadata: - name: elastic-operator-webhook - namespace: elastic-operator - labels: - app.kubernetes.io/name: elastic-operator - app.kubernetes.io/instance: elastic-operator - app.kubernetes.io/version: "3.2.0" - helm.sh/chart: eck-operator-3.2.0 - app.kubernetes.io/managed-by: Helm -spec: - ports: - - name: https - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/name: elastic-operator - app.kubernetes.io/instance: elastic-operator ---- -# Source: elastic-operator/charts/eck-operator/templates/statefulset.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: 
elastic-operator - namespace: elastic-operator - labels: - app.kubernetes.io/name: elastic-operator - app.kubernetes.io/instance: elastic-operator - app.kubernetes.io/version: "3.2.0" - helm.sh/chart: eck-operator-3.2.0 - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - app.kubernetes.io/name: elastic-operator - app.kubernetes.io/instance: elastic-operator - serviceName: elastic-operator - replicas: 2 - template: - metadata: - annotations: - # Rename the fields "error" to "error.message" and "source" to "event.source" - # This is to avoid a conflict with the ECS "error" and "source" documents. - "co.elastic.logs/raw": "[{\"type\":\"filestream\",\"enabled\":true,\"id\":\"eck-container-logs-${data.kubernetes.container.id}\",\"paths\":[\"/var/log/containers/*${data.kubernetes.container.id}.log\"],\"parsers\":[{\"container\":{}},{\"ndjson\":{\"keys_under_root\":true}}],\"prospector.scanner.symlinks\":true,\"processors\":[{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"error\",\"to\":\"_error\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_error\",\"to\":\"error.message\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"source\",\"to\":\"_source\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_source\",\"to\":\"event.source\"}]}}]}]" - "checksum/config": b73feaddf363fb2b6fe00148962a59c33dac58db78014f4b50b9c3de06865131 - labels: - app.kubernetes.io/name: elastic-operator - app.kubernetes.io/instance: elastic-operator - spec: - terminationGracePeriodSeconds: 10 - serviceAccountName: elastic-operator - automountServiceAccountToken: true - securityContext: - runAsNonRoot: true - containers: - - image: "docker.elastic.co/eck/eck-operator:3.2.0" - imagePullPolicy: IfNotPresent - name: manager - args: - - "manager" - - "--config=/conf/eck.yaml" - securityContext: - allowPrivilegeEscalation: false - 
capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - env: - - name: OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: WEBHOOK_SECRET - value: elastic-operator-webhook-cert - resources: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 100m - memory: 150Mi - ports: - - containerPort: 9000 - name: metrics - protocol: TCP - - containerPort: 9443 - name: https-webhook - protocol: TCP - volumeMounts: - - mountPath: "/conf" - name: conf - readOnly: true - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - volumes: - - name: conf - configMap: - name: elastic-operator - - name: cert - secret: - defaultMode: 420 - secretName: elastic-operator-webhook-cert ---- -# Source: elastic-operator/charts/eck-operator/templates/podMonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: elastic-operator - namespace: elastic-operator - labels: - app.kubernetes.io/name: elastic-operator - app.kubernetes.io/instance: elastic-operator - app.kubernetes.io/version: "3.2.0" - helm.sh/chart: eck-operator-3.2.0 - app.kubernetes.io/managed-by: Helm -spec: - podMetricsEndpoints: - - port: metrics - path: /metrics - interval: 5m - scrapeTimeout: 30s - namespaceSelector: - matchNames: - - elastic-operator - selector: - matchLabels: - app.kubernetes.io/name: elastic-operator - app.kubernetes.io/instance: elastic-operator ---- -# Source: elastic-operator/charts/eck-operator/templates/webhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: elastic-operator.elastic-operator.k8s.elastic.co - labels: - app.kubernetes.io/name: elastic-operator - app.kubernetes.io/instance: elastic-operator - app.kubernetes.io/version: "3.2.0" - helm.sh/chart: eck-operator-3.2.0 - app.kubernetes.io/managed-by: Helm -webhooks: -- clientConfig: - service: - name: 
elastic-operator-webhook - namespace: elastic-operator - path: /validate-agent-k8s-elastic-co-v1alpha1-agent - failurePolicy: Ignore - name: elastic-agent-validation-v1alpha1.k8s.elastic.co - matchPolicy: Exact - admissionReviewVersions: [v1] - sideEffects: None - rules: - - apiGroups: - - agent.k8s.elastic.co - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - agents -- clientConfig: - service: - name: elastic-operator-webhook - namespace: elastic-operator - path: /validate-apm-k8s-elastic-co-v1-apmserver - failurePolicy: Ignore - name: elastic-apm-validation-v1.k8s.elastic.co - matchPolicy: Exact - admissionReviewVersions: [v1] - sideEffects: None - rules: - - apiGroups: - - apm.k8s.elastic.co - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - apmservers -- clientConfig: - service: - name: elastic-operator-webhook - namespace: elastic-operator - path: /validate-apm-k8s-elastic-co-v1beta1-apmserver - failurePolicy: Ignore - name: elastic-apm-validation-v1beta1.k8s.elastic.co - matchPolicy: Exact - admissionReviewVersions: [v1] - sideEffects: None - rules: - - apiGroups: - - apm.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - apmservers -- clientConfig: - service: - name: elastic-operator-webhook - namespace: elastic-operator - path: /validate-beat-k8s-elastic-co-v1beta1-beat - failurePolicy: Ignore - name: elastic-beat-validation-v1beta1.k8s.elastic.co - matchPolicy: Exact - admissionReviewVersions: [v1] - sideEffects: None - rules: - - apiGroups: - - beat.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - beats -- clientConfig: - service: - name: elastic-operator-webhook - namespace: elastic-operator - path: /validate-enterprisesearch-k8s-elastic-co-v1-enterprisesearch - failurePolicy: Ignore - name: elastic-ent-validation-v1.k8s.elastic.co - matchPolicy: Exact - admissionReviewVersions: [v1] - sideEffects: None - rules: 
- - apiGroups: - - enterprisesearch.k8s.elastic.co - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - enterprisesearches -- clientConfig: - service: - name: elastic-operator-webhook - namespace: elastic-operator - path: /validate-enterprisesearch-k8s-elastic-co-v1beta1-enterprisesearch - failurePolicy: Ignore - name: elastic-ent-validation-v1beta1.k8s.elastic.co - matchPolicy: Exact - admissionReviewVersions: [v1] - sideEffects: None - rules: - - apiGroups: - - enterprisesearch.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - enterprisesearches -- clientConfig: - service: - name: elastic-operator-webhook - namespace: elastic-operator - path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch - failurePolicy: Ignore - name: elastic-es-validation-v1.k8s.elastic.co - matchPolicy: Exact - admissionReviewVersions: [v1] - sideEffects: None - rules: - - apiGroups: - - elasticsearch.k8s.elastic.co - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - elasticsearches -- clientConfig: - service: - name: elastic-operator-webhook - namespace: elastic-operator - path: /validate-elasticsearch-k8s-elastic-co-v1beta1-elasticsearch - failurePolicy: Ignore - name: elastic-es-validation-v1beta1.k8s.elastic.co - matchPolicy: Exact - admissionReviewVersions: [v1] - sideEffects: None - rules: - - apiGroups: - - elasticsearch.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - elasticsearches -- clientConfig: - service: - name: elastic-operator-webhook - namespace: elastic-operator - path: /validate-ems-k8s-elastic-co-v1alpha1-mapsservers - failurePolicy: Ignore - name: elastic-ems-validation-v1alpha1.k8s.elastic.co - matchPolicy: Exact - admissionReviewVersions: [v1] - sideEffects: None - rules: - - apiGroups: - - maps.k8s.elastic.co - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - mapsservers -- clientConfig: - 
service: - name: elastic-operator-webhook - namespace: elastic-operator - path: /validate-kibana-k8s-elastic-co-v1-kibana - failurePolicy: Ignore - name: elastic-kb-validation-v1.k8s.elastic.co - matchPolicy: Exact - admissionReviewVersions: [v1] - sideEffects: None - rules: - - apiGroups: - - kibana.k8s.elastic.co - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - kibanas -- clientConfig: - service: - name: elastic-operator-webhook - namespace: elastic-operator - path: /validate-kibana-k8s-elastic-co-v1beta1-kibana - failurePolicy: Ignore - name: elastic-kb-validation-v1beta1.k8s.elastic.co - matchPolicy: Exact - admissionReviewVersions: [v1] - sideEffects: None - rules: - - apiGroups: - - kibana.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - kibanas -- clientConfig: - service: - name: elastic-operator-webhook - namespace: elastic-operator - path: /validate-autoscaling-k8s-elastic-co-v1alpha1-elasticsearchautoscaler - failurePolicy: Ignore - name: elastic-esa-validation-v1alpha1.k8s.elastic.co - matchPolicy: Exact - admissionReviewVersions: [v1] - sideEffects: None - rules: - - apiGroups: - - autoscaling.k8s.elastic.co - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - elasticsearchautoscalers -- clientConfig: - service: - name: elastic-operator-webhook - namespace: elastic-operator - path: /validate-scp-k8s-elastic-co-v1alpha1-stackconfigpolicies - failurePolicy: Ignore - name: elastic-scp-validation-v1alpha1.k8s.elastic.co - matchPolicy: Exact - admissionReviewVersions: [v1] - sideEffects: None - rules: - - apiGroups: - - stackconfigpolicy.k8s.elastic.co - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - stackconfigpolicies -- clientConfig: - service: - name: elastic-operator-webhook - namespace: elastic-operator - path: /validate-logstash-k8s-elastic-co-v1alpha1-logstash - failurePolicy: Ignore - name: 
elastic-logstash-validation-v1alpha1.k8s.elastic.co - matchPolicy: Exact - admissionReviewVersions: [v1] - sideEffects: None - rules: - - apiGroups: - - logstash.k8s.elastic.co - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - logstashes diff --git a/clusters/cl01tl/manifests/element-web/element-web.yaml b/clusters/cl01tl/manifests/element-web/element-web.yaml deleted file mode 100644 index 40e887bca..000000000 --- a/clusters/cl01tl/manifests/element-web/element-web.yaml +++ /dev/null 
@@ -1,258 +0,0 @@ ---- -# Source: element-web/charts/element-web/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: element-web - labels: - helm.sh/chart: element-web-1.4.26 - app.kubernetes.io/name: element-web - app.kubernetes.io/instance: element-web - app.kubernetes.io/version: "1.12.6" - app.kubernetes.io/managed-by: Helm ---- -# Source: element-web/charts/element-web/templates/configuration-nginx.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: element-web-nginx - labels: - helm.sh/chart: element-web-1.4.26 - app.kubernetes.io/name: element-web - app.kubernetes.io/instance: element-web - app.kubernetes.io/version: "1.12.6" - app.kubernetes.io/managed-by: Helm -data: - default.conf: | - server { - listen 8080; - listen [::]:8080; - server_name localhost; - - root /usr/share/nginx/html; - index index.html; - - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'self'"; - - # Set no-cache for the index.html only so that browsers always check for a new copy of Element Web. 
- location = /index.html { - add_header Cache-Control "no-cache"; - } - - # redirect server error pages to the static page /50x.html - # - error_page 500 502 503 504 /50x.html; - } ---- -# Source: element-web/charts/element-web/templates/configuration.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: element-web - labels: - helm.sh/chart: element-web-1.4.26 - app.kubernetes.io/name: element-web - app.kubernetes.io/instance: element-web - app.kubernetes.io/version: "1.12.6" - app.kubernetes.io/managed-by: Helm -data: - config.json: | - {"brand":"Alex Lebens","branding":{"auth_header_logo_url":"https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.png","welcome_background_url":"https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/background.jpg"},"default_country_code":"US","default_server_config":{"m.homeserver":{"base_url":"https://matrix.alexlebens.dev","server_name":"alexlebens.dev"},"m.identity_server":{"base_url":"https://alexlebens.dev"}},"default_theme":"dark","disable_3pid_login":true,"sso_redirect_options":{"immediate":true}} ---- -# Source: element-web/charts/element-web/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: element-web - labels: - helm.sh/chart: element-web-1.4.26 - app.kubernetes.io/name: element-web - app.kubernetes.io/instance: element-web - app.kubernetes.io/version: "1.12.6" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/name: element-web - app.kubernetes.io/instance: element-web ---- -# Source: element-web/charts/cloudflared/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: element-web-cloudflared - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: element-web - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cloudflared - 
app.kubernetes.io/version: 2025.10.0 - helm.sh/chart: cloudflared-1.23.1 - namespace: element-web -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: cloudflared - app.kubernetes.io/instance: element-web - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: element-web - app.kubernetes.io/name: cloudflared - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - tunnel - - --protocol - - http2 - - --no-autoupdate - - run - - --token - - $(CF_MANAGED_TUNNEL_TOKEN) - env: - - name: CF_MANAGED_TUNNEL_TOKEN - valueFrom: - secretKeyRef: - key: cf-tunnel-token - name: element-web-cloudflared-secret - image: cloudflare/cloudflared:2025.11.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: element-web/charts/element-web/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: element-web - labels: - helm.sh/chart: element-web-1.4.26 - app.kubernetes.io/name: element-web - app.kubernetes.io/instance: element-web - app.kubernetes.io/version: "1.12.6" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: element-web - app.kubernetes.io/instance: element-web - template: - metadata: - annotations: - checksum/config: 07dfcbf8ec12efac4a1e2bcc3779031a8c985138f9a5da5b419223c06b1b4675 - checksum/config-nginx: 75e21c87909fe90a77679c788366b70868068fde41c3d7a263955b35829d424b - labels: - app.kubernetes.io/name: element-web - app.kubernetes.io/instance: element-web - spec: - serviceAccountName: element-web - securityContext: - {} - containers: - - name: element-web - securityContext: - {} - image: "vectorim/element-web:v1.12.6" - 
imagePullPolicy: IfNotPresent - env: - - name: ELEMENT_WEB_PORT - value: '8080' - ports: - - name: http - containerPort: 8080 - protocol: TCP - livenessProbe: - httpGet: - path: / - port: http - readinessProbe: - httpGet: - path: / - port: http - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /app/config.json - name: config - subPath: config.json - - mountPath: /etc/nginx/conf.d/config.json - name: config-nginx - subPath: config.json - volumes: - - name: config - configMap: - name: element-web - - name: config-nginx - configMap: - name: element-web-nginx ---- -# Source: element-web/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: element-web-cloudflared-secret - namespace: element-web - labels: - app.kubernetes.io/name: element-web-cloudflared-secret - app.kubernetes.io/instance: element-web - app.kubernetes.io/part-of: element-web -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: cf-tunnel-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/tunnels/element - metadataPolicy: None - property: token ---- -# Source: element-web/charts/element-web/templates/tests/test-connection.yaml -apiVersion: v1 -kind: Pod -metadata: - name: "element-web-test-connection" - labels: - helm.sh/chart: element-web-1.4.26 - app.kubernetes.io/name: element-web - app.kubernetes.io/instance: element-web - app.kubernetes.io/version: "1.12.6" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": test-success -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['element-web:80'] - restartPolicy: Never diff --git a/clusters/cl01tl/manifests/ephemera/ephemera.yaml b/clusters/cl01tl/manifests/ephemera/ephemera.yaml deleted file mode 100644 index b0e068969..000000000 --- a/clusters/cl01tl/manifests/ephemera/ephemera.yaml +++ /dev/null 
@@ -1,360 +0,0 @@ ---- -# Source: ephemera/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: ephemera-import-nfs-storage - namespace: ephemera - labels: - app.kubernetes.io/name: ephemera-import-nfs-storage - app.kubernetes.io/instance: ephemera - app.kubernetes.io/part-of: ephemera -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage/Books Import - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: ephemera/charts/ephemera/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: ephemera - labels: - app.kubernetes.io/instance: ephemera - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ephemera - helm.sh/chart: ephemera-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: ephemera -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: ephemera/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: ephemera-import-nfs-storage - namespace: ephemera - labels: - app.kubernetes.io/name: ephemera-import-nfs-storage - app.kubernetes.io/instance: ephemera - app.kubernetes.io/part-of: ephemera -spec: - volumeName: ephemera-import-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: ephemera/charts/ephemera/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: ephemera - labels: - app.kubernetes.io/instance: ephemera - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ephemera - app.kubernetes.io/service: ephemera - helm.sh/chart: ephemera-4.4.0 - namespace: ephemera -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8286 - protocol: TCP - name: http - selector: - 
app.kubernetes.io/controller: main - app.kubernetes.io/instance: ephemera - app.kubernetes.io/name: ephemera ---- -# Source: ephemera/charts/ephemera/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ephemera - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: ephemera - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ephemera - helm.sh/chart: ephemera-4.4.0 - namespace: ephemera -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: ephemera - app.kubernetes.io/instance: ephemera - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: ephemera - app.kubernetes.io/name: ephemera - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: APPRISE_STORAGE_MODE - value: memory - - name: APPRISE_STATEFUL_MODE - value: disabled - - name: APPRISE_WORKER_COUNT - value: "1" - - name: APPRISE_STATELESS_URLS - valueFrom: - secretKeyRef: - key: ntfy-url - name: ephemera-apprise-config - image: caronc/apprise:1.2.6 - imagePullPolicy: IfNotPresent - name: apprise-api - resources: - requests: - cpu: 10m - memory: 128Mi - - env: - - name: LOG_LEVEL - value: info - - name: LOG_HTML - value: "false" - - name: CAPTCHA_SOLVER - value: none - - name: TZ - value: America/Chicago - image: ghcr.io/flaresolverr/flaresolverr:v3.4.6 - imagePullPolicy: IfNotPresent - name: flaresolverr - resources: - requests: - cpu: 10m - memory: 128Mi - - env: - - name: AA_BASE_URL - value: https://annas-archive.org - - name: FLARESOLVERR_URL - value: http://127.0.0.1:8191 - - name: LG_BASE_URL - value: https://gen.com - - name: PUID - value: "0" - - name: PGID - value: "0" - image: 
ghcr.io/orwellianepilogue/ephemera:1.3.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 50m - memory: 128Mi - volumeMounts: - - mountPath: /app/downloads - name: cache - - mountPath: /app/data - name: config - - mountPath: /app/ingest - name: ingest - volumes: - - emptyDir: {} - name: cache - - name: config - persistentVolumeClaim: - claimName: ephemera - - name: ingest - persistentVolumeClaim: - claimName: ephemera-import-nfs-storage ---- -# Source: ephemera/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: ephemera-key-secret - namespace: ephemera - labels: - app.kubernetes.io/name: ephemera-key-secret - app.kubernetes.io/instance: ephemera - app.kubernetes.io/part-of: ephemera -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: key - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/ephemera/config - metadataPolicy: None - property: key ---- -# Source: ephemera/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: ephemera-apprise-config - namespace: ephemera - labels: - app.kubernetes.io/name: ephemera-apprise-config - app.kubernetes.io/instance: ephemera - app.kubernetes.io/part-of: ephemera -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ntfy-url - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/ephemera/config - metadataPolicy: None - property: ntfy-url ---- -# Source: ephemera/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: ephemera-config-backup-secret - namespace: ephemera - labels: - app.kubernetes.io/name: ephemera-config-backup-secret - app.kubernetes.io/instance: ephemera - app.kubernetes.io/part-of: ephemera -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: 
Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/ephemera/ephemera-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: ephemera/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-ephemera - namespace: ephemera - labels: - app.kubernetes.io/name: http-route-ephemera - app.kubernetes.io/instance: ephemera - app.kubernetes.io/part-of: ephemera -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - ephemera.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: ephemera - port: 80 - weight: 100 ---- -# Source: ephemera/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: ephemera-config-backup-source - namespace: ephemera - labels: - app.kubernetes.io/name: ephemera-config-backup-source - app.kubernetes.io/instance: ephemera - 
app.kubernetes.io/part-of: ephemera -spec: - sourcePVC: ephemera-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: ephemera-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot - cacheCapacity: 10Gi diff --git a/clusters/cl01tl/manifests/eraser/eraser.yaml b/clusters/cl01tl/manifests/eraser/eraser.yaml deleted file mode 100644 index cb8839f34..000000000 --- a/clusters/cl01tl/manifests/eraser/eraser.yaml +++ /dev/null 
@@ -1,608 +0,0 @@ ---- -# Source: eraser/charts/eraser/templates/eraser-controller-manager-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/instance: 'eraser' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eraser' - helm.sh/chart: 'eraser' - name: eraser-controller-manager - namespace: 'eraser' ---- -# Source: eraser/charts/eraser/templates/eraser-imagejob-pods-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/instance: 'eraser' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eraser' - helm.sh/chart: 'eraser' - name: eraser-imagejob-pods - namespace: 'eraser' ---- -# Source: eraser/charts/eraser/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: eraser-manager-config - namespace: "eraser" -data: - controller_manager_config.yaml: | - apiVersion: eraser.sh/v1alpha3 - components: - collector: - enabled: true - image: - tag: v1.4.1 - limit: {} - request: - cpu: 10m - memory: 128Mi - remover: - image: - tag: v1.4.1 - limit: {} - request: - cpu: 10m - memory: 128Mi - scanner: - config: "" - enabled: false - image: - tag: v1.4.1 - limit: {} - request: - cpu: 100m - memory: 128Mi - health: {} - kind: EraserConfig - leaderElection: {} - manager: - additionalPodLabels: {} - imageJob: - cleanup: - delayOnFailure: 24h - delayOnSuccess: 0s - successRatio: 1 - logLevel: info - nodeFilter: - selectors: - - eraser.sh/cleanup.filter - - kubernetes.io/os=windows - type: exclude - otlpEndpoint: "" - priorityClassName: "" - profile: - enabled: false - port: 6060 - pullSecrets: [] - runtime: - address: unix:///run/containerd/containerd.sock - name: containerd - scheduling: - beginImmediately: true - repeatInterval: 24h - metrics: {} - webhook: {} ---- -# Source: eraser/charts/eraser/templates/imagejobs.eraser.sh-customresourcedefinition.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - 
annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - labels: - app.kubernetes.io/instance: 'eraser' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eraser' - helm.sh/chart: 'eraser' - name: imagejobs.eraser.sh -spec: - group: eraser.sh - names: - kind: ImageJob - listKind: ImageJobList - plural: imagejobs - singular: imagejob - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: ImageJob is the Schema for the imagejobs API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - status: - description: ImageJobStatus defines the observed state of ImageJob. - properties: - deleteAfter: - description: Time to delay deletion until - format: date-time - type: string - desired: - description: desired number of pods - type: integer - failed: - description: number of pods that failed - type: integer - phase: - description: job running, successfully completed, or failed - type: string - skipped: - description: number of nodes that were skipped e.g. 
because they are not a linux node - type: integer - succeeded: - description: number of pods that completed successfully - type: integer - required: - - desired - - failed - - phase - - skipped - - succeeded - type: object - type: object - served: true - storage: true - subresources: - status: {} - - deprecated: true - deprecationWarning: v1alpha1 of the eraser API has been deprecated. Please migrate to v1. - name: v1alpha1 - schema: - openAPIV3Schema: - description: ImageJob is the Schema for the imagejobs API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - status: - description: ImageJobStatus defines the observed state of ImageJob. - properties: - deleteAfter: - description: Time to delay deletion until - format: date-time - type: string - desired: - description: desired number of pods - type: integer - failed: - description: number of pods that failed - type: integer - phase: - description: job running, successfully completed, or failed - type: string - skipped: - description: number of nodes that were skipped e.g. 
because they are not a linux node - type: integer - succeeded: - description: number of pods that completed successfully - type: integer - required: - - desired - - failed - - phase - - skipped - - succeeded - type: object - type: object - served: true - storage: false - subresources: - status: {} ---- -# Source: eraser/charts/eraser/templates/imagelists.eraser.sh-customresourcedefinition.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - labels: - app.kubernetes.io/instance: 'eraser' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eraser' - helm.sh/chart: 'eraser' - name: imagelists.eraser.sh -spec: - group: eraser.sh - names: - kind: ImageList - listKind: ImageListList - plural: imagelists - singular: imagelist - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: ImageList is the Schema for the imagelists API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ImageListSpec defines the desired state of ImageList. - properties: - images: - description: The list of non-compliant images to delete if non-running. 
- items: - type: string - type: array - required: - - images - type: object - status: - description: ImageListStatus defines the observed state of ImageList. - properties: - failed: - description: Number of nodes that failed to run the job - format: int64 - type: integer - skipped: - description: Number of nodes that were skipped due to a skip selector - format: int64 - type: integer - success: - description: Number of nodes that successfully ran the job - format: int64 - type: integer - timestamp: - description: Information when the job was completed. - format: date-time - type: string - required: - - failed - - skipped - - success - - timestamp - type: object - type: object - served: true - storage: true - subresources: - status: {} - - deprecated: true - deprecationWarning: v1alpha1 of the eraser API has been deprecated. Please migrate to v1. - name: v1alpha1 - schema: - openAPIV3Schema: - description: ImageList is the Schema for the imagelists API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ImageListSpec defines the desired state of ImageList. - properties: - images: - description: The list of non-compliant images to delete if non-running. 
- items: - type: string - type: array - required: - - images - type: object - status: - description: ImageListStatus defines the observed state of ImageList. - properties: - failed: - description: Number of nodes that failed to run the job - format: int64 - type: integer - skipped: - description: Number of nodes that were skipped due to a skip selector - format: int64 - type: integer - success: - description: Number of nodes that successfully ran the job - format: int64 - type: integer - timestamp: - description: Information when the job was completed. - format: date-time - type: string - required: - - failed - - skipped - - success - - timestamp - type: object - type: object - served: true - storage: false - subresources: - status: {} ---- -# Source: eraser/charts/eraser/templates/eraser-manager-role-clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: 'eraser' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eraser' - helm.sh/chart: 'eraser' - name: eraser-manager-role -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - eraser.sh - resources: - - imagejobs - verbs: - - create - - delete - - get - - list - - watch -- apiGroups: - - eraser.sh - resources: - - imagejobs/status - verbs: - - get - - patch - - update -- apiGroups: - - eraser.sh - resources: - - imagelists - verbs: - - get - - list - - watch -- apiGroups: - - eraser.sh - resources: - - imagelists/status - verbs: - - get - - patch - - update ---- -# Source: eraser/charts/eraser/templates/eraser-manager-rolebinding-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: 'eraser' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eraser' - helm.sh/chart: 'eraser' - name: eraser-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: 
ClusterRole - name: eraser-manager-role -subjects: -- kind: ServiceAccount - name: eraser-controller-manager - namespace: 'eraser' ---- -# Source: eraser/charts/eraser/templates/eraser-manager-role-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/instance: 'eraser' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eraser' - helm.sh/chart: 'eraser' - name: eraser-manager-role - namespace: 'eraser' -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - get - - list - - update - - watch -- apiGroups: - - "" - resources: - - podtemplates - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -# Source: eraser/charts/eraser/templates/eraser-manager-rolebinding-rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/instance: 'eraser' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eraser' - helm.sh/chart: 'eraser' - name: eraser-manager-rolebinding - namespace: 'eraser' -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: eraser-manager-role -subjects: -- kind: ServiceAccount - name: eraser-controller-manager - namespace: 'eraser' ---- -# Source: eraser/charts/eraser/templates/eraser-controller-manager-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/instance: 'eraser' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eraser' - control-plane: controller-manager - helm.sh/chart: 'eraser' - name: eraser-controller-manager - namespace: 'eraser' -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: 'eraser' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eraser' - control-plane: controller-manager - helm.sh/chart: 
'eraser' - template: - metadata: - labels: - app.kubernetes.io/instance: 'eraser' - app.kubernetes.io/managed-by: 'Helm' - app.kubernetes.io/name: 'eraser' - control-plane: controller-manager - helm.sh/chart: 'eraser' - spec: - affinity: - {} - containers: - - args: - - --config=/config/controller_manager_config.yaml - command: - - /manager - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: OTEL_SERVICE_NAME - value: eraser-manager - image: 'ghcr.io/eraser-dev/eraser-manager:v1.4.1' - imagePullPolicy: 'IfNotPresent' - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - memory: 30Mi - requests: - cpu: 10m - memory: 30Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /config - name: eraser-manager-config - nodeSelector: - kubernetes.io/os: linux - priorityClassName: '' - serviceAccountName: eraser-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: - [] - volumes: - - configMap: - name: eraser-manager-config - name: eraser-manager-config diff --git a/clusters/cl01tl/manifests/external-dns/external-dns.yaml b/clusters/cl01tl/manifests/external-dns/external-dns.yaml deleted file mode 100644 index 52e4da3af..000000000 --- a/clusters/cl01tl/manifests/external-dns/external-dns.yaml +++ /dev/null 
@@ -1,518 +0,0 @@ ---- -# Source: external-dns/charts/external-dns-unifi/crds/dnsendpoints.externaldns.k8s.io.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/external-dns/pull/2007 - name: dnsendpoints.externaldns.k8s.io -spec: - group: externaldns.k8s.io - names: - kind: DNSEndpoint - listKind: DNSEndpointList - plural: dnsendpoints - singular: dnsendpoint - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - DNSEndpoint is a contract that a user-specified CRD must implement to be used as a source for external-dns. - The user-specified CRD should also have the status sub-resource. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: DNSEndpointSpec defines the desired state of DNSEndpoint - properties: - endpoints: - items: - description: Endpoint is a high-level way of a connection between a service and an IP - properties: - dnsName: - description: The hostname of the DNS record - type: string - labels: - additionalProperties: - type: string - description: Labels stores labels defined for the Endpoint - type: object - providerSpecific: - description: ProviderSpecific stores provider specific config - items: - description: ProviderSpecificProperty holds the name and value of a configuration which is specific to individual DNS providers - properties: - name: - type: string - value: - type: string - type: object - type: array - recordTTL: - description: TTL for the record - format: int64 - type: integer - recordType: - description: RecordType type of record, e.g. CNAME, A, AAAA, SRV, TXT etc - type: string - setIdentifier: - description: Identifier to distinguish multiple records with the same name and type (e.g. Route53 records with routing policies other than 'simple') - type: string - targets: - description: The targets the DNS record points to - items: - type: string - type: array - type: object - type: array - type: object - status: - description: DNSEndpointStatus defines the observed state of DNSEndpoint - properties: - observedGeneration: - description: The generation observed by the external-dns controller. 
- format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: external-dns/charts/external-dns-unifi/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-dns-unifi - namespace: external-dns - labels: - helm.sh/chart: external-dns-unifi-1.19.0 - app.kubernetes.io/name: external-dns-unifi - app.kubernetes.io/instance: external-dns - app.kubernetes.io/version: "0.19.0" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: true ---- -# Source: external-dns/charts/external-dns-unifi/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: external-dns-unifi - labels: - helm.sh/chart: external-dns-unifi-1.19.0 - app.kubernetes.io/name: external-dns-unifi - app.kubernetes.io/instance: external-dns - app.kubernetes.io/version: "0.19.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: ["extensions","networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get","watch","list"] - - apiGroups: ["externaldns.k8s.io"] - resources: ["dnsendpoints"] - verbs: ["get","watch","list"] - - apiGroups: ["externaldns.k8s.io"] - resources: ["dnsendpoints/status"] - verbs: ["*"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gateways"] - verbs: ["get","watch","list"] - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get","watch","list"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["httproutes"] - verbs: ["get","watch","list"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["tlsroutes"] - verbs: ["get","watch","list"] ---- -# Source: external-dns/charts/external-dns-unifi/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: external-dns-unifi-viewer - labels: - helm.sh/chart: external-dns-unifi-1.19.0 - app.kubernetes.io/name: external-dns-unifi - app.kubernetes.io/instance: 
external-dns - app.kubernetes.io/version: "0.19.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: external-dns-unifi -subjects: - - kind: ServiceAccount - name: external-dns-unifi - namespace: external-dns ---- -# Source: external-dns/charts/external-dns-unifi/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: external-dns-unifi - namespace: external-dns - labels: - helm.sh/chart: external-dns-unifi-1.19.0 - app.kubernetes.io/name: external-dns-unifi - app.kubernetes.io/instance: external-dns - app.kubernetes.io/version: "0.19.0" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - selector: - app.kubernetes.io/name: external-dns-unifi - app.kubernetes.io/instance: external-dns - ports: - - name: http - port: 7979 - targetPort: http - protocol: TCP - - name: http-webhook - port: 8080 - targetPort: http-webhook - protocol: TCP ---- -# Source: external-dns/charts/external-dns-unifi/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: external-dns-unifi - namespace: external-dns - labels: - helm.sh/chart: external-dns-unifi-1.19.0 - app.kubernetes.io/name: external-dns-unifi - app.kubernetes.io/instance: external-dns - app.kubernetes.io/version: "0.19.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: external-dns-unifi - app.kubernetes.io/instance: external-dns - strategy: - type: Recreate - template: - metadata: - labels: - app.kubernetes.io/name: external-dns-unifi - app.kubernetes.io/instance: external-dns - spec: - automountServiceAccountToken: true - serviceAccountName: external-dns-unifi - securityContext: - fsGroup: 65534 - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - containers: - - name: external-dns - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 
65532 - runAsNonRoot: true - runAsUser: 65532 - image: registry.k8s.io/external-dns/external-dns:v0.19.0 - imagePullPolicy: IfNotPresent - args: - - --log-level=info - - --log-format=text - - --interval=1m - - --source=ingress - - --source=crd - - --source=gateway-httproute - - --source=gateway-tlsroute - - --policy=sync - - --registry=txt - - --txt-owner-id=default - - --txt-prefix=k8s. - - --domain-filter=alexlebens.net - - --provider=webhook - - --ignore-ingress-tls-spec - ports: - - name: http - protocol: TCP - containerPort: 7979 - livenessProbe: - failureThreshold: 2 - httpGet: - path: /healthz - port: http - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: http - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - - name: webhook - image: ghcr.io/kashalls/external-dns-unifi-webhook:v0.7.0 - imagePullPolicy: IfNotPresent - env: - - name: UNIFI_HOST - value: https://192.168.1.1 - - name: UNIFI_API_KEY - valueFrom: - secretKeyRef: - key: api-key - name: external-dns-unifi-secret - - name: LOG_LEVEL - value: debug - ports: - - name: http-webhook - protocol: TCP - containerPort: 8080 - livenessProbe: - failureThreshold: 2 - httpGet: - path: /healthz - port: http-webhook - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: http-webhook - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 ---- -# Source: external-dns/templates/dns-endpoint.yaml -apiVersion: externaldns.k8s.io/v1alpha1 -kind: DNSEndpoint -metadata: - name: external-device-names - namespace: external-dns - labels: - app.kubernetes.io/name: external-device-names - app.kubernetes.io/instance: external-dns - app.kubernetes.io/part-of: external-dns -spec: - endpoints: - # Unifi UDM - - dnsName: unifi.alexlebens.net - 
recordTTL: 180 - recordType: A - targets: - - 192.168.1.1 - # Synology Web - - dnsName: synology.alexlebens.net - recordTTL: 180 - recordType: A - targets: - - 10.232.1.61 - # Synology Storage - - dnsName: synologybond.alexlebens.net - recordTTL: 180 - recordType: A - targets: - - 10.232.1.64 - # HD Homerun - - dnsName: hdhr.alexlebens.net - recordTTL: 180 - recordType: A - targets: - - 10.232.1.72 - # Pi KVM - - dnsName: pikvm.alexlebens.net - recordTTL: 180 - recordType: A - targets: - - 10.232.1.71 ---- -# Source: external-dns/templates/dns-endpoint.yaml -apiVersion: externaldns.k8s.io/v1alpha1 -kind: DNSEndpoint -metadata: - name: iot-device-names - namespace: external-dns - labels: - app.kubernetes.io/name: iot-device-names - app.kubernetes.io/instance: external-dns - app.kubernetes.io/part-of: external-dns -spec: - endpoints: - # Airgradient - - dnsName: it01ag.alexlebens.net - recordTTL: 180 - recordType: A - targets: - - 10.232.1.83 - # Phillips Hue - - dnsName: it02ph.alexlebens.net - recordTTL: 180 - recordType: A - targets: - - 10.232.1.85 - # TubesZB ZigBee - - dnsName: it03tb.alexlebens.net - recordTTL: 180 - recordType: A - targets: - - 10.232.1.81 - # TubesZB Z-Wave - - dnsName: it04tb.alexlebens.net - recordTTL: 180 - recordType: A - targets: - - 10.232.1.82 ---- -# Source: external-dns/templates/dns-endpoint.yaml -apiVersion: externaldns.k8s.io/v1alpha1 -kind: DNSEndpoint -metadata: - name: server-host-names - namespace: external-dns - labels: - app.kubernetes.io/name: server-host-names - app.kubernetes.io/instance: external-dns - app.kubernetes.io/part-of: external-dns -spec: - endpoints: - # Unifi Gateway - - dnsName: nw01un.alexlebens.net - recordTTL: 180 - recordType: A - targets: - - 192.168.1.1 - # Synology - - dnsName: ps02sn.alexlebens.net - recordTTL: 180 - recordType: A - targets: - - 10.232.1.61 - # Synology Storage - - dnsName: ps02sn-bond.alexlebens.net - recordTTL: 180 - recordType: A - targets: - - 10.232.1.64 - # Raspberry Pi - - 
dnsName: ps08rp.alexlebens.net - recordTTL: 180 - recordType: A - targets: - - 10.232.1.51 - # Raspberry Pi - - dnsName: ps09rp.alexlebens.net - recordTTL: 180 - recordType: A - targets: - - 10.232.1.52 ---- -# Source: external-dns/templates/dns-endpoint.yaml -apiVersion: externaldns.k8s.io/v1alpha1 -kind: DNSEndpoint -metadata: - name: cluster-service-names - namespace: external-dns - labels: - app.kubernetes.io/name: cluster-service-names - app.kubernetes.io/instance: external-dns - app.kubernetes.io/part-of: external-dns -spec: - endpoints: - # Treafik Proxy - - dnsName: traefik-cl01tl.alexlebens.net - recordTTL: 180 - recordType: A - targets: - - 10.232.1.21 - # Treafik Proxy - - dnsName: blocky.alexlebens.net - recordTTL: 180 - recordType: A - targets: - - 10.232.1.22 - # Treafik Proxy - - dnsName: plex.alexlebens.net - recordTTL: 180 - recordType: A - targets: - - 10.232.1.23 ---- -# Source: external-dns/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: external-dns-unifi-secret - namespace: external-dns - labels: - app.kubernetes.io/name: external-dns-unifi-secret - app.kubernetes.io/instance: external-dns - app.kubernetes.io/part-of: external-dns -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: api-key - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /unifi/auth/cl01tl - metadataPolicy: None - property: api-key ---- -# Source: external-dns/charts/external-dns-unifi/templates/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: external-dns-unifi - namespace: external-dns - labels: - helm.sh/chart: external-dns-unifi-1.19.0 - app.kubernetes.io/name: external-dns-unifi - app.kubernetes.io/instance: external-dns - app.kubernetes.io/version: "0.19.0" - app.kubernetes.io/managed-by: Helm -spec: - jobLabel: app.kubernetes.io/instance - namespaceSelector: - matchNames: - - external-dns - selector: 
- matchLabels: - app.kubernetes.io/name: external-dns-unifi - app.kubernetes.io/instance: external-dns - endpoints: - - port: http - path: /metrics - - port: http-webhook - path: /metrics
diff --git a/clusters/cl01tl/manifests/external-secrets/external-secrets.yaml b/clusters/cl01tl/manifests/external-secrets/external-secrets.yaml
deleted file mode 100644
index 0d04a9be1..000000000
--- a/clusters/cl01tl/manifests/external-secrets/external-secrets.yaml
+++ /dev/null
@@ -1,29357 +0,0 @@ ---- -# Source: external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-cert-controller - namespace: external-secrets - labels: - - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: external-secrets/charts/external-secrets/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets - namespace: external-secrets - labels: - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-webhook - namespace: external-secrets - labels: - - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: external-secrets/charts/external-secrets/templates/webhook-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: external-secrets-webhook - namespace: external-secrets - labels: - - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook ---- -# Source: external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: 
v0.19.0 - labels: - external-secrets.io/component: controller - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ACRAccessToken returns an Azure Container Registry token - that can be used for pushing/pulling images. - Note: by default it will return an ACR Refresh Token with full access - (depending on the identity). - This can be scoped down to the repository level using .spec.scope. - In case scope is defined it will return an ACR Access Token. - - See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - ACRAccessTokenSpec defines how to generate the access token - e.g. how to authenticate and which registry to use. - see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview - properties: - auth: - description: ACRAuth defines the authentication methods for Azure Container Registry. 
- properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: |- - AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication. - It uses static credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint. 
- The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - - AzureStackCloud - type: string - registry: - description: |- - the domain name of the ACR registry - e.g. foobarexample.azurecr.io - type: string - scope: - description: |- - Define the scope for the access token, e.g. pull/push access for a repository. - if not provided it will return a refresh token that has full scope. - Note: you need to pin it down to the repository level, there is no wildcard available. - - examples: - repository:my-repository:pull,push - repository:my-repository:pull - - see docs for details: https://docs.docker.com/registry/spec/auth/scope/ - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/cloudsmithaccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: cloudsmithaccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: CloudsmithAccessToken - listKind: CloudsmithAccessTokenList - plural: cloudsmithaccesstokens - singular: cloudsmithaccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: CloudsmithAccessToken generates Cloudsmith access token using OIDC authentication - properties: - apiVersion: - description: |- - APIVersion defines the 
versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication. - properties: - apiUrl: - description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io. - type: string - orgSlug: - description: OrgSlug is the organization slug in Cloudsmith - type: string - serviceAccountRef: - description: Name of the service account you are federating with - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - serviceSlug: - description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication - type: string - required: - - orgSlug - - serviceAccountRef - - serviceSlug - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - external-secrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.externalSecretSpec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshTime - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretMetadata: - description: The metadata of the external secrets to be created - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - externalSecretName: - description: |- - The name of the external secrets to be created. - Defaults to the name of the ClusterExternalSecret - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. 
Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: The key in the Kubernetes Secret to store the value. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will be pulled. - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - CloudsmithAccessToken - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - - MFA - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: |- - ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data - when using DataFrom to fetch multiple values from a Provider. - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. 
Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret. - maxProperties: 1 - minProperties: 1 - properties: - merge: - description: |- - Used to merge key/values in one single Secret - The resulting key will contain all values from the specified secrets - properties: - conflictPolicy: - default: Error - description: Used to define the policy to use in conflict resolution. - enum: - - Ignore - - Error - type: string - into: - default: "" - description: |- - Used to define the target key of the merge operation. - Required if strategy is JSON. Ignored otherwise. 
- type: string - priority: - description: Used to define key priority in conflict resolution. - items: - type: string - type: array - priorityPolicy: - default: Strict - description: Used to define the policy when a key in the priority list does not exist in the input. - enum: - - IgnoreNotFound - - Strict - type: string - strategy: - default: Extract - description: Used to define the strategy to use in the merge operation. - enum: - - Extract - - JSON - type: string - type: object - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. 
- properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - CloudsmithAccessToken - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - - MFA - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider, - specified as Golang Duration strings. - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - Example values: "1h", "2h30m", "10s" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - refreshPolicy: - description: |- - RefreshPolicy determines how the ExternalSecret should be refreshed: - - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter - - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval. 
- No periodic updates occur if refreshInterval is 0. - - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes - enum: - - CreatedOnce - - Periodic - - OnChange - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created, - there can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret. - Defaults to "Owner" - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret. - Defaults to "Retain" - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - manifest: - description: |- - Manifest defines a custom Kubernetes resource to create instead of a Secret. - When specified, ExternalSecret will create the resource type defined here - (e.g., ConfigMap, Custom Resource) instead of a Secret. - Warning: Using Generic target. Make sure access policies and encryption are properly configured. 
- properties: - apiVersion: - description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application) - minLength: 1 - type: string - kind: - description: Kind of the target resource (e.g., "ConfigMap", "Application") - minLength: 1 - type: string - required: - - apiVersion - - kind - type: object - name: - description: |- - The name of the Secret resource to be managed. - Defaults to the .metadata.name of the ExternalSecret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v2 - type: string - mergePolicy: - default: Replace - description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data. - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - description: |- - TemplateFrom specifies a source for templates. - Each item in the list can either reference a ConfigMap or a Secret resource. - properties: - configMap: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. 
- properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - target: - default: Data - description: |- - Target specifies where to place the template result. - For Secret resources, common values are: "Data", "Annotations", "Labels". 
- For custom resources (when spec.target.manifest is set), this supports - nested paths like "spec.database.config" or "data". - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: |- - The labels to select by to find the Namespaces to create the ExternalSecrets in. - Deprecated: Use NamespaceSelectors instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelectors: - description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. 
- items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - namespaces: - description: |- - Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. - Deprecated: Use NamespaceSelectors instead. 
- items: - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: array - refreshTime: - description: The time in which the controller should reconcile its objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - description: ClusterExternalSecretStatusCondition defines the observed state of a ClusterExternalSecret resource. - properties: - message: - type: string - status: - type: string - type: - description: ClusterExternalSecretConditionType defines a value type for ClusterExternalSecret conditions. - type: string - required: - - status - - type - type: object - type: array - externalSecretName: - description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret - type: string - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. 
- properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.externalSecretSpec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshTime - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - deprecated: true - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. 
- properties: - externalSecretMetadata: - description: The metadata of the external secrets to be created - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - externalSecretName: - description: |- - The name of the external secrets to be created. - Defaults to the name of the ClusterExternalSecret - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: The key in the Kubernetes Secret to store the value. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will be pulled. - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options. - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. 
Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - description: ExternalSecretRewrite defines rules on how to rewrite secret keys. - maxProperties: 1 - minProperties: 1 - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. 
- The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider, - specified as Golang Duration strings. - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - Example values: "1h", "2h30m", "10s" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - refreshPolicy: - description: |- - RefreshPolicy determines how the ExternalSecret should be refreshed: - - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter - - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval. - No periodic updates occur if refreshInterval is 0. - - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes - enum: - - CreatedOnce - - Periodic - - OnChange - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret. - Defaults to "Owner" - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret. - Defaults to "Retain" - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - The name of the Secret resource to be managed. - Defaults to the .metadata.name of the ExternalSecret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v2 - type: string - mergePolicy: - default: Replace - description: TemplateMergePolicy defines how template values should be merged when generating a secret. 
- enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - description: TemplateFrom defines a source for template data. - properties: - configMap: - description: TemplateRef defines a reference to a template source in a ConfigMap or Secret. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope defines the scope of the template when processing template data. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - description: TemplateRef defines a reference to a template source in a ConfigMap or Secret. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope defines the scope of the template when processing template data. 
- enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - target: - default: Data - description: TemplateTarget defines the target field where the template result will be stored. - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelectors: - description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - type: array - namespaces: - description: |- - Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. - Deprecated: Use NamespaceSelectors instead. - items: - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: array - refreshTime: - description: The time in which the controller should reconcile its objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - description: ClusterExternalSecretStatusCondition indicates the status of the ClusterExternalSecret. - properties: - message: - type: string - status: - type: string - type: - description: ClusterExternalSecretConditionType indicates the condition of the ClusterExternalSecret. - type: string - required: - - status - - type - type: object - type: array - externalSecretName: - description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret - type: string - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. 
- properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: false - storage: false - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/clustergenerator.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: clustergenerators.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: ClusterGenerator - listKind: ClusterGeneratorList - plural: clustergenerators - singular: clustergenerator - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterGenerator represents a cluster-wide generator which can be referenced as part of `generatorRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterGeneratorSpec defines the desired state of a ClusterGenerator. - properties: - generator: - description: Generator the spec for this generator, must match the kind. - maxProperties: 1 - minProperties: 1 - properties: - acrAccessTokenSpec: - description: |- - ACRAccessTokenSpec defines how to generate the access token - e.g. how to authenticate and which registry to use. - see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview - properties: - auth: - description: ACRAuth defines the authentication methods for Azure Container Registry. - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: |- - AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication. - It uses static credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - - AzureStackCloud - type: string - registry: - description: |- - the domain name of the ACR registry - e.g. foobarexample.azurecr.io - type: string - scope: - description: |- - Define the scope for the access token, e.g. pull/push access for a repository. - if not provided it will return a refresh token that has full scope. - Note: you need to pin it down to the repository level, there is no wildcard available. - - examples: - repository:my-repository:pull,push - repository:my-repository:pull - - see docs for details: https://docs.docker.com/registry/spec/auth/scope/ - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - cloudsmithAccessTokenSpec: - description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication. - properties: - apiUrl: - description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io. 
- type: string - orgSlug: - description: OrgSlug is the organization slug in Cloudsmith - type: string - serviceAccountRef: - description: Name of the service account you are federating with - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - serviceSlug: - description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication - type: string - required: - - orgSlug - - serviceAccountRef - - serviceSlug - type: object - ecrAuthorizationTokenSpec: - description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token. - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - scope: - description: |- - Scope specifies the ECR service scope. - Valid options are private and public. - type: string - required: - - region - type: object - fakeSpec: - description: FakeSpec contains the static data. 
- properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - data: - additionalProperties: - type: string - description: |- - Data defines the static data returned - by this generator. - type: object - type: object - gcrAccessTokenSpec: - description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token. - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials. - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - workloadIdentity: - description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication. - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. 
- properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - workloadIdentityFederation: - description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens. - properties: - audience: - description: |- - audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool. - If specified, Audience found in the external account credential config will be overridden with the configured value. - audience must be provided when serviceAccountRef or awsSecurityCredentials is configured. - type: string - awsSecurityCredentials: - description: |- - awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token, - when using the AWS metadata server is not an option. - properties: - awsCredentialsSecretRef: - description: |- - awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials. - Secret should be created with below names for keys - - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user. 
- - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services. - - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services. - properties: - name: - description: name of the secret. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: namespace in which the secret exists. If empty, secret will looked up in local namespace. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - region: - description: region is for configuring the AWS region to be used. - example: ap-south-1 - maxLength: 50 - minLength: 1 - pattern: ^[a-z0-9-]+$ - type: string - required: - - awsCredentialsSecretRef - - region - type: object - credConfig: - description: |- - credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data. - For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead - serviceAccountRef must be used by providing operators service account details. - properties: - key: - description: key name holding the external account credential config. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: name of the configmap. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - key - - name - type: object - externalTokenEndpoint: - description: |- - externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the - credential_source.url in the provided credConfig. This field is merely to double-check the external token source - URL is having the expected value. - type: string - serviceAccountRef: - description: |- - serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens, - when Kubernetes is configured as provider in workload identity pool. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - githubAccessTokenSpec: - description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token. - properties: - appID: - type: string - auth: - description: Auth configures how ESO authenticates with a Github instance. 
- properties: - privateKey: - description: GithubSecretRef references a secret containing GitHub credentials. - properties: - secretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - secretRef - type: object - required: - - privateKey - type: object - installID: - type: string - permissions: - additionalProperties: - type: string - description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has. - type: object - repositories: - description: |- - List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App - is installed to. - items: - type: string - type: array - url: - description: URL configures the GitHub instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installID - type: object - grafanaSpec: - description: GrafanaSpec controls the behavior of the grafana generator. - properties: - auth: - description: |- - Auth is the authentication configuration to authenticate - against the Grafana instance. 
- properties: - basic: - description: |- - Basic auth credentials used to authenticate against the Grafana instance. - Note: you need a token which has elevated permissions to create service accounts. - See here for the documentation on basic roles offered by Grafana: - https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/ - properties: - password: - description: A basic auth password used to authenticate against the Grafana instance. - properties: - key: - description: The key where the token is found. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - username: - description: A basic auth username used to authenticate against the Grafana instance. - type: string - required: - - password - - username - type: object - token: - description: |- - A service account token used to authenticate against the Grafana instance. - Note: you need a token which has elevated permissions to create service accounts. - See here for the documentation on basic roles offered by Grafana: - https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/ - properties: - key: - description: The key where the token is found. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - serviceAccount: - description: |- - ServiceAccount is the configuration for the service account that - is supposed to be generated by the generator. 
- properties: - name: - description: Name is the name of the service account that will be created by ESO. - type: string - role: - description: |- - Role is the role of the service account. - See here for the documentation on basic roles offered by Grafana: - https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/ - type: string - required: - - name - - role - type: object - url: - description: URL is the URL of the Grafana instance. - type: string - required: - - auth - - serviceAccount - - url - type: object - mfaSpec: - description: MFASpec controls the behavior of the mfa generator. - properties: - algorithm: - description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC. - type: string - length: - description: Length defines the token length. Defaults to 6 characters. - type: integer - secret: - description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - timePeriod: - description: TimePeriod defines how long the token can be active. Defaults to 30 seconds. - type: integer - when: - description: When defines a time parameter that can be used to pin the origin time of the generated token. 
- format: date-time - type: string - required: - - secret - type: object - passwordSpec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: |- - Digits specifies the number of digits in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - encoding: - default: raw - description: |- - Encoding specifies the encoding of the generated password. - Valid values are: - - "raw" (default): no encoding - - "base64": standard base64 encoding - - "base64url": base64url encoding - - "base32": base32 encoding - - "hex": hexadecimal encoding - enum: - - base64 - - base64url - - base32 - - hex - - raw - type: string - length: - default: 24 - description: |- - Length of the password to be generated. - Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: |- - SymbolCharacters specifies the special characters that should be used - in the generated password. - type: string - symbols: - description: |- - Symbols specifies the number of symbol characters in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - quayAccessTokenSpec: - description: QuayAccessTokenSpec defines the desired state to generate a Quay access token. - properties: - robotAccount: - description: Name of the robot account you are federating with - type: string - serviceAccountRef: - description: Name of the service account you are federating with - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - url: - description: URL configures the Quay instance URL. Defaults to quay.io. - type: string - required: - - robotAccount - - serviceAccountRef - type: object - sshKeySpec: - description: SSHKeySpec controls the behavior of the ssh key generator. - properties: - comment: - description: Comment specifies an optional comment for the SSH key - type: string - keySize: - description: |- - KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256). - For RSA keys: 2048, 3072, 4096 - For ECDSA keys: 256, 384, 521 - Ignored for ed25519 keys - maximum: 8192 - minimum: 256 - type: integer - keyType: - default: rsa - description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519) - enum: - - rsa - - ecdsa - - ed25519 - type: string - type: object - stsSessionTokenSpec: - description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token. - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. 
- properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. 
- Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - requestParameters: - description: RequestParameters contains parameters that can be passed to the STS service. 
- properties: - serialNumber: - description: |- - SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making - the GetSessionToken call. - Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device - (such as arn:aws:iam::123456789012:mfa/user) - type: string - sessionDuration: - format: int32 - type: integer - tokenCode: - description: TokenCode is the value provided by the MFA device, if MFA is required. - type: string - type: object - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - required: - - region - type: object - uuidSpec: - description: UUIDSpec controls the behavior of the uuid generator. - type: object - vaultDynamicSecretSpec: - description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret. - properties: - allowEmptyResponse: - default: false - description: Do not fail if no secrets are found. Useful for requests where no data is expected. - type: boolean - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. 
- properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - path: - default: cert - description: |- - Path where the Certificate authentication backend is mounted - in Vault, e.g: "cert" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - gcp: - description: |- - Gcp authenticates with Vault using Google Cloud Platform authentication method - GCP authentication method - properties: - location: - description: Location optionally defines a location/region for the secret - type: string - path: - default: gcp - description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"' - type: string - projectID: - description: Project ID of the Google Cloud Platform project - type: string - role: - description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine. - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - serviceAccountRef: - description: ServiceAccountRef to a service account for impersonation - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - workloadIdentity: - description: Specify a service account with Workload Identity - properties: - clusterLocation: - description: |- - ClusterLocation is the location of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterName: - description: |- - ClusterName is the name of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterProjectID: - description: |- - ClusterProjectID is the project ID of the cluster - If not specified, it fetches information from the metadata server - type: string - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - required: - - role - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. 
- properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. 
- type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is an LDAP username used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". 
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: userpass - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "userpass" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is a username used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - checkAndSet: - description: |- - CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations. - Only applies to Vault KV v2 stores. When enabled, write operations must include - the current version of the secret to prevent unintentional overwrites. 
- properties: - required: - description: |- - Required when true, all write operations must include a check-and-set parameter. - This helps prevent unintentional overwrites of secrets. - type: boolean - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. 
- It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - server - type: object - resultType: - default: Data - description: |- - Result type defines which data is returned from the generator. - By default, it is the "data" section of the Vault API response. - When using e.g. /auth/token/create the "data" section is empty but - the "auth" section contains the generated token. - Please refer to the vault docs regarding the result data structure. - Additionally, accessing the raw response is possibly by using "Raw" result type. - enum: - - Data - - Auth - - Raw - type: string - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - path - - provider - type: object - webhookSpec: - description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. - properties: - auth: - description: Auth specifies a authorization protocol. Only one protocol may be set. - maxProperties: 1 - minProperties: 1 - properties: - ntlm: - description: NTLMProtocol configures the store to use NTLM for auth - properties: - passwordSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - usernameSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecret - - usernameSecret - type: object - type: object - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: The namespace the Provider type is in. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - description: WebhookSecret defines a secret reference that will be used in webhook templates. - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key where the token is found. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - type: object - kind: - description: Kind the kind of this generator. 
- enum: - - ACRAccessToken - - CloudsmithAccessToken - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - type: string - required: - - generator - - kind - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/clusterpushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: clusterpushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - external-secrets - kind: ClusterPushSecret - listKind: ClusterPushSecretList - plural: clusterpushsecrets - singular: clusterpushsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterPushSecret is the Schema for the ClusterPushSecrets API that enables cluster-wide management of pushing Kubernetes secrets to external providers. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterPushSecretSpec defines the configuration for a ClusterPushSecret resource. - properties: - namespaceSelectors: - description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - type: array - pushSecretMetadata: - description: The metadata of the external secrets to be created - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - pushSecretName: - description: |- - The name of the push secrets to be created. - Defaults to the name of the ClusterPushSecret - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - pushSecretSpec: - description: PushSecretSpec defines what to do with the secrets. - properties: - data: - description: Secret Data that should be pushed to providers - items: - description: PushSecretData defines data to be pushed to the provider and associated metadata. - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: Deletion Policy to handle Secrets in the provider. 
- enum: - - Delete - - None - type: string - refreshInterval: - default: 1h - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - description: PushSecretStoreRef contains a reference on how to sync to a SecretStore. - properties: - kind: - default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - enum: - - SecretStore - - ClusterSecretStore - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: Point to a generator to create a Secret. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - CloudsmithAccessToken - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - - MFA - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - secret: - description: Select a Secret to Push. - properties: - name: - description: |- - Name of the Secret. - The Secret must exist in the same namespace as the PushSecret manifest. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - selector: - description: Selector chooses secrets using a labelSelector. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: object - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v2 - type: string - mergePolicy: - default: Replace - description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data. - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. 
- properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - description: |- - TemplateFrom specifies a source for templates. - Each item in the list can either reference a ConfigMap or a Secret resource. - properties: - configMap: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. 
- enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - target: - default: Data - description: |- - Target specifies where to place the template result. - For Secret resources, common values are: "Data", "Annotations", "Labels". - For custom resources (when spec.target.manifest is set), this supports - nested paths like "spec.database.config" or "data". - type: string - type: object - type: array - type: - type: string - type: object - updatePolicy: - default: Replace - description: UpdatePolicy to handle Secrets in the provider. - enum: - - Replace - - IfNotExists - type: string - required: - - secretStoreRefs - - selector - type: object - refreshTime: - description: The time in which the controller should reconcile its objects and recheck namespaces for labels. - type: string - required: - - pushSecretSpec - type: object - status: - description: ClusterPushSecretStatus contains the status information for the ClusterPushSecret resource. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an PushSecret - items: - description: ClusterPushSecretNamespaceFailure represents a failed namespace deployment and it's reason. 
- properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an PushSecret - type: string - reason: - description: Reason is why the PushSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets - items: - type: string - type: array - pushSecretName: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - external-secrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. 
If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessType: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessTypeParam: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: AlibabaRRSAAuth authenticates against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. 
- Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- externalID:
- description: AWS External ID set on assumed IAM roles
- type: string
- prefix:
- description: Prefix adds a prefix to all retrieved values. 
- type: string
- region:
- description: AWS Region to be used for the provider
- type: string
- role:
- description: Role is a Role ARN which the provider will assume
- type: string
- secretsManager:
- description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
- properties:
- forceDeleteWithoutRecovery:
- description: |-
- Specifies whether to delete the secret without any recovery window. You
- can't use both this parameter and RecoveryWindowInDays in the same call.
- If you don't use either, then by default Secrets Manager uses a 30 day
- recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
- type: boolean
- recoveryWindowInDays:
- description: |-
- The number of days from 7 to 30 that Secrets Manager waits before
- permanently deleting the secret. You can't use both this parameter and
- ForceDeleteWithoutRecovery in the same call. If you don't use either,
- then by default Secrets Manager uses a 30-day recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
- format: int64
- type: integer
- type: object
- service:
- description: Service defines which service should be used to fetch the secrets
- enum:
- - SecretsManager
- - ParameterStore
- type: string
- sessionTags:
- description: AWS STS assume role session tags
- items:
- description: |-
- Tag is a key-value pair that can be attached to an AWS resource.
- see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
- properties:
- key:
- type: string
- value:
- type: string
- required:
- - key
- - value
- type: object
- type: array
- transitiveTagKeys:
- description: AWS STS assume role transitive session tags. 
Required when multiple rules are used with the provider
- items:
- type: string
- type: array
- required:
- - region
- - service
- type: object
- azurekv:
- description: AzureKV configures this store to sync secrets using Azure Key Vault provider
- properties:
- authSecretRef:
- description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
- properties:
- clientCertificate:
- description: The Azure ClientCertificate of the service principle used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientId:
- description: The Azure clientId of the service principle or managed identity used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientSecret:
- description: The Azure ClientSecret of the service principle used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- tenantId:
- description: The Azure tenantId of the managed identity used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- authType:
- default: ServicePrincipal
- description: |-
- Auth type defines how to authenticate to the keyvault service. 
- Valid values are:
- - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
- - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
- enum:
- - ServicePrincipal
- - ManagedIdentity
- - WorkloadIdentity
- type: string
- customCloudConfig:
- description: |-
- CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.
- Required when EnvironmentType is AzureStackCloud.
- IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
- configuration is not supported with the legacy go-autorest SDK.
- properties:
- activeDirectoryEndpoint:
- description: |-
- ActiveDirectoryEndpoint is the AAD endpoint for authentication
- Required when using custom cloud configuration
- type: string
- keyVaultDNSSuffix:
- description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
- type: string
- keyVaultEndpoint:
- description: KeyVaultEndpoint is the Key Vault service endpoint
- type: string
- resourceManagerEndpoint:
- description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
- type: string
- required:
- - activeDirectoryEndpoint
- type: object
- environmentType:
- default: PublicCloud
- description: |-
- EnvironmentType specifies the Azure cloud environment endpoints to use for
- connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
- The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
- PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
- Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints. 
- enum:
- - PublicCloud
- - USGovernmentCloud
- - ChinaCloud
- - GermanCloud
- - AzureStackCloud
- type: string
- identityId:
- description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- tenantId:
- description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
- type: string
- useAzureSDK:
- default: false
- description: |-
- UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
- This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
- type: boolean
- vaultUrl:
- description: Vault Url from which the secrets to be fetched from.
- type: string
- required:
- - vaultUrl
- type: object
- beyondtrust:
- description: Beyondtrust configures this store to sync secrets using Password Safe provider.
- properties:
- auth:
- description: Auth configures how the operator authenticates with Beyondtrust. 
- properties:
- apiKey:
- description: APIKey If not provided then ClientID/ClientSecret become required.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- certificate:
- description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- certificateKey:
- description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientId:
- description: ClientID is the API OAuth Client ID.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientSecret:
- description: ClientSecret is the API OAuth Client Secret.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- type: object
- server:
- description: Auth configures how API server works.
- properties:
- apiUrl:
- type: string
- apiVersion:
- type: string
- clientTimeOutSeconds:
- description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
- type: integer
- retrievalType:
- description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
- type: string
- separator:
- description: A character that separates the folder names. 
- type: string
- verifyCA:
- type: boolean
- required:
- - apiUrl
- - verifyCA
- type: object
- required:
- - auth
- - server
- type: object
- bitwardensecretsmanager:
- description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
- properties:
- apiURL:
- type: string
- auth:
- description: |-
- Auth configures how secret-manager authenticates with a bitwarden machine account instance.
- Make sure that the token being used has permissions on the given secret.
- properties:
- secretRef:
- description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
- properties:
- credentials:
- description: AccessToken used for the bitwarden instance.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - credentials
- type: object
- required:
- - secretRef
- type: object
- bitwardenServerSDKURL:
- type: string
- caBundle:
- description: |-
- Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
- can be performed.
- type: string
- caProvider:
- description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap. 
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- identityURL:
- type: string
- organizationID:
- description: OrganizationID determines which organization this secret store manages.
- type: string
- projectID:
- description: ProjectID determines which project this secret store manages.
- type: string
- required:
- - auth
- - organizationID
- - projectID
- type: object
- chef:
- description: Chef configures this store to sync secrets with chef server
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against chef Server
- properties:
- secretRef:
- description: ChefAuthSecretRef holds secret references for chef server login credentials.
- properties:
- privateKeySecretRef:
- description: SecretKey is the Signing Key in PEM format, used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - privateKeySecretRef
- type: object
- required:
- - secretRef
- type: object
- serverUrl:
- description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
- type: string
- username:
- description: UserName should be the user ID on the chef server
- type: string
- required:
- - auth
- - serverUrl
- - username
- type: object
- cloudrusm:
- description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
- properties:
- auth:
- description: CSMAuth contains a secretRef for credentials.
- properties:
- secretRef:
- description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- type: object
- projectID:
- description: ProjectID is the project, which the secrets are stored in.
- type: string
- required:
- - auth
- type: object
- conjur:
- description: Conjur configures this store to sync secrets using conjur provider
- properties:
- auth:
- description: Defines authentication settings for connecting to Conjur.
- properties:
- apikey:
- description: Authenticates with Conjur using an API key.
- properties:
- account:
- description: Account is the Conjur organization account name.
- type: string
- apiKeyRef:
- description: |-
- A reference to a specific 'key' containing the Conjur API key
- within a Secret resource. In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- userRef:
- description: |-
- A reference to a specific 'key' containing the Conjur username
- within a Secret resource. In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - account
- - apiKeyRef
- - userRef
- type: object
- jwt:
- description: Jwt enables JWT authentication using Kubernetes service account tokens.
- properties:
- account:
- description: Account is the Conjur organization account name.
- type: string
- hostId:
- description: |-
- Optional HostID for JWT authentication. This may be used depending
- on how the Conjur JWT authenticator policy is configured.
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Conjur using the JWT authentication method.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to. 
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional ServiceAccountRef specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- serviceID:
- description: The conjur authn jwt webservice id
- type: string
- required:
- - account
- - serviceID
- type: object
- type: object
- caBundle:
- description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
- type: string
- caProvider:
- description: |-
- Used to provide custom certificate authority (CA) certificates
- for a secret store. The CAProvider points to a Secret or ConfigMap resource
- that contains a PEM-encoded certificate. 
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- url:
- description: URL is the endpoint of the Conjur instance.
- type: string
- required:
- - auth
- - url
- type: object
- delinea:
- description: |-
- Delinea DevOps Secrets Vault
- https://docs.delinea.com/online-help/products/devops-secrets-vault/current
- properties:
- clientId:
- description: ClientID is the non-secret part of the credential.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientSecret:
- description: ClientSecret is the secret part of the credential.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- tenant:
- description: Tenant is the chosen hostname / site name.
- type: string
- tld:
- description: |-
- TLD is based on the server location that was chosen during provisioning.
- If unset, defaults to "com".
- type: string
- urlTemplate:
- description: |-
- URLTemplate
- If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
- type: string
- required:
- - clientId
- - clientSecret
- - tenant
- type: object
- device42:
- description: Device42 configures this store to sync secrets using the Device42 provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Device42 instance. 
- properties: - secretRef: - description: Device42SecretRef contains the secret reference for accessing the Device42 instance. - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - description: DopplerAuthSecretRef contains the secret reference for accessing the Doppler API. - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - description: FakeProviderData defines a key-value pair with optional version for the fake provider. - properties: - key: - type: string - value: - type: string - version: - type: string - required: - - key - - value - type: object - type: array - validationResult: - description: ValidationResult is defined type for the number of validation results. - type: integer - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. 
- properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication. - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - workloadIdentity: - description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP. - properties: - clusterLocation: - description: |- - ClusterLocation is the location of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterName: - description: |- - ClusterName is the name of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterProjectID: - description: |- - ClusterProjectID is the project ID of the cluster - If not specified, it fetches information from the metadata server - type: string - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - workloadIdentityFederation: - description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens. 
- properties: - audience: - description: |- - audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool. - If specified, Audience found in the external account credential config will be overridden with the configured value. - audience must be provided when serviceAccountRef or awsSecurityCredentials is configured. - type: string - awsSecurityCredentials: - description: |- - awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token, - when using the AWS metadata server is not an option. - properties: - awsCredentialsSecretRef: - description: |- - awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials. - Secret should be created with below names for keys - - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user. - - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services. - - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services. - properties: - name: - description: name of the secret. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: namespace in which the secret exists. If empty, secret will looked up in local namespace. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - region: - description: region is for configuring the AWS region to be used. 
- example: ap-south-1 - maxLength: 50 - minLength: 1 - pattern: ^[a-z0-9-]+$ - type: string - required: - - awsCredentialsSecretRef - - region - type: object - credConfig: - description: |- - credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data. - For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead - serviceAccountRef must be used by providing operators service account details. - properties: - key: - description: key name holding the external account credential config. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: name of the configmap. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - key - - name - type: object - externalTokenEndpoint: - description: |- - externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the - credential_source.url in the provided credConfig. This field is merely to double-check the external token source - URL is having the expected value. - type: string - serviceAccountRef: - description: |- - serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens, - when Kubernetes is configured as provider in workload identity pool. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - secretVersionSelectionPolicy: - default: LatestOrFail - description: |- - SecretVersionSelectionPolicy specifies how the provider selects a secret version - when "latest" is disabled or destroyed. - Possible values are: - - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed. - - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED - type: string - type: object - github: - description: |- - Github configures this store to push GitHub Action secrets using GitHub API provider. - Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub - properties: - appID: - description: appID specifies the Github APP that will be used to authenticate the client - format: int64 - type: integer - auth: - description: auth configures how secret-manager authenticates with a Github instance. - properties: - privateKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. 
- properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - privateKey - type: object - environment: - description: environment will be used to fetch secrets from a particular environment within a github repository - type: string - installationID: - description: installationID specifies the Github APP installation that will be used to authenticate the client - format: int64 - type: integer - organization: - description: organization will be used to fetch secrets from the Github organization - type: string - repository: - description: repository will be used to fetch secrets from the Github repository within an organization - type: string - uploadURL: - description: Upload URL for enterprise instances. Default to URL. - type: string - url: - default: https://github.com/ - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installationID - - organization - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - description: GitlabSecretRef contains the secret reference for GitLab authentication credentials. 
- properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - SecretRef - type: object - caBundle: - description: |- - Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication. - properties: - iamEndpoint: - description: The IAM endpoint used to obain a token - type: string - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - awsAuthCredentials: - description: AwsAuthCredentials represents the credentials for AWS authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - type: object - azureAuthCredentials: - description: AzureAuthCredentials represents the credentials for Azure authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - resource: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - type: object - gcpIamAuthCredentials: - description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountKeyFilePath: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - - serviceAccountKeyFilePath - type: object - gcpIdTokenAuthCredentials: - description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - type: object - jwtAuthCredentials: - description: JwtAuthCredentials represents the credentials for JWT authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - jwt: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - - jwt - type: object - kubernetesAuthCredentials: - description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountTokenPath: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - type: object - ldapAuthCredentials: - description: LdapAuthCredentials represents the credentials for LDAP authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - ldapPassword: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - ldapUsername: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - - ldapPassword - - ldapUsername - type: object - ociAuthCredentials: - description: OciAuthCredentials represents the credentials for OCI authentication. - properties: - fingerprint: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privateKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privateKeyPassphrase: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - region: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - tenancyId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. 
- In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - fingerprint - - identityId - - privateKey - - region - - tenancyId - - userId - type: object - tokenAuthCredentials: - description: TokenAuthCredentials represents the credentials for access token-based authentication. - properties: - accessToken: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessToken - type: object - universalAuthCredentials: - description: UniversalAuthCredentials represents the client credentials for universal authentication. - properties: - clientId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api". - type: string - secretsScope: - description: SecretsScope defines the scope of the secrets within the workspace - properties: - environmentSlug: - description: EnvironmentSlug is the required slug identifier for the environment. - type: string - expandSecretReferences: - default: true - description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided. - type: boolean - projectSlug: - description: ProjectSlug is the required slug identifier for the project. - type: string - recursive: - default: false - description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided. - type: boolean - secretsPath: - default: / - description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided. - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. 
- Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - ngrok: - description: Ngrok configures this store to sync secrets using the ngrok provider. - properties: - apiUrl: - default: https://api.ngrok.com - description: APIURL is the URL of the ngrok API. - type: string - auth: - description: Auth configures how the ngrok provider authenticates with the ngrok API. - maxProperties: 1 - minProperties: 1 - properties: - apiKey: - description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication - properties: - secretRef: - description: SecretRef is a reference to a secret containing the ngrok API key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - vault: - description: Vault configures the ngrok vault to sync secrets with. - properties: - name: - description: Name is the name of the ngrok vault to sync secrets with. - type: string - required: - - name - type: object - required: - - auth - - vault - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - onepasswordSDK: - description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets. - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword API. - properties: - serviceAccountSecretRef: - description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - serviceAccountSecretRef - type: object - integrationInfo: - description: |- - IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK. - If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively. - properties: - name: - default: 1Password SDK - description: Name defaults to "1Password SDK". - type: string - version: - default: v1.0.0 - description: Version defaults to "v1.0.0". - type: string - type: object - vault: - description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically. - type: string - required: - - auth - - vault - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. 
- type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - description: |- - PassboltProvider provides access to Passbolt secrets manager. - See: https://www.passbolt.com. - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privateKeySecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication. - properties: - credentials: - description: Username / Password is used for authentication. 
- properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - previder: - description: Previder configures this store to sync secrets using the Previder provider - properties: - auth: - description: PreviderAuth contains a secretRef for credentials. - properties: - secretRef: - description: PreviderAuthSecretRef holds secret references for Previder Vault credentials. - properties: - accessToken: - description: The AccessToken is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessToken - type: object - type: object - baseUri: - type: string - required: - - auth - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/esc - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". 
- type: string - project: - description: Project is the name of the Pulumi ESC project the environment belongs to. - type: string - required: - - accessToken - - environment - - organization - - project - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. 
- Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used - if the ServerURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Secret ServerURL certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - domain: - description: Domain is the secret server domain. - type: string - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - path: - default: cert - description: |- - Path where the Certificate authentication backend is mounted - in Vault, e.g: "cert" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - gcp: - description: |- - Gcp authenticates with Vault using Google Cloud Platform authentication method - GCP authentication method - properties: - location: - description: Location optionally defines a location/region for the secret - type: string - path: - default: gcp - description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"' - type: string - projectID: - description: Project ID of the Google Cloud Platform project - type: string - role: - description: Vault Role. 
In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine. - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - serviceAccountRef: - description: ServiceAccountRef to a service account for impersonation - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - workloadIdentity: - description: Specify a service account with Workload Identity - properties: - clusterLocation: - description: |- - ClusterLocation is the location of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterName: - description: |- - ClusterName is the name of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterProjectID: - description: |- - ClusterProjectID is the project ID of the cluster - If not specified, it fetches information from the metadata server - type: string - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - required: - - role - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. 
- Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. 
- Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is an LDAP username used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: userpass - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "userpass" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is a username used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. 
- properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - checkAndSet: - description: |- - CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations. - Only applies to Vault KV v2 stores. When enabled, write operations must include - the current version of the secret to prevent unintentional overwrites. - properties: - required: - description: |- - Required when true, all write operations must include a check-and-set parameter. - This helps prevent unintentional overwrites of secrets. - type: boolean - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". 
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - server - type: object - volcengine: - description: Volcengine configures this store to sync secrets using the Volcengine provider - properties: - auth: - description: |- - Auth defines the authentication method to use. - If not specified, the provider will try to use IRSA (IAM Role for Service Account). 
- properties: - secretRef: - description: |- - SecretRef defines the static credentials to use for authentication. - If not set, IRSA is used. - properties: - accessKeyID: - description: AccessKeyID is the reference to the secret containing the Access Key ID. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKey: - description: SecretAccessKey is the reference to the secret containing the Secret Access Key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - token: - description: Token is the reference to the secret containing the STS(Security Token Service) Token. - properties: - key: - description: |- - A key in the referenced Secret. 
- Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyID - - secretAccessKey - type: object - type: object - region: - description: Region specifies the Volcengine region to connect to. - type: string - required: - - region - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - auth: - description: Auth specifies a authorization protocol. Only one protocol may be set. - maxProperties: 1 - minProperties: 1 - properties: - ntlm: - description: NTLMProtocol configures the store to use NTLM for auth - properties: - passwordSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - usernameSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecret - - usernameSecret - type: object - type: object - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: The namespace the Provider type is in. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - description: WebhookSecret defines a secret that will be passed to the webhook request. - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex.Cloud - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - fetching: - description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name - maxProperties: 1 - minProperties: 1 - properties: - byID: - description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID. - type: object - byName: - description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name. - properties: - folderID: - description: The folder to fetch secrets from - type: string - required: - - folderID - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex.Cloud - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - fetching: - description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name - maxProperties: 1 - minProperties: 1 - properties: - byID: - description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID. 
- type: object - byName: - description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name. - properties: - folderID: - description: The folder to fetch secrets from - type: string - required: - - folderID - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - description: SecretStoreStatusCondition contains condition information for a SecretStore. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: SecretStoreConditionType represents the condition of the SecretStore. 
- type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - deprecated: true - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. 
- properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessType: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessTypeParam: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. 
- properties: - rrsa: - description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication). - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster. - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. 
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - description: Tag defines a tag key and value for AWS resources. - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. 
- The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - beyondtrust: - description: Beyondtrust configures this store to sync secrets using Password Safe provider. - properties: - auth: - description: Auth configures how the operator authenticates with Beyondtrust. - properties: - apiKey: - description: APIKey If not provided then ClientID/ClientSecret become required. 
- properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - certificate: - description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - certificateKey: - description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientId: - description: ClientID is the API OAuth Client ID. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the API OAuth Client Secret. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - type: object - server: - description: Auth configures how API server works. - properties: - apiUrl: - type: string - apiVersion: - type: string - clientTimeOutSeconds: - description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds. - type: integer - retrievalType: - description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system. - type: string - separator: - description: A character that separates the folder names. 
- type: string - verifyCA: - type: boolean - required: - - apiUrl - - verifyCA - type: object - required: - - auth - - server - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - caProvider: - description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - cloudrusm: - description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider - properties: - auth: - description: CSMAuth contains a secretRef for credentials. - properties: - secretRef: - description: CSMAuthSecretRef holds secret references for Cloud.ru credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - projectID: - description: ProjectID is the project, which the secrets are stored in. - type: string - required: - - auth - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - description: Defines authentication settings for connecting to Conjur. - properties: - apikey: - description: Authenticates with Conjur using an API key. - properties: - account: - description: Account is the Conjur organization account name. - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' containing the Conjur API key - within a Secret resource. In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' containing the Conjur username - within a Secret resource. In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - description: Jwt enables JWT authentication using Kubernetes service account tokens. - properties: - account: - description: Account is the Conjur organization account name. - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate. - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. 
- properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - description: URL is the endpoint of the Conjur instance. - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. 
- properties: - secretRef: - description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider. - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider. - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - description: FakeProviderData defines a key-value pair for the fake provider used in testing. - properties: - key: - type: string - value: - type: string - version: - type: string - required: - - key - - value - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. 
- properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider. - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - workloadIdentity: - description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication. - properties: - clusterLocation: - description: |- - ClusterLocation is the location of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterName: - description: |- - ClusterName is the name of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterProjectID: - description: |- - ClusterProjectID is the project ID of the cluster - If not specified, it fetches information from the metadata server - type: string - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - github: - description: Github configures this store to push Github Action secrets using Github API provider - properties: - appID: - description: appID specifies the Github APP that will be used to authenticate the client - format: int64 - type: integer - auth: - description: auth configures how secret-manager authenticates with a Github instance. - properties: - privateKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - privateKey - type: object - environment: - description: environment will be used to fetch secrets from a particular environment within a github repository - type: string - installationID: - description: installationID specifies the Github APP installation that will be used to authenticate the client - format: int64 - type: integer - organization: - description: organization will be used to fetch secrets from the Github organization - type: string - repository: - description: repository will be used to fetch secrets from the Github repository within an organization - type: string - uploadURL: - description: Upload URL for enterprise instances. Default to URL. - type: string - url: - default: https://github.com/ - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installationID - - organization - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider. - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - SecretRef - type: object - caBundle: - description: |- - Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. 
- type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider. - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth. - properties: - clientId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api". - type: string - secretsScope: - description: SecretsScope defines the scope of the secrets within the workspace - properties: - environmentSlug: - description: EnvironmentSlug is the required slug identifier for the environment. - type: string - expandSecretReferences: - default: true - description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided. - type: boolean - projectSlug: - description: ProjectSlug is the required slug identifier for the project. - type: string - recursive: - default: false - description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided. - type: boolean - secretsPath: - default: / - description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided. 
- type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. 
- type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - description: PassboltProvider defines configuration for the Passbolt provider. - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: PasswordSecretRef is a reference to the secret containing the Passbolt password - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privateKeySecretRef: - description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider. - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - previder: - description: Previder configures this store to sync secrets using the Previder provider - properties: - auth: - description: PreviderAuth contains a secretRef for credentials. - properties: - secretRef: - description: PreviderAuthSecretRef holds secret references for Previder Vault credentials. - properties: - accessToken: - description: The AccessToken is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessToken - type: object - type: object - baseUri: - type: string - required: - - auth - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/esc - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". 
- type: string - project: - description: Project is the name of the Pulumi ESC project the environment belongs to. - type: string - required: - - accessToken - - environment - - organization - - project - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. 
- Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. 
- properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. 
- format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. 
If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is an LDAP username used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: userpass - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "userpass" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is a username used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. 
- properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. 
- type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - auth: - description: Auth specifies a authorization protocol. Only one protocol may be set. - maxProperties: 1 - minProperties: 1 - properties: - ntlm: - description: NTLMProtocol configures the store to use NTLM for auth - properties: - passwordSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. 
- Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - usernameSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecret - - usernameSecret - type: object - type: object - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. 
- format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: The namespace the Provider type is in. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - description: WebhookSecret defines a secret to be used in webhook templates. - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. 
- properties: - certSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - description: MaxRetries is the maximum number of retry attempts. - format: int32 - type: integer - retryInterval: - description: RetryInterval is the interval between retry attempts. - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. 
- type: string - conditions: - items: - description: SecretStoreStatusCondition defines the observed condition of the SecretStore. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: SecretStoreConditionType represents the condition type of the SecretStore. - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: false - storage: false - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ECRAuthorizationToken uses the GetAuthorizationToken API to retrieve an authorization token. - The authorization token is valid for 12 hours. - The authorizationToken returned is a base64 encoded string that can be decoded - and used in a docker login command to authenticate to a registry. - For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token. - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. 
- properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. 
- Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - scope: - description: |- - Scope specifies the ECR service scope. - Valid options are private and public. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - external-secrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.kind - name: StoreType - type: string - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: 
Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1 - schema: - openAPIV3Schema: - description: |- - ExternalSecret is the Schema for the external-secrets API. - It defines how to fetch data from external APIs and make it available as Kubernetes Secrets. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. 
- properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: The key in the Kubernetes Secret to store the value. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will be pulled. - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. 
- properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - CloudsmithAccessToken - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - - MFA - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: |- - ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data - when using DataFrom to fetch multiple values from a Provider. - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. 
- properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret. 
- maxProperties: 1 - minProperties: 1 - properties: - merge: - description: |- - Used to merge key/values in one single Secret - The resulting key will contain all values from the specified secrets - properties: - conflictPolicy: - default: Error - description: Used to define the policy to use in conflict resolution. - enum: - - Ignore - - Error - type: string - into: - default: "" - description: |- - Used to define the target key of the merge operation. - Required if strategy is JSON. Ignored otherwise. - type: string - priority: - description: Used to define key priority in conflict resolution. - items: - type: string - type: array - priorityPolicy: - default: Strict - description: Used to define the policy when a key in the priority list does not exist in the input. - enum: - - IgnoreNotFound - - Strict - type: string - strategy: - default: Extract - description: Used to define the strategy to use in the merge operation. - enum: - - Extract - - JSON - type: string - type: object - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. 
- Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - CloudsmithAccessToken - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - - MFA - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider, - specified as Golang Duration strings. - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - Example values: "1h", "2h30m", "10s" - May be set to zero to fetch and create it once. 
Defaults to 1h. - type: string - refreshPolicy: - description: |- - RefreshPolicy determines how the ExternalSecret should be refreshed: - - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter - - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval. - No periodic updates occur if refreshInterval is 0. - - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes - enum: - - CreatedOnce - - Periodic - - OnChange - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created, - there can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret. - Defaults to "Owner" - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret. - Defaults to "Retain" - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - manifest: - description: |- - Manifest defines a custom Kubernetes resource to create instead of a Secret. 
- When specified, ExternalSecret will create the resource type defined here - (e.g., ConfigMap, Custom Resource) instead of a Secret. - Warning: Using Generic target. Make sure access policies and encryption are properly configured. - properties: - apiVersion: - description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application) - minLength: 1 - type: string - kind: - description: Kind of the target resource (e.g., "ConfigMap", "Application") - minLength: 1 - type: string - required: - - apiVersion - - kind - type: object - name: - description: |- - The name of the Secret resource to be managed. - Defaults to the .metadata.name of the ExternalSecret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v2 - type: string - mergePolicy: - default: Replace - description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data. - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - description: |- - TemplateFrom specifies a source for templates. - Each item in the list can either reference a ConfigMap or a Secret resource. 
- properties: - configMap: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - target: - default: Data - description: |- - Target specifies where to place the template result. 
- For Secret resources, common values are: "Data", "Annotations", "Labels". - For custom resources (when spec.target.manifest is set), this supports - nested paths like "spec.database.config" or "data". - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - description: ExternalSecretStatus defines the observed state of ExternalSecret. - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - description: ExternalSecretStatusCondition defines a status condition of an ExternalSecret resource. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: ExternalSecretConditionType defines a value type for ExternalSecret conditions. 
- enum: - - Ready - - Deleted - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - selectableFields: - - jsonPath: .spec.secretStoreRef.name - - jsonPath: .spec.secretStoreRef.kind - - jsonPath: .spec.target.name - - jsonPath: .spec.refreshInterval - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.kind - name: StoreType - type: string - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - deprecated: true - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: The key in the Kubernetes Secret to store the value. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will be pulled. - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - Deprecated: The generatorRef is not implemented in .data[]. 
- this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options. - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. 
- properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - description: ExternalSecretRewrite defines rules on how to rewrite secret keys. 
- maxProperties: 1 - minProperties: 1 - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. 
- properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider, - specified as Golang Duration strings. - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - Example values: "1h", "2h30m", "10s" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - refreshPolicy: - description: |- - RefreshPolicy determines how the ExternalSecret should be refreshed: - - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter - - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval. 
- No periodic updates occur if refreshInterval is 0. - - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes - enum: - - CreatedOnce - - Periodic - - OnChange - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - enum: - - SecretStore - - ClusterSecretStore - type: string - name: - description: Name of the SecretStore resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret. - Defaults to "Owner" - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret. - Defaults to "Retain" - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - The name of the Secret resource to be managed. - Defaults to the .metadata.name of the ExternalSecret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - template: - description: Template defines a blueprint for the created Secret resource. 
- properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v2 - type: string - mergePolicy: - default: Replace - description: TemplateMergePolicy defines how template values should be merged when generating a secret. - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - description: TemplateFrom defines a source for template data. - properties: - configMap: - description: TemplateRef defines a reference to a template source in a ConfigMap or Secret. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope defines the scope of the template when processing template data. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - description: TemplateRef defines a reference to a template source in a ConfigMap or Secret. 
- properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope defines the scope of the template when processing template data. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - target: - default: Data - description: TemplateTarget defines the target field where the template result will be stored. - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - description: ExternalSecretStatus defines the observed state of ExternalSecret. - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - description: ExternalSecretStatusCondition contains condition information for an ExternalSecret. 
- properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: ExternalSecretConditionType defines the condition type for an ExternalSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: false - storage: false - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: Fake - listKind: FakeList - plural: fakes - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Fake generator is used for testing. It lets you define - a static set of credentials that is always returned. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. 
- Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - data: - additionalProperties: - type: string - description: |- - Data defines the static data returned - by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - GCRAccessToken generates an GCP access token - that can be used to authenticate with GCR. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. 
- Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token. - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials. - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - workloadIdentity: - description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication. - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - workloadIdentityFederation: - description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens. - properties: - audience: - description: |- - audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool. - If specified, Audience found in the external account credential config will be overridden with the configured value. - audience must be provided when serviceAccountRef or awsSecurityCredentials is configured. - type: string - awsSecurityCredentials: - description: |- - awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token, - when using the AWS metadata server is not an option. - properties: - awsCredentialsSecretRef: - description: |- - awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials. - Secret should be created with below names for keys - - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user. - - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services. 
- - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services. - properties: - name: - description: name of the secret. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: namespace in which the secret exists. If empty, secret will looked up in local namespace. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - region: - description: region is for configuring the AWS region to be used. - example: ap-south-1 - maxLength: 50 - minLength: 1 - pattern: ^[a-z0-9-]+$ - type: string - required: - - awsCredentialsSecretRef - - region - type: object - credConfig: - description: |- - credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data. - For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead - serviceAccountRef must be used by providing operators service account details. - properties: - key: - description: key name holding the external account credential config. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: name of the configmap. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - key - - name - type: object - externalTokenEndpoint: - description: |- - externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the - credential_source.url in the provided credConfig. This field is merely to double-check the external token source - URL is having the expected value. - type: string - serviceAccountRef: - description: |- - serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens, - when Kubernetes is configured as provider in workload identity pool. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/generatorstate.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: generatorstates.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: GeneratorState - listKind: GeneratorStateList - plural: generatorstates - shortNames: - - gs - singular: generatorstate - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.garbageCollectionDeadline - name: GC Deadline - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: GeneratorState represents the state created and managed by a generator resource. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GeneratorStateSpec defines the desired state of a generator state resource. - properties: - garbageCollectionDeadline: - description: |- - GarbageCollectionDeadline is the time after which the generator state - will be deleted. - It is set by the controller which creates the generator state and - can be set configured by the user. - If the garbage collection deadline is not set the generator state will not be deleted. - format: date-time - type: string - resource: - description: |- - Resource is the generator manifest that produced the state. - It is a snapshot of the generator manifest at the time the state was produced. - This manifest will be used to delete the resource. Any configuration that is referenced - in the manifest should be available at the time of garbage collection. If that is not the case deletion will - be blocked by a finalizer. - x-kubernetes-preserve-unknown-fields: true - state: - description: State is the state that was produced by the generator implementation. - x-kubernetes-preserve-unknown-fields: true - required: - - resource - - state - type: object - status: - description: GeneratorStateStatus defines the observed state of a generator state resource. - properties: - conditions: - items: - description: GeneratorStateStatusCondition represents the observed condition of a generator state. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: GeneratorStateConditionType represents the type of condition for a generator state. 
- type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: githubaccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: GithubAccessToken - listKind: GithubAccessTokenList - plural: githubaccesstokens - singular: githubaccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GithubAccessToken generates ghs_ accessToken - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token. - properties: - appID: - type: string - auth: - description: Auth configures how ESO authenticates with a Github instance. - properties: - privateKey: - description: GithubSecretRef references a secret containing GitHub credentials. 
- properties: - secretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - secretRef - type: object - required: - - privateKey - type: object - installID: - type: string - permissions: - additionalProperties: - type: string - description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has. - type: object - repositories: - description: |- - List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App - is installed to. - items: - type: string - type: array - url: - description: URL configures the GitHub instance URL. Defaults to https://github.com/. 
- type: string - required: - - appID - - auth - - installID - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/grafana.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: grafanas.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: Grafana - listKind: GrafanaList - plural: grafanas - singular: grafana - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Grafana represents a generator for Grafana service account tokens. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GrafanaSpec controls the behavior of the grafana generator. - properties: - auth: - description: |- - Auth is the authentication configuration to authenticate - against the Grafana instance. - properties: - basic: - description: |- - Basic auth credentials used to authenticate against the Grafana instance. - Note: you need a token which has elevated permissions to create service accounts. 
- See here for the documentation on basic roles offered by Grafana: - https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/ - properties: - password: - description: A basic auth password used to authenticate against the Grafana instance. - properties: - key: - description: The key where the token is found. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - username: - description: A basic auth username used to authenticate against the Grafana instance. - type: string - required: - - password - - username - type: object - token: - description: |- - A service account token used to authenticate against the Grafana instance. - Note: you need a token which has elevated permissions to create service accounts. - See here for the documentation on basic roles offered by Grafana: - https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/ - properties: - key: - description: The key where the token is found. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - serviceAccount: - description: |- - ServiceAccount is the configuration for the service account that - is supposed to be generated by the generator. - properties: - name: - description: Name is the name of the service account that will be created by ESO. - type: string - role: - description: |- - Role is the role of the service account. 
- See here for the documentation on basic roles offered by Grafana: - https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/ - type: string - required: - - name - - role - type: object - url: - description: URL is the URL of the Grafana instance. - type: string - required: - - auth - - serviceAccount - - url - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/mfa.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: mfas.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: MFA - listKind: MFAList - plural: mfas - singular: mfa - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: MFA generates a new TOTP token that is compliant with RFC 6238. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: MFASpec controls the behavior of the mfa generator. 
- properties: - algorithm: - description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC. - type: string - length: - description: Length defines the token length. Defaults to 6 characters. - type: integer - secret: - description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - timePeriod: - description: TimePeriod defines how long the token can be active. Defaults to 30 seconds. - type: integer - when: - description: When defines a time parameter that can be used to pin the origin time of the generated token. 
- format: date-time - type: string - required: - - secret - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: Password - listKind: PasswordList - plural: passwords - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Password generates a random password based on the - configuration parameters in spec. - You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: |- - Digits specifies the number of digits in the generated - password. 
If omitted it defaults to 25% of the length of the password - type: integer - encoding: - default: raw - description: |- - Encoding specifies the encoding of the generated password. - Valid values are: - - "raw" (default): no encoding - - "base64": standard base64 encoding - - "base64url": base64url encoding - - "base32": base32 encoding - - "hex": hexadecimal encoding - enum: - - base64 - - base64url - - base32 - - hex - - raw - type: string - length: - default: 24 - description: |- - Length of the password to be generated. - Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: |- - SymbolCharacters specifies the special characters that should be used - in the generated password. - type: string - symbols: - description: |- - Symbols specifies the number of symbol characters in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - external-secrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - shortNames: - - ps - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: PushSecret is the Schema for the PushSecrets API that 
enables pushing Kubernetes secrets to external secret providers. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - description: PushSecretData defines data to be pushed to the provider and associated metadata. - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. 
- x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: Deletion Policy to handle Secrets in the provider. - enum: - - Delete - - None - type: string - refreshInterval: - default: 1h - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - description: PushSecretStoreRef contains a reference on how to sync to a SecretStore. - properties: - kind: - default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - enum: - - SecretStore - - ClusterSecretStore - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: Point to a generator to create a Secret. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - CloudsmithAccessToken - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - - MFA - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - secret: - description: Select a Secret to Push. - properties: - name: - description: |- - Name of the Secret. - The Secret must exist in the same namespace as the PushSecret manifest. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - selector: - description: Selector chooses secrets using a labelSelector. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: object - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v2 - type: string - mergePolicy: - default: Replace - description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data. - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. 
- properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - description: |- - TemplateFrom specifies a source for templates. - Each item in the list can either reference a ConfigMap or a Secret resource. - properties: - configMap: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. 
- enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - target: - default: Data - description: |- - Target specifies where to place the template result. - For Secret resources, common values are: "Data", "Annotations", "Labels". - For custom resources (when spec.target.manifest is set), this supports - nested paths like "spec.database.config" or "data". - type: string - type: object - type: array - type: - type: string - type: object - updatePolicy: - default: Replace - description: UpdatePolicy to handle Secrets in the provider. - enum: - - Replace - - IfNotExists - type: string - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - description: PushSecretData defines data to be pushed to the provider and associated metadata. 
- properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: object - description: |- - Synced PushSecrets, including secrets that already exist in provider. - Matches secret stores to PushSecretData that was stored to that secret store. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/quayaccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: quayaccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: QuayAccessToken - listKind: QuayAccessTokenList - plural: quayaccesstokens - singular: quayaccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: QuayAccessToken generates Quay oauth token for pulling/pushing images - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: QuayAccessTokenSpec defines the desired state to generate a Quay access token. 
- properties: - robotAccount: - description: Name of the robot account you are federating with - type: string - serviceAccountRef: - description: Name of the service account you are federating with - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - url: - description: URL configures the Quay instance URL. Defaults to quay.io. 
- type: string - required: - - robotAccount - - serviceAccountRef - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - external-secrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. 
- properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessType: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessTypeParam: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: AlibabaRRSAAuth authenticates against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. 
- type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30-day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - description: |- - Tag is a key-value pair that can be attached to an AWS resource. - see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. 
Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. 
- Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - customCloudConfig: - description: |- - CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints. - Required when EnvironmentType is AzureStackCloud. - IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud - configuration is not supported with the legacy go-autorest SDK. - properties: - activeDirectoryEndpoint: - description: |- - ActiveDirectoryEndpoint is the AAD endpoint for authentication - Required when using custom cloud configuration - type: string - keyVaultDNSSuffix: - description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs - type: string - keyVaultEndpoint: - description: KeyVaultEndpoint is the Key Vault service endpoint - type: string - resourceManagerEndpoint: - description: ResourceManagerEndpoint is the Azure Resource Manager endpoint - type: string - required: - - activeDirectoryEndpoint - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud - Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints. 
- enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - - AzureStackCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - useAzureSDK: - default: false - description: |- - UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK. - This is experimental and may have behavioral differences. Defaults to false (legacy SDK). - type: boolean - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - beyondtrust: - description: Beyondtrust configures this store to sync secrets using Password Safe provider. - properties: - auth: - description: Auth configures how the operator authenticates with Beyondtrust. 
- properties: - apiKey: - description: APIKey If not provided then ClientID/ClientSecret become required. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - certificate: - description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - certificateKey: - description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientId: - description: ClientID is the API OAuth Client ID. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the API OAuth Client Secret. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - type: object - server: - description: Auth configures how API server works. - properties: - apiUrl: - type: string - apiVersion: - type: string - clientTimeOutSeconds: - description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds. - type: integer - retrievalType: - description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system. - type: string - separator: - description: A character that separates the folder names. 
- type: string - verifyCA: - type: boolean - required: - - apiUrl - - verifyCA - type: object - required: - - auth - - server - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - caProvider: - description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - cloudrusm: - description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider - properties: - auth: - description: CSMAuth contains a secretRef for credentials. - properties: - secretRef: - description: CSMAuthSecretRef holds secret references for Cloud.ru credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - projectID: - description: ProjectID is the project, which the secrets are stored in. - type: string - required: - - auth - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - description: Defines authentication settings for connecting to Conjur. - properties: - apikey: - description: Authenticates with Conjur using an API key. - properties: - account: - description: Account is the Conjur organization account name. - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' containing the Conjur API key - within a Secret resource. In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' containing the Conjur username - within a Secret resource. In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - description: Jwt enables JWT authentication using Kubernetes service account tokens. - properties: - account: - description: Account is the Conjur organization account name. - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate. - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. 
- properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - description: URL is the endpoint of the Conjur instance. - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. 
- properties: - secretRef: - description: Device42SecretRef contains the secret reference for accessing the Device42 instance. - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - description: DopplerAuthSecretRef contains the secret reference for accessing the Doppler API. - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - description: FakeProviderData defines a key-value pair with optional version for the fake provider. - properties: - key: - type: string - value: - type: string - version: - type: string - required: - - key - - value - type: object - type: array - validationResult: - description: ValidationResult is defined type for the number of validation results. - type: integer - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. 
- properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication. - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - workloadIdentity: - description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP. - properties: - clusterLocation: - description: |- - ClusterLocation is the location of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterName: - description: |- - ClusterName is the name of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterProjectID: - description: |- - ClusterProjectID is the project ID of the cluster - If not specified, it fetches information from the metadata server - type: string - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - workloadIdentityFederation: - description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens. 
- properties: - audience: - description: |- - audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool. - If specified, Audience found in the external account credential config will be overridden with the configured value. - audience must be provided when serviceAccountRef or awsSecurityCredentials is configured. - type: string - awsSecurityCredentials: - description: |- - awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token, - when using the AWS metadata server is not an option. - properties: - awsCredentialsSecretRef: - description: |- - awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials. - Secret should be created with below names for keys - - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user. - - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services. - - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services. - properties: - name: - description: name of the secret. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: namespace in which the secret exists. If empty, secret will looked up in local namespace. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - region: - description: region is for configuring the AWS region to be used. 
- example: ap-south-1 - maxLength: 50 - minLength: 1 - pattern: ^[a-z0-9-]+$ - type: string - required: - - awsCredentialsSecretRef - - region - type: object - credConfig: - description: |- - credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data. - For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead - serviceAccountRef must be used by providing operators service account details. - properties: - key: - description: key name holding the external account credential config. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: name of the configmap. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - key - - name - type: object - externalTokenEndpoint: - description: |- - externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the - credential_source.url in the provided credConfig. This field is merely to double-check the external token source - URL is having the expected value. - type: string - serviceAccountRef: - description: |- - serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens, - when Kubernetes is configured as provider in workload identity pool. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - secretVersionSelectionPolicy: - default: LatestOrFail - description: |- - SecretVersionSelectionPolicy specifies how the provider selects a secret version - when "latest" is disabled or destroyed. - Possible values are: - - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed. - - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED - type: string - type: object - github: - description: |- - Github configures this store to push GitHub Action secrets using GitHub API provider. - Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub - properties: - appID: - description: appID specifies the Github APP that will be used to authenticate the client - format: int64 - type: integer - auth: - description: auth configures how secret-manager authenticates with a Github instance. - properties: - privateKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. 
- properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - privateKey - type: object - environment: - description: environment will be used to fetch secrets from a particular environment within a github repository - type: string - installationID: - description: installationID specifies the Github APP installation that will be used to authenticate the client - format: int64 - type: integer - organization: - description: organization will be used to fetch secrets from the Github organization - type: string - repository: - description: repository will be used to fetch secrets from the Github repository within an organization - type: string - uploadURL: - description: Upload URL for enterprise instances. Default to URL. - type: string - url: - default: https://github.com/ - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installationID - - organization - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - description: GitlabSecretRef contains the secret reference for GitLab authentication credentials. 
- properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - SecretRef - type: object - caBundle: - description: |- - Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication. - properties: - iamEndpoint: - description: The IAM endpoint used to obain a token - type: string - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - awsAuthCredentials: - description: AwsAuthCredentials represents the credentials for AWS authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - type: object - azureAuthCredentials: - description: AzureAuthCredentials represents the credentials for Azure authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - resource: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - type: object - gcpIamAuthCredentials: - description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountKeyFilePath: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - - serviceAccountKeyFilePath - type: object - gcpIdTokenAuthCredentials: - description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - type: object - jwtAuthCredentials: - description: JwtAuthCredentials represents the credentials for JWT authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - jwt: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - - jwt - type: object - kubernetesAuthCredentials: - description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountTokenPath: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - type: object - ldapAuthCredentials: - description: LdapAuthCredentials represents the credentials for LDAP authentication. - properties: - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - ldapPassword: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - ldapUsername: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - identityId - - ldapPassword - - ldapUsername - type: object - ociAuthCredentials: - description: OciAuthCredentials represents the credentials for OCI authentication. - properties: - fingerprint: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - identityId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privateKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privateKeyPassphrase: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - region: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - tenancyId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. 
- In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - fingerprint - - identityId - - privateKey - - region - - tenancyId - - userId - type: object - tokenAuthCredentials: - description: TokenAuthCredentials represents the credentials for access token-based authentication. - properties: - accessToken: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessToken - type: object - universalAuthCredentials: - description: UniversalAuthCredentials represents the client credentials for universal authentication. - properties: - clientId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api". - type: string - secretsScope: - description: SecretsScope defines the scope of the secrets within the workspace - properties: - environmentSlug: - description: EnvironmentSlug is the required slug identifier for the environment. - type: string - expandSecretReferences: - default: true - description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided. - type: boolean - projectSlug: - description: ProjectSlug is the required slug identifier for the project. - type: string - recursive: - default: false - description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided. - type: boolean - secretsPath: - default: / - description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided. - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. 
- Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - ngrok: - description: Ngrok configures this store to sync secrets using the ngrok provider. - properties: - apiUrl: - default: https://api.ngrok.com - description: APIURL is the URL of the ngrok API. - type: string - auth: - description: Auth configures how the ngrok provider authenticates with the ngrok API. - maxProperties: 1 - minProperties: 1 - properties: - apiKey: - description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication - properties: - secretRef: - description: SecretRef is a reference to a secret containing the ngrok API key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - vault: - description: Vault configures the ngrok vault to sync secrets with. - properties: - name: - description: Name is the name of the ngrok vault to sync secrets with. - type: string - required: - - name - type: object - required: - - auth - - vault - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - onepasswordSDK: - description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets. - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword API. - properties: - serviceAccountSecretRef: - description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - serviceAccountSecretRef - type: object - integrationInfo: - description: |- - IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK. - If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively. - properties: - name: - default: 1Password SDK - description: Name defaults to "1Password SDK". - type: string - version: - default: v1.0.0 - description: Version defaults to "v1.0.0". - type: string - type: object - vault: - description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically. - type: string - required: - - auth - - vault - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. 
- type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - description: |- - PassboltProvider provides access to Passbolt secrets manager. - See: https://www.passbolt.com. - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privateKeySecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication. - properties: - credentials: - description: Username / Password is used for authentication. 
- properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - previder: - description: Previder configures this store to sync secrets using the Previder provider - properties: - auth: - description: PreviderAuth contains a secretRef for credentials. - properties: - secretRef: - description: PreviderAuthSecretRef holds secret references for Previder Vault credentials. - properties: - accessToken: - description: The AccessToken is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessToken - type: object - type: object - baseUri: - type: string - required: - - auth - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/esc - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". 
- type: string - project: - description: Project is the name of the Pulumi ESC project the environment belongs to. - type: string - required: - - accessToken - - environment - - organization - - project - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. 
- Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used - if the ServerURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Secret ServerURL certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - domain: - description: Domain is the secret server domain. - type: string - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - path: - default: cert - description: |- - Path where the Certificate authentication backend is mounted - in Vault, e.g: "cert" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - gcp: - description: |- - Gcp authenticates with Vault using Google Cloud Platform authentication method - GCP authentication method - properties: - location: - description: Location optionally defines a location/region for the secret - type: string - path: - default: gcp - description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"' - type: string - projectID: - description: Project ID of the Google Cloud Platform project - type: string - role: - description: Vault Role. 
In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine. - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - serviceAccountRef: - description: ServiceAccountRef to a service account for impersonation - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - workloadIdentity: - description: Specify a service account with Workload Identity - properties: - clusterLocation: - description: |- - ClusterLocation is the location of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterName: - description: |- - ClusterName is the name of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterProjectID: - description: |- - ClusterProjectID is the project ID of the cluster - If not specified, it fetches information from the metadata server - type: string - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - required: - - role - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. 
- Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. 
- Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is an LDAP username used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: userpass - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "userpass" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is a username used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. 
- properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - checkAndSet: - description: |- - CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations. - Only applies to Vault KV v2 stores. When enabled, write operations must include - the current version of the secret to prevent unintentional overwrites. - properties: - required: - description: |- - Required when true, all write operations must include a check-and-set parameter. - This helps prevent unintentional overwrites of secrets. - type: boolean - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". 
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - server - type: object - volcengine: - description: Volcengine configures this store to sync secrets using the Volcengine provider - properties: - auth: - description: |- - Auth defines the authentication method to use. - If not specified, the provider will try to use IRSA (IAM Role for Service Account). 
- properties: - secretRef: - description: |- - SecretRef defines the static credentials to use for authentication. - If not set, IRSA is used. - properties: - accessKeyID: - description: AccessKeyID is the reference to the secret containing the Access Key ID. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKey: - description: SecretAccessKey is the reference to the secret containing the Secret Access Key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - token: - description: Token is the reference to the secret containing the STS(Security Token Service) Token. - properties: - key: - description: |- - A key in the referenced Secret. 
- Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyID - - secretAccessKey - type: object - type: object - region: - description: Region specifies the Volcengine region to connect to. - type: string - required: - - region - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - auth: - description: Auth specifies a authorization protocol. Only one protocol may be set. - maxProperties: 1 - minProperties: 1 - properties: - ntlm: - description: NTLMProtocol configures the store to use NTLM for auth - properties: - passwordSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - usernameSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecret - - usernameSecret - type: object - type: object - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: The namespace the Provider type is in. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - description: WebhookSecret defines a secret that will be passed to the webhook request. - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex.Cloud - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - fetching: - description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name - maxProperties: 1 - minProperties: 1 - properties: - byID: - description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID. - type: object - byName: - description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name. - properties: - folderID: - description: The folder to fetch secrets from - type: string - required: - - folderID - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex.Cloud - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - fetching: - description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name - maxProperties: 1 - minProperties: 1 - properties: - byID: - description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID. 
- type: object - byName: - description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name. - properties: - folderID: - description: The folder to fetch secrets from - type: string - required: - - folderID - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - description: SecretStoreStatusCondition contains condition information for a SecretStore. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: SecretStoreConditionType represents the condition of the SecretStore. 
- type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - deprecated: true - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. 
- properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessType: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessTypeParam: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. 
- properties: - rrsa: - description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication). - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster. - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. 
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - description: Tag defines a tag key and value for AWS resources. - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. 
- The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - beyondtrust: - description: Beyondtrust configures this store to sync secrets using Password Safe provider. - properties: - auth: - description: Auth configures how the operator authenticates with Beyondtrust. - properties: - apiKey: - description: APIKey If not provided then ClientID/ClientSecret become required. 
- properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - certificate: - description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - certificateKey: - description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientId: - description: ClientID is the API OAuth Client ID. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the API OAuth Client Secret. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - type: object - server: - description: Auth configures how API server works. - properties: - apiUrl: - type: string - apiVersion: - type: string - clientTimeOutSeconds: - description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds. - type: integer - retrievalType: - description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system. - type: string - separator: - description: A character that separates the folder names. 
- type: string - verifyCA: - type: boolean - required: - - apiUrl - - verifyCA - type: object - required: - - auth - - server - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - caProvider: - description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - cloudrusm: - description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider - properties: - auth: - description: CSMAuth contains a secretRef for credentials. - properties: - secretRef: - description: CSMAuthSecretRef holds secret references for Cloud.ru credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - projectID: - description: ProjectID is the project, which the secrets are stored in. - type: string - required: - - auth - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - description: Defines authentication settings for connecting to Conjur. - properties: - apikey: - description: Authenticates with Conjur using an API key. - properties: - account: - description: Account is the Conjur organization account name. - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' containing the Conjur API key - within a Secret resource. In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' containing the Conjur username - within a Secret resource. In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - description: Jwt enables JWT authentication using Kubernetes service account tokens. - properties: - account: - description: Account is the Conjur organization account name. - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate. - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. 
- properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - description: URL is the endpoint of the Conjur instance. - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. 
- properties: - secretRef: - description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider. - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider. - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - description: FakeProviderData defines a key-value pair for the fake provider used in testing. - properties: - key: - type: string - value: - type: string - version: - type: string - required: - - key - - value - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. 
- properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider. - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - workloadIdentity: - description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication. - properties: - clusterLocation: - description: |- - ClusterLocation is the location of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterName: - description: |- - ClusterName is the name of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterProjectID: - description: |- - ClusterProjectID is the project ID of the cluster - If not specified, it fetches information from the metadata server - type: string - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - github: - description: Github configures this store to push Github Action secrets using Github API provider - properties: - appID: - description: appID specifies the Github APP that will be used to authenticate the client - format: int64 - type: integer - auth: - description: auth configures how secret-manager authenticates with a Github instance. - properties: - privateKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - privateKey - type: object - environment: - description: environment will be used to fetch secrets from a particular environment within a github repository - type: string - installationID: - description: installationID specifies the Github APP installation that will be used to authenticate the client - format: int64 - type: integer - organization: - description: organization will be used to fetch secrets from the Github organization - type: string - repository: - description: repository will be used to fetch secrets from the Github repository within an organization - type: string - uploadURL: - description: Upload URL for enterprise instances. Default to URL. - type: string - url: - default: https://github.com/ - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installationID - - organization - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider. - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - SecretRef - type: object - caBundle: - description: |- - Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. 
- type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider. - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth. - properties: - clientId: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api". - type: string - secretsScope: - description: SecretsScope defines the scope of the secrets within the workspace - properties: - environmentSlug: - description: EnvironmentSlug is the required slug identifier for the environment. - type: string - expandSecretReferences: - default: true - description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided. - type: boolean - projectSlug: - description: ProjectSlug is the required slug identifier for the project. - type: string - recursive: - default: false - description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided. - type: boolean - secretsPath: - default: / - description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided. 
- type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - clientKey: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. 
- type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - description: PassboltProvider defines configuration for the Passbolt provider. - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: PasswordSecretRef is a reference to the secret containing the Passbolt password - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - privateKeySecretRef: - description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider. - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - previder: - description: Previder configures this store to sync secrets using the Previder provider - properties: - auth: - description: PreviderAuth contains a secretRef for credentials. - properties: - secretRef: - description: PreviderAuthSecretRef holds secret references for Previder Vault credentials. - properties: - accessToken: - description: The AccessToken is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - accessToken - type: object - type: object - baseUri: - type: string - required: - - auth - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/esc - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". 
- type: string - project: - description: Project is the name of the Pulumi ESC project the environment belongs to. - type: string - required: - - accessToken - - environment - - organization - - project - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. 
- Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. 
- properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. 
- format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. 
If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is an LDAP username used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: userpass - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "userpass" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is a username used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. 
- properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. 
- type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - auth: - description: Auth specifies a authorization protocol. Only one protocol may be set. - maxProperties: 1 - minProperties: 1 - properties: - ntlm: - description: NTLMProtocol configures the store to use NTLM for auth - properties: - passwordSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. 
- Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - usernameSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecret - - usernameSecret - type: object - type: object - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. 
- format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: The namespace the Provider type is in. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - description: WebhookSecret defines a secret to be used in webhook templates. - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. 
- properties: - certSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - description: MaxRetries is the maximum number of retry attempts. - format: int32 - type: integer - retryInterval: - description: RetryInterval is the interval between retry attempts. - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. 
- type: string - conditions: - items: - description: SecretStoreStatusCondition defines the observed condition of the SecretStore. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: SecretStoreConditionType represents the condition type of the SecretStore. - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: false - storage: false - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/sshkey.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: sshkeys.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: SSHKey - listKind: SSHKeyList - plural: sshkeys - singular: sshkey - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: SSHKey generates SSH key pairs. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SSHKeySpec controls the behavior of the ssh key generator. - properties: - comment: - description: Comment specifies an optional comment for the SSH key - type: string - keySize: - description: |- - KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256). - For RSA keys: 2048, 3072, 4096 - For ECDSA keys: 256, 384, 521 - Ignored for ed25519 keys - maximum: 8192 - minimum: 256 - type: integer - keyType: - default: rsa - description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519) - enum: - - rsa - - ecdsa - - ed25519 - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/stssessiontoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: stssessiontokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: STSSessionToken - listKind: STSSessionTokenList - plural: stssessiontokens - singular: stssessiontoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - STSSessionToken uses the GetSessionToken API to retrieve an authorization token. - The authorization token is valid for 12 hours. - The authorizationToken returned is a base64 encoded string that can be decoded. - For more information, see GetSessionToken (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. 
- Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token. - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - requestParameters: - description: RequestParameters contains parameters that can be passed to the STS service. - properties: - serialNumber: - description: |- - SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making - the GetSessionToken call. - Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device - (such as arn:aws:iam::123456789012:mfa/user) - type: string - sessionDuration: - format: int32 - type: integer - tokenCode: - description: TokenCode is the value provided by the MFA device, if MFA is required. - type: string - type: object - role: - description: |- - You can assume a role before making calls to the - desired AWS service. 
- type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/uuid.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: uuids.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: UUID - listKind: UUIDList - plural: uuids - singular: uuid - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: UUID generates a version 1 UUID (e56657e3-764f-11ef-a397-65231a88c216). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: UUIDSpec controls the behavior of the uuid generator. 
- type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: VaultDynamicSecret represents a generator that can create dynamic secrets from HashiCorp Vault. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret. - properties: - allowEmptyResponse: - default: false - description: Do not fail if no secrets are found. Useful for requests where no data is expected. 
- type: boolean - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. 
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - path: - default: cert - description: |- - Path where the Certificate authentication backend is mounted - in Vault, e.g: "cert" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - gcp: - description: |- - Gcp authenticates with Vault using Google Cloud Platform authentication method - GCP authentication method - properties: - location: - description: Location optionally defines a location/region for the secret - type: string - path: - default: gcp - description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"' - type: string - projectID: - description: Project ID of the Google Cloud Platform project - type: string - role: - description: Vault Role. 
In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine. - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - serviceAccountRef: - description: ServiceAccountRef to a service account for impersonation - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - workloadIdentity: - description: Specify a service account with Workload Identity - properties: - clusterLocation: - description: |- - ClusterLocation is the location of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterName: - description: |- - ClusterName is the name of the cluster - If not specified, it fetches information from the metadata server - type: string - clusterProjectID: - description: |- - ClusterProjectID is the project ID of the cluster - If not specified, it fetches information from the metadata server - type: string - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - required: - - role - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: ServiceAccountSelector is a reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. 
- Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. 
- Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - Namespace of the resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. 
- maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is an LDAP username used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: userpass - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "userpass" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - username: - description: |- - Username is a username used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. 
- properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - checkAndSet: - description: |- - CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations. - Only applies to Vault KV v2 stores. When enabled, write operations must include - the current version of the secret to prevent unintentional overwrites. - properties: - required: - description: |- - Required when true, all write operations must include a check-and-set parameter. - This helps prevent unintentional overwrites of secrets. - type: boolean - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". 
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - server - type: object - resultType: - default: Data - description: |- - Result type defines which data is returned from the generator. - By default, it is the "data" section of the Vault API response. - When using e.g. /auth/token/create the "data" section is empty but - the "auth" section contains the generated token. 
- Please refer to the vault docs regarding the result data structure. - Additionally, accessing the raw response is possibly by using "Raw" result type. - enum: - - Data - - Auth - - Raw - type: string - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/crds/webhook.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: webhooks.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - external-secrets - - external-secrets-generators - kind: Webhook - listKind: WebhookList - plural: webhooks - singular: webhook - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Webhook connects to a third party API server to handle the secrets generation - configuration parameters in spec. - You can specify the server, the token, and additional body parameters. - See documentation for the full API specification for requests and responses. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. - properties: - auth: - description: Auth specifies a authorization protocol. Only one protocol may be set. - maxProperties: 1 - minProperties: 1 - properties: - ntlm: - description: NTLMProtocol configures the store to use NTLM for auth - properties: - passwordSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - usernameSecret: - description: |- - SecretKeySelector is a reference to a specific 'key' within a Secret resource. - In some instances, `key` is a required field. - properties: - key: - description: |- - A key in the referenced Secret. - Some instances of this field may be defaulted, in others it may be required. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: |- - The namespace of the Secret resource being referred to. - Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: object - required: - - passwordSecret - - usernameSecret - type: object - type: object - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the object located at the provider type. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - namespace: - description: The namespace the Provider type is in. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - description: WebhookSecret defines a secret reference that will be used in webhook templates. - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key where the token is found. - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: The name of the Secret resource being referred to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: external-secrets-cert-controller - labels: - - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - verbs: - - "list" - - "watch" - - "get" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - resourceNames: - - "secretstore-validate" - - "externalsecret-validate" - verbs: - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "endpoints" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "discovery.k8s.io" - resources: - - "endpointslices" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: external-secrets/charts/external-secrets/templates/rbac.yaml 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: external-secrets-controller - labels: - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "secretstores" - - "clustersecretstores" - - "externalsecrets" - - "clusterexternalsecrets" - - "pushsecrets" - - "clusterpushsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "externalsecrets/status" - - "externalsecrets/finalizers" - - "secretstores" - - "secretstores/status" - - "secretstores/finalizers" - - "clustersecretstores" - - "clustersecretstores/status" - - "clustersecretstores/finalizers" - - "clusterexternalsecrets" - - "clusterexternalsecrets/status" - - "clusterexternalsecrets/finalizers" - - "pushsecrets" - - "pushsecrets/status" - - "pushsecrets/finalizers" - - "clusterpushsecrets" - - "clusterpushsecrets/status" - - "clusterpushsecrets/finalizers" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "generatorstates" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "patch" - - "delete" - - "deletecollection" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "cloudsmithaccesstokens" - - "clustergenerators" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "quayaccesstokens" - - "passwords" - - "sshkeys" - - "stssessiontokens" - - "uuids" - - "vaultdynamicsecrets" - - "webhooks" - - "grafanas" - - "mfas" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "serviceaccounts" - - "namespaces" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "namespaces" - verbs: - - 
"update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "delete" - - "patch" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "create" - - "update" - - "delete" - - apiGroups: - - "external-secrets.io" - resources: - - "pushsecrets" - verbs: - - "create" - - "update" - - "delete" ---- -# Source: external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: external-secrets-view - labels: - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - - "clusterpushsecrets" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "cloudsmithaccesstokens" - - "clustergenerators" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "quayaccesstokens" - - "passwords" - - "sshkeys" - - "vaultdynamicsecrets" - - "webhooks" - - "grafanas" - - "generatorstates" - - "mfas" - - "uuids" - verbs: - - "get" - - "watch" - - "list" ---- -# Source: external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: 
ClusterRole -metadata: - name: external-secrets-edit - labels: - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - - "clusterpushsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "cloudsmithaccesstokens" - - "clustergenerators" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "quayaccesstokens" - - "passwords" - - "sshkeys" - - "vaultdynamicsecrets" - - "webhooks" - - "grafanas" - - "generatorstates" - - "mfas" - - "uuids" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" ---- -# Source: external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: external-secrets-servicebindings - labels: - servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "pushsecrets" - verbs: - - "get" - - "list" - - "watch" ---- -# Source: external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: external-secrets-cert-controller - labels: - - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: 
external-secrets-cert-controller - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: external-secrets-cert-controller -subjects: - - name: external-secrets-cert-controller - namespace: external-secrets - kind: ServiceAccount ---- -# Source: external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: external-secrets-controller - labels: - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: external-secrets-controller -subjects: - - name: external-secrets - namespace: external-secrets - kind: ServiceAccount ---- -# Source: external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: external-secrets-leaderelection - namespace: external-secrets - labels: - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - "configmaps" - resourceNames: - - "external-secrets-controller" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "create" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: external-secrets-leaderelection - namespace: external-secrets - labels: - helm.sh/chart: 
external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: external-secrets-leaderelection -subjects: - - kind: ServiceAccount - name: external-secrets - namespace: external-secrets ---- -# Source: external-secrets/charts/external-secrets/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: external-secrets-webhook - namespace: external-secrets - labels: - - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook - -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: webhook - protocol: TCP - name: webhook - selector: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: external-secrets ---- -# Source: external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: external-secrets-cert-controller - namespace: external-secrets - labels: - - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: external-secrets - template: - metadata: - labels: - - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: 
external-secrets-cert-controller - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: cert-controller - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - image: ghcr.io/external-secrets/external-secrets:v1.1.0 - imagePullPolicy: IfNotPresent - args: - - certcontroller - - --crd-requeue-interval=5m - - --service-name=external-secrets-webhook - - --service-namespace=external-secrets - - --secret-name=external-secrets-webhook - - --secret-namespace=external-secrets - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - - --enable-partial-cache=true - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: external-secrets/charts/external-secrets/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: external-secrets - namespace: external-secrets - labels: - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: external-secrets - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: external-secrets - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - 
readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - image: ghcr.io/external-secrets/external-secrets:v1.1.0 - imagePullPolicy: IfNotPresent - args: - - --concurrent=1 - - --metrics-addr=:8080 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - dnsPolicy: ClusterFirst ---- -# Source: external-secrets/charts/external-secrets/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: external-secrets-webhook - namespace: external-secrets - labels: - - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: external-secrets - template: - metadata: - labels: - - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm - spec: - hostNetwork: false - serviceAccountName: external-secrets-webhook - automountServiceAccountToken: true - containers: - - name: webhook - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - image: ghcr.io/external-secrets/external-secrets:v1.1.0 - imagePullPolicy: IfNotPresent - args: - - webhook - - --port=10250 - - --dns-name=external-secrets-webhook.external-secrets.svc - - --cert-dir=/tmp/certs - - --check-interval=5m - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - 
containerPort: 10250 - protocol: TCP - name: webhook - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 - volumeMounts: - - name: certs - mountPath: /tmp/certs - readOnly: true - volumes: - - name: certs - secret: - secretName: external-secrets-webhook ---- -# Source: external-secrets/templates/cluster-secret-store.yaml -apiVersion: external-secrets.io/v1 -kind: ClusterSecretStore -metadata: - name: vault - namespace: external-secrets - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/part-of: external-secrets -spec: - provider: - vault: - server: http://vault-internal.vault:8200 - path: secret - auth: - tokenSecretRef: - namespace: vault - name: vault-token - key: token ---- -# Source: external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: secretstore-validate - labels: - - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -webhooks: -- name: "validate.secretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["secretstores"] - scope: "Namespaced" - clientConfig: - service: - namespace: external-secrets - name: external-secrets-webhook - path: /validate-external-secrets-io-v1-secretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - -- name: "validate.clustersecretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["clustersecretstores"] - scope: "Cluster" - clientConfig: - service: - namespace: 
external-secrets - name: external-secrets-webhook - path: /validate-external-secrets-io-v1-clustersecretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -# Source: external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: externalsecret-validate - labels: - - helm.sh/chart: external-secrets-1.1.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: external-secrets - app.kubernetes.io/version: "v1.1.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -webhooks: -- name: "validate.externalsecret.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["externalsecrets"] - scope: "Namespaced" - clientConfig: - service: - namespace: external-secrets - name: external-secrets-webhook - path: /validate-external-secrets-io-v1-externalsecret - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - failurePolicy: Fail diff --git a/clusters/cl01tl/manifests/freshrss/freshrss.yaml b/clusters/cl01tl/manifests/freshrss/freshrss.yaml deleted file mode 100644 index 5cb75d5c1..000000000 --- a/clusters/cl01tl/manifests/freshrss/freshrss.yaml +++ /dev/null 
@@ -1,1085 +0,0 @@ ---- -# Source: freshrss/charts/freshrss/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: freshrss-data - labels: - app.kubernetes.io/instance: freshrss - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: freshrss - helm.sh/chart: freshrss-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: freshrss -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: freshrss/charts/freshrss/templates/common.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: freshrss-extensions - labels: - app.kubernetes.io/instance: freshrss - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: freshrss - helm.sh/chart: freshrss-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: freshrss -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "1Gi" - storageClassName: "ceph-block" ---- -# Source: freshrss/charts/freshrss/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: freshrss - labels: - app.kubernetes.io/instance: freshrss - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: freshrss - app.kubernetes.io/service: freshrss - helm.sh/chart: freshrss-4.4.0 - namespace: freshrss -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 80 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: freshrss - app.kubernetes.io/name: freshrss ---- -# Source: freshrss/charts/cloudflared/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: freshrss-cloudflared - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: freshrss - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cloudflared - app.kubernetes.io/version: 2025.10.0 - helm.sh/chart: cloudflared-1.23.1 - namespace: freshrss -spec: - revisionHistoryLimit: 3 - replicas: 1 - 
strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: cloudflared - app.kubernetes.io/instance: freshrss - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: freshrss - app.kubernetes.io/name: cloudflared - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - tunnel - - --protocol - - http2 - - --no-autoupdate - - run - - --token - - $(CF_MANAGED_TUNNEL_TOKEN) - env: - - name: CF_MANAGED_TUNNEL_TOKEN - valueFrom: - secretKeyRef: - key: cf-tunnel-token - name: freshrss-cloudflared-secret - image: cloudflare/cloudflared:2025.11.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: freshrss/charts/freshrss/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: freshrss - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: freshrss - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: freshrss - helm.sh/chart: freshrss-4.4.0 - namespace: freshrss -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: freshrss - app.kubernetes.io/instance: freshrss - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: freshrss - app.kubernetes.io/name: freshrss - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - initContainers: - - command: - - /bin/sh - - -ec - - | - apk add --no-cache git; - cd /tmp; - git clone -n --depth=1 --filter=tree:0 https://github.com/cn-tools/cntools_FreshRssExtensions.git; - cd 
cntools_FreshRssExtensions; - git sparse-checkout set --no-cone /xExtension-YouTubeChannel2RssFeed; - git checkout; - rm -rf /var/www/FreshRSS/extensions/xExtension-YouTubeChannel2RssFeed - cp -r xExtension-YouTubeChannel2RssFeed /var/www/FreshRSS/extensions - chown -R 568:568 /var/www/FreshRSS/extensions/xExtension-YouTubeChannel2RssFeed - image: alpine:3.23.0 - imagePullPolicy: IfNotPresent - name: init-download-extension-1 - resources: - requests: - cpu: 10m - memory: 128Mi - securityContext: - runAsUser: 0 - volumeMounts: - - mountPath: /var/www/FreshRSS/extensions - name: extensions - - command: - - /bin/sh - - -ec - - | - apk add --no-cache git; - cd /tmp; - git clone -n --depth=1 --filter=tree:0 https://github.com/FreshRSS/Extensions.git; - cd Extensions; - git sparse-checkout set --no-cone /xExtension-ImageProxy; - git checkout; - rm -rf /var/www/FreshRSS/extensions/xExtension-ImageProxy - cp -r xExtension-ImageProxy /var/www/FreshRSS/extensions - chown -R 568:568 /var/www/FreshRSS/extensions/xExtension-ImageProxy - image: alpine:3.23.0 - imagePullPolicy: IfNotPresent - name: init-download-extension-2 - resources: - requests: - cpu: 10m - memory: 128Mi - securityContext: - runAsUser: 0 - volumeMounts: - - mountPath: /var/www/FreshRSS/extensions - name: extensions - - command: - - /bin/sh - - -ec - - | - cd /tmp; - wget https://github.com/zimmra/xExtension-karakeep-button/archive/refs/tags/v1.1.tar.gz; - tar -xvzf *.tar.gz; - rm -rf /var/www/FreshRSS/extensions/xExtension-karakeep-button - mkdir /var/www/FreshRSS/extensions/xExtension-karakeep-button - cp -r /tmp/xExtension-karakeep-button-*/* /var/www/FreshRSS/extensions/xExtension-karakeep-button - chown -R 568:568 /var/www/FreshRSS/extensions/xExtension-karakeep-button - image: alpine:3.23.0 - imagePullPolicy: IfNotPresent - name: init-download-extension-3 - resources: - requests: - cpu: 10m - memory: 128Mi - securityContext: - runAsUser: 0 - volumeMounts: - - mountPath: /var/www/FreshRSS/extensions - 
name: extensions - containers: - - env: - - name: PGID - value: "568" - - name: PUID - value: "568" - - name: TZ - value: US/Central - - name: FRESHRSS_ENV - value: production - - name: CRON_MIN - value: 13,43 - - name: BASE_URL - value: https://rss.alexlebens.dev - - name: DB_HOST - valueFrom: - secretKeyRef: - key: host - name: freshrss-postgresql-17-cluster-app - - name: DB_BASE - valueFrom: - secretKeyRef: - key: dbname - name: freshrss-postgresql-17-cluster-app - - name: DB_USER - valueFrom: - secretKeyRef: - key: user - name: freshrss-postgresql-17-cluster-app - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: freshrss-postgresql-17-cluster-app - - name: FRESHRSS_INSTALL - value: | - --api-enabled - --base-url $(BASE_URL) - --db-base $(DB_BASE) - --db-host $(DB_HOST) - --db-password $(DB_PASSWORD) - --db-type pgsql - --db-user $(DB_USER) - --auth-type http_auth - --default-user admin - --language en - - name: FRESHRSS_USER - value: | - --api-password $(ADMIN_API_PASSWORD) - --email $(ADMIN_EMAIL) - --language en - --password $(ADMIN_PASSWORD) - --user admin - - name: OIDC_ENABLED - value: "1" - - name: OIDC_PROVIDER_METADATA_URL - value: https://auth.alexlebens.dev/application/o/freshrss/.well-known/openid-configuration - - name: OIDC_X_FORWARDED_HEADERS - value: X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host - - name: OIDC_SCOPES - value: openid email profile - - name: OIDC_REMOTE_USER_CLAIM - value: preferred_username - envFrom: - - secretRef: - name: freshrss-oidc-secret - - secretRef: - name: freshrss-install-secret - image: freshrss/freshrss:1.27.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /var/www/FreshRSS/data - name: data - - mountPath: /var/www/FreshRSS/extensions - name: extensions - volumes: - - name: data - persistentVolumeClaim: - claimName: freshrss-data - - name: extensions - persistentVolumeClaim: - claimName: freshrss-extensions 
---- -# Source: freshrss/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: freshrss-postgresql-17-cluster - namespace: freshrss - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: freshrss-postgresql-17 - app.kubernetes.io/instance: freshrss - app.kubernetes.io/part-of: freshrss - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "freshrss-postgresql-17-external-backup" - serverName: "freshrss-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "freshrss-postgresql-17-garage-local-backup" - serverName: "freshrss-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "freshrss-postgresql-17-recovery" - serverName: freshrss-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: freshrss-postgresql-17-backup-1 - - externalClusters: - - name: freshrss-postgresql-17-backup-1 - 
plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "freshrss-postgresql-17-recovery" - serverName: freshrss-postgresql-17-backup-1 ---- -# Source: freshrss/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: freshrss-install-secret - namespace: freshrss - labels: - app.kubernetes.io/name: freshrss-install-secret - app.kubernetes.io/instance: freshrss - app.kubernetes.io/part-of: freshrss -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ADMIN_EMAIL - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/freshrss/config - metadataPolicy: None - property: ADMIN_EMAIL - - secretKey: ADMIN_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/freshrss/config - metadataPolicy: None - property: ADMIN_PASSWORD - - secretKey: ADMIN_API_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/freshrss/config - metadataPolicy: None - property: ADMIN_API_PASSWORD ---- -# Source: freshrss/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: freshrss-oidc-secret - namespace: freshrss - labels: - app.kubernetes.io/name: freshrss-oidc-secret - app.kubernetes.io/instance: freshrss - app.kubernetes.io/part-of: freshrss -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: OIDC_CLIENT_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/freshrss - metadataPolicy: None - property: client - - secretKey: OIDC_CLIENT_SECRET - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/freshrss - metadataPolicy: None - property: secret - - secretKey: OIDC_CLIENT_CRYPTO_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/freshrss 
- metadataPolicy: None - property: crypto-key ---- -# Source: freshrss/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: freshrss-cloudflared-secret - namespace: freshrss - labels: - app.kubernetes.io/name: freshrss-cloudflared-secret - app.kubernetes.io/instance: freshrss - app.kubernetes.io/part-of: freshrss -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: cf-tunnel-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/tunnels/freshrss - metadataPolicy: None - property: token ---- -# Source: freshrss/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: freshrss-data-backup-secret - namespace: freshrss - labels: - app.kubernetes.io/name: freshrss-data-backup-secret - app.kubernetes.io/instance: freshrss - app.kubernetes.io/part-of: freshrss -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/freshrss/freshrss-data" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: 
Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: freshrss/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: freshrss-postgresql-17-cluster-backup-secret - namespace: freshrss - labels: - app.kubernetes.io/name: freshrss-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: freshrss - app.kubernetes.io/part-of: freshrss -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: freshrss/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: freshrss-postgresql-17-cluster-backup-secret-garage - namespace: freshrss - labels: - app.kubernetes.io/name: freshrss-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: freshrss - app.kubernetes.io/part-of: freshrss -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: 
freshrss/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "freshrss-postgresql-17-external-backup" - namespace: freshrss - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: freshrss-postgresql-17 - app.kubernetes.io/instance: freshrss - app.kubernetes.io/part-of: freshrss - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/freshrss/freshrss-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: freshrss-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: freshrss-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: freshrss/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "freshrss-postgresql-17-garage-local-backup" - namespace: freshrss - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: freshrss-postgresql-17 - app.kubernetes.io/instance: freshrss - app.kubernetes.io/part-of: freshrss - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: freshrss-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: freshrss-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: freshrss-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: freshrss/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: 
"freshrss-postgresql-17-recovery" - namespace: freshrss - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: freshrss-postgresql-17 - app.kubernetes.io/instance: freshrss - app.kubernetes.io/part-of: freshrss - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: freshrss-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: freshrss-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: freshrss/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: freshrss-postgresql-17-alert-rules - namespace: freshrss - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: freshrss-postgresql-17 - app.kubernetes.io/instance: freshrss - app.kubernetes.io/part-of: freshrss - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/freshrss-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: freshrss - cnpg_cluster: freshrss-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. 
- description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: freshrss - cnpg_cluster: freshrss-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="freshrss"} - cnpg_pg_replication_is_wal_receiver_up{namespace="freshrss"}) < 1 - for: 5m - labels: - severity: critical - namespace: freshrss - cnpg_cluster: freshrss-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. 
The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="freshrss"} - cnpg_pg_replication_is_wal_receiver_up{namespace="freshrss"}) < 2 - for: 5m - labels: - severity: warning - namespace: freshrss - cnpg_cluster: freshrss-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "freshrss/freshrss-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="freshrss", pod=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="freshrss", pod=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: freshrss - cnpg_cluster: freshrss-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "freshrss/freshrss-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="freshrss", pod=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="freshrss", pod=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: freshrss - cnpg_cluster: freshrss-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "freshrss/freshrss-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="freshrss",pod=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: freshrss - cnpg_cluster: freshrss-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "freshrss/freshrss-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="freshrss", pod=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: freshrss - cnpg_cluster: freshrss-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: freshrss - cnpg_cluster: freshrss-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "freshrss/freshrss-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="freshrss", persistentvolumeclaim=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="freshrss", persistentvolumeclaim=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="freshrss", persistentvolumeclaim=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="freshrss", persistentvolumeclaim=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="freshrss", persistentvolumeclaim=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="freshrss", persistentvolumeclaim=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: freshrss - cnpg_cluster: freshrss-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "freshrss/freshrss-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="freshrss", persistentvolumeclaim=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="freshrss", persistentvolumeclaim=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="freshrss", persistentvolumeclaim=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="freshrss", persistentvolumeclaim=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="freshrss", persistentvolumeclaim=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="freshrss", persistentvolumeclaim=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: freshrss - cnpg_cluster: freshrss-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "freshrss/freshrss-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="freshrss",pod=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: freshrss - cnpg_cluster: freshrss-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: freshrss - cnpg_cluster: freshrss-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: freshrss - cnpg_cluster: freshrss-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: freshrss - cnpg_cluster: freshrss-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "freshrss/freshrss-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="freshrss", pod=~"freshrss-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: freshrss - cnpg_cluster: freshrss-postgresql-17-cluster ---- -# Source: freshrss/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: freshrss-data-backup-source - namespace: freshrss - labels: - app.kubernetes.io/name: freshrss-data-backup-source - app.kubernetes.io/instance: freshrss - app.kubernetes.io/part-of: freshrss -spec: - sourcePVC: freshrss-data - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: freshrss-data-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - moverSecurityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch - supplementalGroups: - - 44 - - 100 - - 109 - - 65539 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: freshrss/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "freshrss-postgresql-17-daily-backup-scheduled-backup" - namespace: freshrss - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: freshrss-postgresql-17 - app.kubernetes.io/instance: freshrss - app.kubernetes.io/part-of: freshrss - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: freshrss-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: 
barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "freshrss-postgresql-17-external-backup" ---- -# Source: freshrss/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "freshrss-postgresql-17-live-backup-scheduled-backup" - namespace: freshrss - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: freshrss-postgresql-17 - app.kubernetes.io/instance: freshrss - app.kubernetes.io/part-of: freshrss - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: freshrss-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "freshrss-postgresql-17-garage-local-backup" diff --git a/clusters/cl01tl/manifests/garage/garage.yaml b/clusters/cl01tl/manifests/garage/garage.yaml deleted file mode 100644 index 2d0726004..000000000 --- a/clusters/cl01tl/manifests/garage/garage.yaml +++ /dev/null 
@@ -1,430 +0,0 @@ ---- -# Source: garage/charts/garage/templates/common.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: garage - labels: - app.kubernetes.io/instance: garage - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: garage - helm.sh/chart: garage-4.4.0 - namespace: garage -data: - garage.toml: | - replication_factor = 1 - - metadata_dir = "/var/lib/garage/meta" - data_dir = "/var/lib/garage/data" - metadata_snapshots_dir = "/var/lib/garage/snapshots" - - db_engine = "lmdb" - - metadata_auto_snapshot_interval = "6h" - - compression_level = 3 - - rpc_bind_addr = "[::]:3901" - rpc_public_addr = "127.0.0.1:3901" - - allow_world_readable_secrets = false - - [s3_api] - s3_region = "us-east-1" - api_bind_addr = "[::]:3900" - root_domain = ".garage-s3.alexlebens.net" - - [s3_web] - bind_addr = "[::]:3902" - root_domain = ".garage-s3.alexlebens.net" - - [admin] - api_bind_addr = "[::]:3903" - metrics_require_token = true ---- -# Source: garage/charts/garage/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: garage-data - labels: - app.kubernetes.io/instance: garage - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: garage - helm.sh/chart: garage-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: garage -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "800Gi" - storageClassName: "synology-iscsi-delete" ---- -# Source: garage/charts/garage/templates/common.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: garage-db - labels: - app.kubernetes.io/instance: garage - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: garage - helm.sh/chart: garage-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: garage -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "10Gi" - storageClassName: "ceph-block" ---- -# Source: garage/charts/garage/templates/common.yaml -kind: PersistentVolumeClaim 
-apiVersion: v1 -metadata: - name: garage-snapshots - labels: - app.kubernetes.io/instance: garage - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: garage - helm.sh/chart: garage-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: garage -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "50Gi" - storageClassName: "synology-iscsi-delete" ---- -# Source: garage/charts/garage/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: garage-main - labels: - app.kubernetes.io/instance: garage - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: garage - app.kubernetes.io/service: garage-main - helm.sh/chart: garage-4.4.0 - namespace: garage -spec: - type: ClusterIP - ports: - - port: 3903 - targetPort: 3903 - protocol: TCP - name: admin - - port: 3901 - targetPort: 3901 - protocol: TCP - name: rpc - - port: 3900 - targetPort: 3900 - protocol: TCP - name: s3 - - port: 3902 - targetPort: 3902 - protocol: TCP - name: web - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: garage - app.kubernetes.io/name: garage ---- -# Source: garage/charts/garage/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: garage-webui - labels: - app.kubernetes.io/instance: garage - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: garage - app.kubernetes.io/service: garage-webui - helm.sh/chart: garage-4.4.0 - namespace: garage -spec: - type: ClusterIP - ports: - - port: 3909 - targetPort: 3909 - protocol: TCP - name: webui - selector: - app.kubernetes.io/controller: webui - app.kubernetes.io/instance: garage - app.kubernetes.io/name: garage ---- -# Source: garage/charts/garage/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: garage-main - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: garage - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: garage - helm.sh/chart: garage-4.4.0 - 
namespace: garage -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: garage - app.kubernetes.io/instance: garage - template: - metadata: - annotations: - checksum/configMaps: aecb65cb46684688a356974d7ecaec4abb2d4fed3f71863780e7f35505c7af02 - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: garage - app.kubernetes.io/name: garage - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - envFrom: - - secretRef: - name: garage-token-secret - image: dxflrs/garage:v2.1.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /etc/garage.toml - mountPropagation: None - name: config - readOnly: true - subPath: garage.toml - - mountPath: /var/lib/garage/data - name: data - - mountPath: /var/lib/garage/meta - name: db - - mountPath: /var/lib/garage/snapshots - name: snapshots - volumes: - - configMap: - name: garage - name: config - - name: data - persistentVolumeClaim: - claimName: garage-data - - name: db - persistentVolumeClaim: - claimName: garage-db - - name: snapshots - persistentVolumeClaim: - claimName: garage-snapshots ---- -# Source: garage/charts/garage/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: garage-webui - labels: - app.kubernetes.io/controller: webui - app.kubernetes.io/instance: garage - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: garage - helm.sh/chart: garage-4.4.0 - namespace: garage -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: webui - app.kubernetes.io/name: garage - app.kubernetes.io/instance: garage - template: - metadata: - annotations: - 
checksum/configMaps: aecb65cb46684688a356974d7ecaec4abb2d4fed3f71863780e7f35505c7af02 - labels: - app.kubernetes.io/controller: webui - app.kubernetes.io/instance: garage - app.kubernetes.io/name: garage - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: API_BASE_URL - value: http://garage-main.garage:3903 - - name: S3_ENDPOINT_URL - value: http://garage-main.garage:3900 - - name: API_ADMIN_KEY - valueFrom: - secretKeyRef: - key: GARAGE_ADMIN_TOKEN - name: garage-token-secret - image: khairul169/garage-webui:1.1.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /etc/garage.toml - mountPropagation: None - name: config - readOnly: true - subPath: garage.toml - volumes: - - configMap: - name: garage - name: config ---- -# Source: garage/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: garage-token-secret - namespace: garage - labels: - app.kubernetes.io/name: garage-token-secret - app.kubernetes.io/instance: garage - app.kubernetes.io/part-of: garage -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: GARAGE_RPC_SECRET - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/garage/token - metadataPolicy: None - property: rpc - - secretKey: GARAGE_ADMIN_TOKEN - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/garage/token - metadataPolicy: None - property: admin - - secretKey: GARAGE_METRICS_TOKEN - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/garage/token - metadataPolicy: None - property: metric ---- -# Source: garage/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: 
http-route-garage-webui - namespace: garage - labels: - app.kubernetes.io/name: http-route-garage-webui - app.kubernetes.io/instance: garage - app.kubernetes.io/part-of: garage -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - garage-webui.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: garage-webui - port: 3909 - weight: 100 ---- -# Source: garage/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-garage-s3 - namespace: garage - labels: - app.kubernetes.io/name: http-route-garage-s3 - app.kubernetes.io/instance: garage - app.kubernetes.io/part-of: garage -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - garage-s3.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: garage-main - port: 3900 - weight: 100 ---- -# Source: garage/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: garage - namespace: garage - labels: - app.kubernetes.io/name: garage - app.kubernetes.io/instance: garage - app.kubernetes.io/part-of: garage -spec: - selector: - matchLabels: - app.kubernetes.io/name: garage - app.kubernetes.io/instance: garage - endpoints: - - port: admin - interval: 1m - scrapeTimeout: 30s - path: /metrics - bearerTokenSecret: - name: garage-token-secret - key: GARAGE_METRICS_TOKEN diff --git a/clusters/cl01tl/manifests/gatus/gatus.yaml b/clusters/cl01tl/manifests/gatus/gatus.yaml deleted file mode 100644 index 54ec20155..000000000 --- a/clusters/cl01tl/manifests/gatus/gatus.yaml +++ /dev/null 
@@ -1,1527 +0,0 @@ ---- -# Source: gatus/charts/gatus/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: gatus - namespace: gatus - labels: - helm.sh/chart: gatus-1.4.4 - app.kubernetes.io/name: gatus - app.kubernetes.io/instance: gatus - app.kubernetes.io/version: "v5.33.0" - app.kubernetes.io/managed-by: Helm -data: - config.yaml: | - alerting: - ntfy: - click: https://gatus.alexlebens.net - default-alert: - failure-threshold: 5 - send-on-resolved: true - priority: 3 - token: ${NTFY_TOKEN} - topic: gatus-alerts - url: http://ntfy.ntfy - connectivity: - checker: - interval: 60s - target: 1.1.1.1:53 - default-endpoint: - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - endpoints: - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 401' - group: core - interval: 30s - name: plex - url: http://plex.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: jellyfin - url: https://jellyfin.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: overseerr - url: https://overseerr.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: yamtrack - url: https://yamtrack.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: tubearchivist - url: https://tubearchivist.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: immich - url: https://immich.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - 
interval: 30s - name: photoview - url: https://photoview.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: audiobookshelf - url: https://audiobookshelf.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: home-assistant - url: https://home-assistant.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: actual - url: https://actual.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: ollama - url: https://ollama.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: searxng - url: https://searxng.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: roundcube - url: https://mail.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: kiwix - url: https://kiwix.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: gitea - url: https://gitea.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: home-assistant-code-server - url: https://home-assistant-code-server.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: argocd - url: https://argocd.alexlebens.net - - alerts: - - type: ntfy 
- conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: komodo - url: https://komodo.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: argo-workflows - url: https://argo-workflows.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: n8n - url: https://n8n.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: omni-tools - url: https://omni-tools.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: headlamp - url: https://headlamp.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: hubble - url: https://hubble.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: grafana - url: https://grafana.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: prometheus - url: https://prometheus.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: alertmanager - url: https://alertmanager.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: tautulli - url: https://tautulli.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: jellystat 
- url: https://jellystat.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: authentik - url: https://authentik.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: stalwart - url: https://stalwart.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: ntfy - url: https://ntfy.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: traefik-cl01tl - url: https://traefik-cl01tl.alexlebens.net/dashboard/#/ - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: harbor - url: https://harbor.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: unifi - url: https://unifi.alexlebens.net - - alerts: - - type: ntfy - client: - insecure: true - conditions: - - '[CONNECTED] == true' - group: core - interval: 30s - name: synology - url: https://synology.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - group: core - interval: 30s - name: hdhr - url: http://hdhr.alexlebens.net - - alerts: - - type: ntfy - client: - insecure: true - conditions: - - '[CONNECTED] == true' - group: core - interval: 30s - name: pikvm - url: https://pikvm.alexlebens.net/login/ - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - group: core - interval: 30s - name: shelly - url: http://it05sp.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: ceph - url: https://ceph.alexlebens.net - - 
alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: pgadmin - url: https://pgadmin.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: whodb - url: https://whodb.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: vault - url: https://vault.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: sonarr - url: https://sonarr.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: sonarr-4k - url: https://sonarr-4k.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: sonarr-anime - url: https://sonarr-anime.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: radarr - url: https://radarr.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: radarr-4k - url: https://radarr-4k.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: radarr-anime - url: https://radarr-anime.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: radarr-standup - url: https://radarr-standup.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - 
interval: 30s - name: lidarr - url: https://lidarr.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: lidatube - url: https://lidatube.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: slskd - url: https://slskd.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: qui - url: https://qui.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: qbittorrent - url: https://qbittorrent.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: prowlarr - url: https://prowlarr.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 401' - group: core - interval: 30s - name: bazarr - url: https://bazarr.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: huntarr - url: https://huntarr.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: core - interval: 30s - name: tdarr - url: https://tdarr.alexlebens.net - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: external - interval: 30s - name: www - url: https://www.alexlebens.dev - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: external - interval: 30s - name: directus - url: https://directus.alexlebens.dev - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: external - 
interval: 120s - name: postiz - url: https://postiz.alexlebens.dev - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: external - interval: 30s - name: matrix - url: https://chat.alexlebens.dev - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: external - interval: 30s - name: outline - url: https://wiki.alexlebens.dev - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: external - interval: 30s - name: vaultwarden - url: https://passwords.alexlebens.dev - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: external - interval: 30s - name: karakeep - url: https://karakeep.alexlebens.dev - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 401' - group: external - interval: 30s - name: freshrss - url: https://rss.alexlebens.dev/i/ - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: external - interval: 30s - name: gitea-external - url: https://gitea.alexlebens.dev - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: external - interval: 30s - name: codeserver - url: https://codeserver.alexlebens.dev - - alerts: - - type: ntfy - conditions: - - '[STATUS] == 200' - - '[CERTIFICATE_EXPIRATION] > 240h' - group: external - interval: 30s - name: public homepage - url: https://home.alexlebens.dev - - conditions: - - '[STATUS] == 200' - - '[RESPONSE_TIME] < 400' - group: public - interval: 10s - name: discord - url: https://discord.com/app - - conditions: - - '[STATUS] == 200' - - '[RESPONSE_TIME] < 400' - group: public - interval: 10s - name: reddit - url: https://reddit.com - metrics: true - security: - oidc: - client-id: ${OIDC_CLIENT_ID} - client-secret: ${OIDC_CLIENT_SECRET} - issuer-url: 
https://authentik.alexlebens.net/application/o/gatus/ - redirect-url: https://gatus.alexlebens.net/authorization-code/callback - scopes: - - openid - storage: - path: postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}?sslmode=disable - type: postgres ---- -# Source: gatus/charts/gatus/templates/pvc.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: gatus - namespace: gatus - labels: - helm.sh/chart: gatus-1.4.4 - app.kubernetes.io/name: gatus - app.kubernetes.io/instance: gatus - app.kubernetes.io/version: "v5.33.0" - app.kubernetes.io/managed-by: Helm - finalizers: - - kubernetes.io/pvc-protection -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "1Gi" - storageClassName: ceph-block ---- -# Source: gatus/charts/gatus/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: gatus - namespace: gatus - labels: - helm.sh/chart: gatus-1.4.4 - app.kubernetes.io/name: gatus - app.kubernetes.io/instance: gatus - app.kubernetes.io/version: "v5.33.0" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - name: http - port: 80 - targetPort: http - protocol: TCP - selector: - app.kubernetes.io/name: gatus - app.kubernetes.io/instance: gatus ---- -# Source: gatus/charts/gatus/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gatus - namespace: gatus - labels: - helm.sh/chart: gatus-1.4.4 - app.kubernetes.io/name: gatus - app.kubernetes.io/instance: gatus - app.kubernetes.io/version: "v5.33.0" - app.kubernetes.io/managed-by: Helm - annotations: - reloader.stakater.com/auto: "true" -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: gatus - app.kubernetes.io/instance: gatus - strategy: - type: Recreate - template: - metadata: - labels: - app.kubernetes.io/name: gatus - app.kubernetes.io/instance: gatus - annotations: - checksum/config: 
31c72cc890f0e181e18d8c8f38bec005f1ea27d18aeaebc241351d1e3d5dd21d - spec: - - serviceAccountName: default - automountServiceAccountToken: false - securityContext: - fsGroup: 65534 - containers: - - name: gatus - securityContext: - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - image: "ghcr.io/twin/gatus:v5.33.0" - imagePullPolicy: IfNotPresent - ports: - - name: http - containerPort: 8080 - protocol: TCP - env: - - name: "NTFY_TOKEN" - valueFrom: - secretKeyRef: - key: NTFY_TOKEN - name: gatus-config-secret - - name: "OIDC_CLIENT_ID" - valueFrom: - secretKeyRef: - key: OIDC_CLIENT_ID - name: gatus-oidc-secret - - name: "OIDC_CLIENT_SECRET" - valueFrom: - secretKeyRef: - key: OIDC_CLIENT_SECRET - name: gatus-oidc-secret - - name: "POSTGRES_DB" - valueFrom: - secretKeyRef: - key: dbname - name: gatus-postgresql-17-cluster-app - - name: "POSTGRES_HOST" - valueFrom: - secretKeyRef: - key: host - name: gatus-postgresql-17-cluster-app - - name: "POSTGRES_PASSWORD" - valueFrom: - secretKeyRef: - key: password - name: gatus-postgresql-17-cluster-app - - name: "POSTGRES_PORT" - valueFrom: - secretKeyRef: - key: port - name: gatus-postgresql-17-cluster-app - - name: "POSTGRES_USER" - valueFrom: - secretKeyRef: - key: username - name: gatus-postgresql-17-cluster-app - envFrom: - - configMapRef: - name: gatus - readinessProbe: - httpGet: - path: /health - port: http - livenessProbe: - httpGet: - path: /health - port: http - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - name: gatus-config - mountPath: /config - readOnly: true - - name: gatus-data - mountPath: /data - volumes: - - name: gatus-config - configMap: - name: gatus - - name: gatus-data - persistentVolumeClaim: - claimName: gatus ---- -# Source: gatus/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: gatus-postgresql-17-cluster - namespace: gatus - labels: - helm.sh/chart: 
postgres-17-cluster-6.16.1 - app.kubernetes.io/name: gatus-postgresql-17 - app.kubernetes.io/instance: gatus - app.kubernetes.io/part-of: gatus - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "gatus-postgresql-17-external-backup" - serverName: "gatus-postgresql-17-backup-2" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "gatus-postgresql-17-garage-local-backup" - serverName: "gatus-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "gatus-postgresql-17-recovery" - serverName: gatus-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: gatus-postgresql-17-backup-1 - - externalClusters: - - name: gatus-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "gatus-postgresql-17-recovery" - serverName: gatus-postgresql-17-backup-1 ---- -# Source: gatus/templates/external-secret.yaml -apiVersion: 
external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gatus-config-secret - namespace: gatus - labels: - app.kubernetes.io/name: gatus-config-secret - app.kubernetes.io/instance: gatus - app.kubernetes.io/part-of: gatus -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: NTFY_TOKEN - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /ntfy/user/cl01tl - metadataPolicy: None - property: token ---- -# Source: gatus/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gatus-oidc-secret - namespace: gatus - labels: - app.kubernetes.io/name: gatus-oidc-secret - app.kubernetes.io/instance: gatus - app.kubernetes.io/part-of: gatus -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: OIDC_CLIENT_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/gatus - metadataPolicy: None - property: client - - secretKey: OIDC_CLIENT_SECRET - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/gatus - metadataPolicy: None - property: secret ---- -# Source: gatus/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gatus-postgresql-17-cluster-backup-secret - namespace: gatus - labels: - app.kubernetes.io/name: gatus-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: gatus - app.kubernetes.io/part-of: gatus -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: 
gatus/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gatus-postgresql-17-cluster-backup-secret-garage - namespace: gatus - labels: - app.kubernetes.io/name: gatus-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: gatus - app.kubernetes.io/part-of: gatus -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: gatus/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-gatus - namespace: gatus - labels: - app.kubernetes.io/name: http-route-gatus - app.kubernetes.io/instance: gatus - app.kubernetes.io/part-of: gatus -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - gatus.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: gatus - port: 80 - weight: 100 ---- -# Source: gatus/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "gatus-postgresql-17-external-backup" - namespace: gatus - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: gatus-postgresql-17 - app.kubernetes.io/instance: gatus - app.kubernetes.io/part-of: gatus - app.kubernetes.io/version: "6.16.1" - 
app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gatus/gatus-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: gatus-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: gatus-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: gatus/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "gatus-postgresql-17-garage-local-backup" - namespace: gatus - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: gatus-postgresql-17 - app.kubernetes.io/instance: gatus - app.kubernetes.io/part-of: gatus - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/gatus/gatus-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: gatus-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: gatus-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: gatus-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: gatus/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "gatus-postgresql-17-recovery" - namespace: gatus - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: gatus-postgresql-17 - app.kubernetes.io/instance: gatus - app.kubernetes.io/part-of: gatus - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/gatus/gatus-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - 
maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: gatus-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: gatus-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: gatus/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: gatus-postgresql-17-alert-rules - namespace: gatus - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: gatus-postgresql-17 - app.kubernetes.io/instance: gatus - app.kubernetes.io/part-of: gatus - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/gatus-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: gatus - cnpg_cluster: gatus-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: gatus - cnpg_cluster: gatus-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. 
The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="gatus"} - cnpg_pg_replication_is_wal_receiver_up{namespace="gatus"}) < 1 - for: 5m - labels: - severity: critical - namespace: gatus - cnpg_cluster: gatus-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="gatus"} - cnpg_pg_replication_is_wal_receiver_up{namespace="gatus"}) < 2 - for: 5m - labels: - severity: warning - namespace: gatus - cnpg_cluster: gatus-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "gatus/gatus-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="gatus", pod=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="gatus", pod=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: gatus - cnpg_cluster: gatus-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "gatus/gatus-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="gatus", pod=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="gatus", pod=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: gatus - cnpg_cluster: gatus-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "gatus/gatus-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="gatus",pod=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: gatus - cnpg_cluster: gatus-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "gatus/gatus-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="gatus", pod=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: gatus - cnpg_cluster: gatus-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: gatus - cnpg_cluster: gatus-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "gatus/gatus-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="gatus", persistentvolumeclaim=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="gatus", persistentvolumeclaim=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="gatus", persistentvolumeclaim=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="gatus", persistentvolumeclaim=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="gatus", persistentvolumeclaim=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="gatus", persistentvolumeclaim=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: gatus - cnpg_cluster: gatus-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "gatus/gatus-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="gatus", persistentvolumeclaim=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="gatus", persistentvolumeclaim=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="gatus", persistentvolumeclaim=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="gatus", persistentvolumeclaim=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="gatus", persistentvolumeclaim=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="gatus", persistentvolumeclaim=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: gatus - cnpg_cluster: gatus-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "gatus/gatus-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="gatus",pod=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: gatus - cnpg_cluster: gatus-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: gatus - cnpg_cluster: gatus-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: gatus - cnpg_cluster: gatus-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: gatus - cnpg_cluster: gatus-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "gatus/gatus-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="gatus", pod=~"gatus-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: gatus - cnpg_cluster: gatus-postgresql-17-cluster ---- -# Source: gatus/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "gatus-postgresql-17-daily-backup-scheduled-backup" - namespace: gatus - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: gatus-postgresql-17 - app.kubernetes.io/instance: gatus - app.kubernetes.io/part-of: gatus - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: gatus-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "gatus-postgresql-17-external-backup" ---- -# Source: gatus/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "gatus-postgresql-17-live-backup-scheduled-backup" - namespace: gatus - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: gatus-postgresql-17 - app.kubernetes.io/instance: gatus - app.kubernetes.io/part-of: gatus - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: gatus-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: 
"gatus-postgresql-17-garage-local-backup" ---- -# Source: gatus/charts/gatus/templates/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: gatus - namespace: gatus - labels: - helm.sh/chart: gatus-1.4.4 - app.kubernetes.io/name: gatus - app.kubernetes.io/instance: gatus - app.kubernetes.io/version: "v5.33.0" - app.kubernetes.io/managed-by: Helm -spec: - endpoints: - - port: http - interval: 1m - scrapeTimeout: 30s - honorLabels: true - path: /metrics - scheme: http - jobLabel: "gatus" - selector: - matchLabels: - app.kubernetes.io/name: gatus - app.kubernetes.io/instance: gatus - namespaceSelector: - matchNames: - - gatus diff --git a/clusters/cl01tl/manifests/generic-device-plugin/generic-device-plugin.yaml b/clusters/cl01tl/manifests/generic-device-plugin/generic-device-plugin.yaml deleted file mode 100644 index 19e98fb42..000000000 --- a/clusters/cl01tl/manifests/generic-device-plugin/generic-device-plugin.yaml +++ /dev/null 
@@ -1,163 +0,0 @@ ---- -# Source: generic-device-plugin/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: generic-device-plugin - labels: - app.kubernetes.io/name: generic-device-plugin - app.kubernetes.io/instance: generic-device-plugin - app.kubernetes.io/part-of: generic-device-plugin - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged ---- -# Source: generic-device-plugin/charts/generic-device-plugin/templates/common.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: generic-device-plugin - labels: - app.kubernetes.io/instance: generic-device-plugin - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: generic-device-plugin - app.kubernetes.io/version: 0.20.3 - helm.sh/chart: generic-device-plugin-0.20.3 - namespace: generic-device-plugin -data: - config.yaml: | - devices: - - name: tun - groups: - - count: 1000 - paths: - - path: /dev/net/tun ---- -# Source: generic-device-plugin/charts/generic-device-plugin/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: generic-device-plugin - labels: - app.kubernetes.io/instance: generic-device-plugin - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: generic-device-plugin - app.kubernetes.io/service: generic-device-plugin - app.kubernetes.io/version: 0.20.3 - helm.sh/chart: generic-device-plugin-0.20.3 - namespace: generic-device-plugin -spec: - type: ClusterIP - ports: - - port: 8080 - targetPort: 8080 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: generic-device-plugin - app.kubernetes.io/name: generic-device-plugin ---- -# Source: generic-device-plugin/charts/generic-device-plugin/templates/common.yaml -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: generic-device-plugin - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: generic-device-plugin - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: generic-device-plugin - app.kubernetes.io/version: 0.20.3 - helm.sh/chart: generic-device-plugin-0.20.3 - namespace: generic-device-plugin -spec: - revisionHistoryLimit: 3 - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: generic-device-plugin - app.kubernetes.io/instance: generic-device-plugin - template: - metadata: - annotations: - checksum/configMaps: 473a15a17751b0c136528e129767f6ed0871ca7522e5a6ccd90d041808571e81 - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: generic-device-plugin - app.kubernetes.io/name: generic-device-plugin - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - priorityClassName: system-node-critical - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - tolerations: - - effect: NoExecute - operator: Exists - - effect: NoSchedule - operator: Exists - containers: - - args: - - --config=/config/config.yaml - env: - - name: LISTEN - value: :8080 - - name: PLUGIN_DIRECTORY - value: /var/lib/kubelet/device-plugins - - name: DOMAIN - value: devic.es - image: ghcr.io/squat/generic-device-plugin:latest@sha256:4896ffd516624d6eb7572e102bc4397e91f8bc3b2fb38b5bfefd758baae3dcf2 - imagePullPolicy: Always - name: main - securityContext: - privileged: true - volumeMounts: - - mountPath: /config - name: config - - mountPath: /dev - name: dev - - mountPath: /var/lib/kubelet/device-plugins - name: device-plugins - volumes: - - configMap: - name: generic-device-plugin-config - name: config - - hostPath: - path: /dev - name: dev - - hostPath: - path: /var/lib/kubelet/device-plugins - name: device-plugins ---- -# Source: generic-device-plugin/charts/generic-device-plugin/templates/common.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: generic-device-plugin - labels: - app.kubernetes.io/instance: generic-device-plugin - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: generic-device-plugin - app.kubernetes.io/version: 0.20.3 - helm.sh/chart: generic-device-plugin-0.20.3 - namespace: generic-device-plugin -spec: - jobLabel: "generic-device-plugin" - namespaceSelector: - matchNames: - - generic-device-plugin - selector: - matchLabels: - app.kubernetes.io/service: generic-device-plugin - app.kubernetes.io/name: generic-device-plugin - app.kubernetes.io/instance: generic-device-plugin - endpoints: - - interval: 30s - path: /metrics - port: http - scheme: http - scrapeTimeout: 10s diff --git a/clusters/cl01tl/manifests/gitea/gitea.yaml b/clusters/cl01tl/manifests/gitea/gitea.yaml deleted file mode 100644 index 62f97b872..000000000 --- a/clusters/cl01tl/manifests/gitea/gitea.yaml +++ /dev/null 
@@ -1,2446 +0,0 @@ ---- -# Source: gitea/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: gitea - labels: - app.kubernetes.io/name: gitea - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged ---- -# Source: gitea/charts/backup/templates/common.yaml ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: gitea-backup - labels: - app.kubernetes.io/instance: gitea - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: gitea - helm.sh/chart: backup-4.4.0 - namespace: gitea ---- -# Source: gitea/charts/meilisearch/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: gitea-meilisearch - labels: - helm.sh/chart: meilisearch-0.17.2 - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "v1.18.0" - app.kubernetes.io/component: search-engine - app.kubernetes.io/part-of: meilisearch - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: gitea/charts/gitea/templates/gitea/config.yaml -apiVersion: v1 -kind: Secret -metadata: - name: gitea-inline-config - namespace: gitea - labels: - helm.sh/chart: gitea-12.4.0 - app: gitea - app.kubernetes.io/name: gitea - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "1.25.2" - version: "1.25.2" - app.kubernetes.io/managed-by: Helm -type: Opaque -stringData: - _generals_: APP_NAME=Gitea - actions: ENABLED=true - cache: |- - ADAPTER=redis - ENABLED=true - HOST=redis://redis-replication-gitea-master.gitea:6379 - database: |- - DB_TYPE=postgres - SCHEMA=public - explore: REQUIRE_SIGNIN_VIEW=true - indexer: |- - ISSUE_INDEXER_ENABLED=true - ISSUE_INDEXER_TYPE=meilisearch - REPO_INDEXER_ENABLED=false - metrics: ENABLED=true - mirror: DEFAULT_INTERVAL=10m - oauth2_client: ENABLE_AUTO_REGISTRATION=true - queue: |- - 
CONN_STR=redis://redis-replication-gitea-master.gitea:6379 - TYPE=redis - repo-archive: ENABLED=false - repository: ROOT=/data/git/gitea-repositories - security: INSTALL_LOCK=true - server: |- - APP_DATA_PATH=/data - DOMAIN=gitea.alexlebens.dev - ENABLE_PPROF=true - HTTP_PORT=3000 - LANDING_PAGE=explore - LOCAL_ROOT_URL=http://gitea-http.gitea.svc.cluster.local:3000 - PROTOCOL=http - ROOT_URL=https://gitea.alexlebens.dev - SSH_DOMAIN=gitea.alexlebens.net - SSH_LISTEN_PORT=22 - SSH_PORT=22 - START_SSH_SERVER=true - service: |- - ALLOW_ONLY_EXTERNAL_REGISTRATION=true - REGISTER_MANUAL_CONFIRM=true - SHOW_REGISTRATION_BUTTON=false - session: |- - PROVIDER=redis - PROVIDER_CONFIG=redis://redis-replication-gitea-master.gitea:6379 - ui: |- - DEFAULT_THEME=gitea-auto - THEMES=gitea-light,gitea-dark,gitea-auto,catppuccin-rosewater-auto,catppuccin-flamingo-auto,catppuccin-pink-auto,catppuccin-mauve-auto,catppuccin-red-auto,catppuccin-maroon-auto,catppuccin-peach-auto,catppuccin-yellow-auto,catppuccin-green-auto,catppuccin-teal-auto,catppuccin-sky-auto,catppuccin-sapphire-auto,catppuccin-blue-auto,catppuccin-lavender-auto,catppuccin-latte-rosewater,catppuccin-latte-flamingo,catppuccin-latte-pink,catppuccin-latte-mauve,catppuccin-latte-red,catppuccin-latte-maroon,catppuccin-latte-peach,catppuccin-latte-yellow,catppuccin-latte-green,catppuccin-latte-teal,catppuccin-latte-sky,catppuccin-latte-sapphire,catppuccin-latte-blue,catppuccin-latte-lavender,catppuccin-frappe-rosewater,catppuccin-frappe-flamingo,catppuccin-frappe-pink,catppuccin-frappe-mauve,catppuccin-frappe-red,catppuccin-frappe-maroon,catppuccin-frappe-peach,catppuccin-frappe-yellow,catppuccin-frappe-green,catppuccin-frappe-teal,catppuccin-frappe-sky,catppuccin-frappe-sapphire,catppuccin-frappe-blue,catppuccin-frappe-lavender,catppuccin-macchiato-rosewater,catppuccin-macchiato-flamingo,catppuccin-macchiato-pink,catppuccin-macchiato-mauve,catppuccin-macchiato-red,catppuccin-macchiato-maroon,catppuccin-macchiato-peach,ca
tppuccin-macchiato-yellow,catppuccin-macchiato-green,catppuccin-macchiato-teal,catppuccin-macchiato-sky,catppuccin-macchiato-sapphire,catppuccin-macchiato-blue,catppuccin-macchiato-lavender,catppuccin-mocha-rosewater,catppuccin-mocha-flamingo,catppuccin-mocha-pink,catppuccin-mocha-mauve,catppuccin-mocha-red,catppuccin-mocha-maroon,catppuccin-mocha-peach,catppuccin-mocha-yellow,catppuccin-mocha-green,catppuccin-mocha-teal,catppuccin-mocha-sky,catppuccin-mocha-sapphire,catppuccin-mocha-blue,catppuccin-mocha-lavender - webhook: ALLOWED_HOST_LIST=private ---- -# Source: gitea/charts/gitea/templates/gitea/config.yaml -apiVersion: v1 -kind: Secret -metadata: - name: gitea - namespace: gitea - labels: - helm.sh/chart: gitea-12.4.0 - app: gitea - app.kubernetes.io/name: gitea - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "1.25.2" - version: "1.25.2" - app.kubernetes.io/managed-by: Helm -type: Opaque -stringData: - config_environment.sh: | - #!/usr/bin/env bash - set -euo pipefail - - function env2ini::log() { - printf "${1}\n" - } - - function env2ini::read_config_to_env() { - local section="${1}" - local line="${2}" - - if [[ -z "${line}" ]]; then - # skip empty line - return - fi - - # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line - local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)" - - if [[ -z "${setting}" ]]; then - env2ini::log ' ! invalid setting' - exit 1 - fi - - local value='' - local regex="^${setting}(\s*)=(\s*)(.*)" - if [[ $line =~ $regex ]]; then - value="${BASH_REMATCH[3]}" - else - env2ini::log ' ! 
invalid setting' - exit 1 - fi - - env2ini::log " + '${setting}'" - - if [[ -z "${section}" ]]; then - export "GITEA____${setting^^}=${value}" # '^^' makes the variable content uppercase - return - fi - - local masked_section="${section//./_0X2E_}" # '//' instructs to replace all matches - masked_section="${masked_section//-/_0X2D_}" - - export "GITEA__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase - } - - function env2ini::reload_preset_envs() { - env2ini::log "Reloading preset envs..." - - while read -r line; do - if [[ -z "${line}" ]]; then - # skip empty line - return - fi - - # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line - local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)" - - if [[ -z "${setting}" ]]; then - env2ini::log ' ! invalid setting' - exit 1 - fi - - local value='' - local regex="^${setting}(\s*)=(\s*)(.*)" - if [[ $line =~ $regex ]]; then - value="${BASH_REMATCH[3]}" - else - env2ini::log ' ! invalid setting' - exit 1 - fi - - env2ini::log " + '${setting}'" - - export "${setting^^}=${value}" # '^^' makes the variable content uppercase - done < "$TMP_EXISTING_ENVS_FILE" - - rm $TMP_EXISTING_ENVS_FILE - } - - - function env2ini::process_config_file() { - local config_file="${1}" - local section="$(basename "${config_file}")" - - if [[ $section == '_generals_' ]]; then - env2ini::log " [ini root]" - section='' - else - env2ini::log " ${section}" - fi - - while read -r line; do - env2ini::read_config_to_env "${section}" "${line}" - done < <(awk 1 "${config_file}") # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading - } - - function env2ini::load_config_sources() { - local path="${1}" - - if [[ -d "${path}" ]]; then - env2ini::log "Processing $(basename "${path}")..." 
- - while read -d '' configFile; do - env2ini::process_config_file "${configFile}" - done < <(find "${path}" -type l -not -name '..data' -print0) - - env2ini::log "\n" - fi - } - - function env2ini::generate_initial_secrets() { - # These environment variables will either be - # - overwritten with user defined values, - # - initially used to set up Gitea - # Anyway, they won't harm existing app.ini files - - export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN) - export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY) - export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET) - export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET) - - env2ini::log "...Initial secrets generated\n" - } - - # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs - env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > $TMP_EXISTING_ENVS_FILE - - # MUST BE CALLED BEFORE OTHER CONFIGURATION - env2ini::generate_initial_secrets - - env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/inlines/" - env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/additionals/" - - # load existing envs to override auto generated envs - env2ini::reload_preset_envs - - env2ini::log "=== All configuration sources loaded ===\n" - - # safety to prevent rewrite of secret keys if an app.ini already exists - if [ -f ${GITEA_APP_INI} ]; then - env2ini::log 'An app.ini file already exists. 
To prevent overwriting secret keys, these settings are dropped and remain unchanged:' - env2ini::log ' - security.INTERNAL_TOKEN' - env2ini::log ' - security.SECRET_KEY' - env2ini::log ' - oauth2.JWT_SECRET' - env2ini::log ' - server.LFS_JWT_SECRET' - - unset GITEA__SECURITY__INTERNAL_TOKEN - unset GITEA__SECURITY__SECRET_KEY - unset GITEA__OAUTH2__JWT_SECRET - unset GITEA__SERVER__LFS_JWT_SECRET - fi - - environment-to-ini -o $GITEA_APP_INI - assertions: | ---- -# Source: gitea/charts/gitea/templates/gitea/init.yaml -apiVersion: v1 -kind: Secret -metadata: - name: gitea-init - namespace: gitea - labels: - helm.sh/chart: gitea-12.4.0 - app: gitea - app.kubernetes.io/name: gitea - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "1.25.2" - version: "1.25.2" - app.kubernetes.io/managed-by: Helm -type: Opaque -stringData: - configure_gpg_environment.sh: | - #!/usr/bin/env bash - set -eu - - gpg --batch --import "$TMP_RAW_GPG_KEY" - init_directory_structure.sh: |- - #!/usr/bin/env bash - - set -euo pipefail - # BEGIN: initPreScript - wget https://github.com/catppuccin/gitea/releases/latest/download/catppuccin-gitea.tar.gz; - tar -xvzf catppuccin-gitea.tar.gz -C /data/gitea/public/assets/css; - rm catppuccin-gitea.tar.gz; - # END: initPreScript - mkdir -pv /data/git/.ssh - chmod -Rv 700 /data/git/.ssh - [ ! 
-d /data/gitea/conf ] && mkdir -pv /data/gitea/conf - - # prepare temp directory structure - mkdir -pv "${GITEA_TEMP}" - chmod -v ug+rwx "${GITEA_TEMP}" - - - - configure_gitea.sh: |- - #!/usr/bin/env bash - - set -euo pipefail - - echo '==== BEGIN GITEA CONFIGURATION ====' - - { # try - gitea migrate - } || { # catch - echo "Gitea migrate might fail due to database connection...This init-container will try again in a few seconds" - exit 1 - } - function configure_admin_user() { - local full_admin_list=$(gitea admin user list --admin) - local actual_user_table='' - - # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line - local regex="(.*)(ID\s+Username\s+Email\s+IsActive.*)" - if [[ "${full_admin_list}" =~ $regex ]]; then - actual_user_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline - else - # This code block should never be reached, as long as the output table header remains the same. - # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script. - - echo "ERROR: 'configure_admin_user' was not able to determine the current list of admin users." - echo " Please review the output of 'gitea admin user list --admin' shown below." - echo " If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues." 
- echo "DEBUG: Output of 'gitea admin user list --admin'" - echo "--" - echo "${full_admin_list}" - echo "--" - exit 1 - fi - - local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}") - if [[ -z "${ACCOUNT_ID}" ]]; then - local -a create_args - create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email "gitea@local.domain") - if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then - create_args+=(--must-change-password=true) - else - create_args+=(--must-change-password=false) - fi - echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..." - gitea admin user create "${create_args[@]}" - echo '...created.' - else - if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then - echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..." - # See https://gitea.com/gitea/helm-gitea/issues/673 - # --must-change-password argument was added to change-password, defaulting to true, counter to the previous behavior - # which acted as if it were provided with =false. If the argument is present in this version of gitea, then we - # should add it to prevent requiring frequent admin password resets. - local -a change_args - change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}") - if gitea admin user change-password --help | grep -qF -- '--must-change-password'; then - change_args+=(--must-change-password=false) - fi - gitea admin user change-password "${change_args[@]}" - echo '...password sync done.' - else - echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping." - fi - fi - } - - configure_admin_user - - function configure_ldap() { - echo 'no ldap configuration... skipping.' 
- } - - configure_ldap - - function configure_oauth() { - local OAUTH_NAME='Authentik' - local full_auth_list=$(gitea admin auth list --vertical-bars) - local actual_auth_table='' - - # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line - local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)" - if [[ "${full_auth_list}" =~ $regex ]]; then - actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline - else - # This code block should never be reached, as long as the output table header remains the same. - # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script. - - echo "ERROR: 'configure_oauth' was not able to determine the current list of authentication sources." - echo " Please review the output of 'gitea admin auth list --vertical-bars' shown below." - echo " If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues." - echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'" - echo "--" - echo "${full_auth_list}" - echo "--" - exit 1 - fi - - local AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " " "{print \$1}") - - if [[ -z "${AUTH_ID}" ]]; then - echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..." - gitea admin auth add-oauth --auto-discover-url "https://auth.alexlebens.dev/application/o/gitea/.well-known/openid-configuration" --icon-url "https://goauthentik.io/img/icon.png" --key "${GITEA_OAUTH_KEY_0}" --name "Authentik" --provider "openidConnect" --scopes "email profile" --secret "${GITEA_OAUTH_SECRET_0}" - echo '...installed.' - else - echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..." 
- gitea admin auth update-oauth --id "${AUTH_ID}" --auto-discover-url "https://auth.alexlebens.dev/application/o/gitea/.well-known/openid-configuration" --icon-url "https://goauthentik.io/img/icon.png" --key "${GITEA_OAUTH_KEY_0}" --name "Authentik" --provider "openidConnect" --scopes "email profile" --secret "${GITEA_OAUTH_SECRET_0}" - echo '...sync settings done.' - fi - } - - configure_oauth - - echo '==== END GITEA CONFIGURATION ====' ---- -# Source: gitea/charts/gitea-actions/templates/config-map.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: gitea-actions-act-runner-config - namespace: gitea - labels: - helm.sh/chart: gitea-actions-0.2.1 - app: gitea-actions - app.kubernetes.io/name: gitea-actions - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "0.2.13" - version: "0.2.13" - app.kubernetes.io/managed-by: Helm -data: - config.yaml: | - log: - level: debug - cache: - enabled: false - runner: - labels: - - "ubuntu-latest:docker://harbor.alexlebens.net/proxy-hub.docker/gitea/runner-images:ubuntu-24.04" - - "ubuntu-js:docker://harbor.alexlebens.net/proxy-ghcr.io/catthehacker/ubuntu:js-24.04" - - "ubuntu-24.04:docker://harbor.alexlebens.net/proxy-hub.docker/gitea/runner-images:ubuntu-24.04" - - "ubuntu-22.04:docker://harbor.alexlebens.net/proxy-hub.docker/gitea/runner-images:ubuntu-22.04" ---- -# Source: gitea/charts/meilisearch/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: gitea-meilisearch-environment - labels: - helm.sh/chart: meilisearch-0.17.2 - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "v1.18.0" - app.kubernetes.io/component: search-engine - app.kubernetes.io/part-of: meilisearch - app.kubernetes.io/managed-by: Helm -data: - MEILI_ENV: "production" - MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE: "true" - MEILI_NO_ANALYTICS: "true" - MEILI_EXPERIMENTAL_ENABLE_METRICS: "true" ---- -# Source: gitea/charts/gitea/templates/gitea/pvc.yaml -kind: 
PersistentVolumeClaim -apiVersion: v1 -metadata: - name: gitea-shared-storage - namespace: gitea - annotations: - helm.sh/resource-policy: keep - labels: - {} -spec: - accessModes: - - ReadWriteMany - volumeMode: Filesystem - - storageClassName: "ceph-filesystem" - resources: - requests: - storage: 40Gi ---- -# Source: gitea/charts/meilisearch/templates/pvc.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: gitea-meilisearch - labels: - helm.sh/chart: meilisearch-0.17.2 - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "v1.18.0" - app.kubernetes.io/component: search-engine - app.kubernetes.io/part-of: meilisearch - app.kubernetes.io/managed-by: Helm -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: gitea/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: gitea-nfs-storage-backup - namespace: gitea - labels: - app.kubernetes.io/name: gitea-nfs-storage-backup - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - volumeMode: Filesystem - storageClassName: nfs-client - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi ---- -# Source: gitea/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: gitea-themes-storage - namespace: gitea - labels: - app.kubernetes.io/name: gitea-themes-storage - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - volumeMode: Filesystem - storageClassName: nfs-client - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi ---- -# Source: gitea/templates/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: gitea-backup - namespace: gitea - labels: - app.kubernetes.io/name: gitea-backup - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -rules: - - 
apiGroups: - - "" - resources: - - pods - - pods/exec - verbs: - - create - - list - - apiGroups: - - apps - resources: - - deployments - verbs: - - get - - list ---- -# Source: gitea/templates/role-binding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: gitea-backup - namespace: gitea - labels: - app.kubernetes.io/name: gitea-backup - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: gitea-backup -subjects: - - kind: ServiceAccount - name: gitea-backup - namespace: gitea ---- -# Source: gitea/charts/gitea/templates/gitea/http-svc.yaml -apiVersion: v1 -kind: Service -metadata: - name: gitea-http - namespace: gitea - labels: - helm.sh/chart: gitea-12.4.0 - app: gitea - app.kubernetes.io/name: gitea - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "1.25.2" - version: "1.25.2" - app.kubernetes.io/managed-by: Helm - annotations: - {} -spec: - type: ClusterIP - clusterIP: 10.103.160.139 - ports: - - name: http - port: 3000 - targetPort: - selector: - app.kubernetes.io/name: gitea - app.kubernetes.io/instance: gitea ---- -# Source: gitea/charts/gitea/templates/gitea/ssh-svc.yaml -apiVersion: v1 -kind: Service -metadata: - name: gitea-ssh - namespace: gitea - labels: - helm.sh/chart: gitea-12.4.0 - app: gitea - app.kubernetes.io/name: gitea - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "1.25.2" - version: "1.25.2" - app.kubernetes.io/managed-by: Helm - annotations: - {} -spec: - type: ClusterIP - clusterIP: 10.103.160.140 - ports: - - name: ssh - port: 22 - targetPort: 22 - protocol: TCP - selector: - app.kubernetes.io/name: gitea - app.kubernetes.io/instance: gitea ---- -# Source: gitea/charts/meilisearch/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: gitea-meilisearch - labels: - helm.sh/chart: meilisearch-0.17.2 - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: gitea - 
app.kubernetes.io/version: "v1.18.0" - app.kubernetes.io/component: search-engine - app.kubernetes.io/part-of: meilisearch - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 7700 - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: gitea ---- -# Source: gitea/charts/cloudflared/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gitea-cloudflared - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: gitea - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cloudflared - app.kubernetes.io/version: 2025.10.0 - helm.sh/chart: cloudflared-1.23.1 - namespace: gitea -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: cloudflared - app.kubernetes.io/instance: gitea - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: gitea - app.kubernetes.io/name: cloudflared - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - tunnel - - --protocol - - http2 - - --no-autoupdate - - run - - --token - - $(CF_MANAGED_TUNNEL_TOKEN) - env: - - name: CF_MANAGED_TUNNEL_TOKEN - valueFrom: - secretKeyRef: - key: cf-tunnel-token - name: gitea-cloudflared-secret - image: cloudflare/cloudflared:2025.11.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: gitea/charts/gitea/templates/gitea/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gitea - namespace: gitea - annotations: - labels: - helm.sh/chart: gitea-12.4.0 - app: gitea - app.kubernetes.io/name: gitea - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "1.25.2" - 
version: "1.25.2" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 3 - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 0 - maxSurge: 100% - selector: - matchLabels: - app.kubernetes.io/name: gitea - app.kubernetes.io/instance: gitea - template: - metadata: - annotations: - checksum/config: 15d118267cbb18a568310f6955563c2557bca8b8e66a48075e8ebda35d1682f8 - checksum/oauth_0: 03073bf48e66f48f622bd02092a5f93bfd06dbcb5fd833aded3b0d40980be93d - labels: - helm.sh/chart: gitea-12.4.0 - app: gitea - app.kubernetes.io/name: gitea - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "1.25.2" - version: "1.25.2" - app.kubernetes.io/managed-by: Helm - spec: - - securityContext: - fsGroup: 1000 - initContainers: - - name: init-directories - image: "registry.hub.docker.com/gitea/gitea:1.25.2-rootless" - imagePullPolicy: IfNotPresent - command: - - "/usr/sbinx/init_directory_structure.sh" - env: - - name: GITEA_APP_INI - value: /data/gitea/conf/app.ini - - name: GITEA_CUSTOM - value: /data/gitea - - name: GITEA_WORK_DIR - value: /data - - name: GITEA_TEMP - value: /tmp/gitea - volumeMounts: - - name: init - mountPath: /usr/sbinx - - name: temp - mountPath: /tmp - - name: data - mountPath: /data - - mountPath: /data/gitea/public/assets/css - name: gitea-themes-storage - readOnly: false - securityContext: - {} - resources: - limits: {} - requests: - cpu: 100m - memory: 128Mi - - name: init-app-ini - image: "registry.hub.docker.com/gitea/gitea:1.25.2-rootless" - imagePullPolicy: IfNotPresent - command: - - "/usr/sbinx/config_environment.sh" - env: - - name: GITEA_APP_INI - value: /data/gitea/conf/app.ini - - name: GITEA_CUSTOM - value: /data/gitea - - name: GITEA_WORK_DIR - value: /data - - name: GITEA_TEMP - value: /tmp/gitea - - name: TMP_EXISTING_ENVS_FILE - value: /tmp/existing-envs - - name: ENV_TO_INI_MOUNT_POINT - value: /env-to-ini-mounts - - name: GITEA__DATABASE__HOST - valueFrom: - secretKeyRef: - key: host - name: 
gitea-postgresql-17-cluster-app - - name: GITEA__DATABASE__NAME - valueFrom: - secretKeyRef: - key: dbname - name: gitea-postgresql-17-cluster-app - - name: GITEA__DATABASE__USER - valueFrom: - secretKeyRef: - key: user - name: gitea-postgresql-17-cluster-app - - name: GITEA__DATABASE__PASSWD - valueFrom: - secretKeyRef: - key: password - name: gitea-postgresql-17-cluster-app - - name: GITEA__INDEXER__ISSUE_INDEXER_CONN_STR - valueFrom: - secretKeyRef: - key: ISSUE_INDEXER_CONN_STR - name: gitea-meilisearch-master-key-secret - volumeMounts: - - name: config - mountPath: /usr/sbinx - - name: temp - mountPath: /tmp - - name: data - mountPath: /data - - name: inline-config-sources - mountPath: /env-to-ini-mounts/inlines/ - - mountPath: /data/gitea/public/assets/css - name: gitea-themes-storage - readOnly: false - securityContext: - {} - resources: - limits: {} - requests: - cpu: 100m - memory: 128Mi - - name: configure-gitea - image: "registry.hub.docker.com/gitea/gitea:1.25.2-rootless" - command: - - "/usr/sbinx/configure_gitea.sh" - imagePullPolicy: IfNotPresent - securityContext: - runAsUser: 1000 - env: - - name: GITEA_APP_INI - value: /data/gitea/conf/app.ini - - name: GITEA_CUSTOM - value: /data/gitea - - name: GITEA_WORK_DIR - value: /data - - name: GITEA_TEMP - value: /tmp/gitea - - name: HOME - value: /data/gitea/git - - name: GITEA_OAUTH_KEY_0 - valueFrom: - secretKeyRef: - key: key - name: gitea-oidc-secret - - name: GITEA_OAUTH_SECRET_0 - valueFrom: - secretKeyRef: - key: secret - name: gitea-oidc-secret - - name: GITEA_ADMIN_USERNAME - value: "gitea_admin" - - name: GITEA_ADMIN_PASSWORD - value: "r8sA8CPHD9!bt6d" - - name: GITEA_ADMIN_PASSWORD_MODE - value: keepUpdated - volumeMounts: - - name: init - mountPath: /usr/sbinx - - name: temp - mountPath: /tmp - - name: data - mountPath: /data - - mountPath: /data/gitea/public/assets/css - name: gitea-themes-storage - readOnly: false - resources: - limits: {} - requests: - cpu: 100m - memory: 128Mi - 
terminationGracePeriodSeconds: 60 - containers: - - name: gitea - image: "registry.hub.docker.com/gitea/gitea:1.25.2-rootless" - imagePullPolicy: IfNotPresent - env: - # SSH Port values have to be set here as well for openssh configuration - - name: SSH_LISTEN_PORT - value: "22" - - name: SSH_PORT - value: "22" - - name: GITEA_APP_INI - value: /data/gitea/conf/app.ini - - name: GITEA_CUSTOM - value: /data/gitea - - name: GITEA_WORK_DIR - value: /data - - name: GITEA_TEMP - value: /tmp/gitea - - name: TMPDIR - value: /tmp/gitea - - name: HOME - value: /data/gitea/git - ports: - - name: ssh - containerPort: 22 - - name: http - containerPort: 3000 - - name: profiler - containerPort: 6060 - livenessProbe: - failureThreshold: 10 - initialDelaySeconds: 200 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: http - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: http - timeoutSeconds: 1 - resources: - {} - securityContext: - {} - volumeMounts: - - name: temp - mountPath: /tmp - - name: data - mountPath: /data - - mountPath: /opt/backup - name: gitea-nfs-storage-backup - readOnly: false - - mountPath: /data/gitea/public/assets/css - name: gitea-themes-storage - readOnly: true - volumes: - - name: init - secret: - secretName: gitea-init - defaultMode: 110 - - name: config - secret: - secretName: gitea - defaultMode: 110 - - name: gitea-nfs-storage-backup - persistentVolumeClaim: - claimName: gitea-nfs-storage-backup - - name: gitea-themes-storage - persistentVolumeClaim: - claimName: gitea-themes-storage - - name: inline-config-sources - secret: - secretName: gitea-inline-config - - name: temp - emptyDir: {} - - name: data - persistentVolumeClaim: - claimName: gitea-shared-storage ---- -# Source: gitea/charts/gitea-actions/templates/stateful-set.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - labels: - helm.sh/chart: gitea-actions-0.2.1 - app: 
gitea-actions-act-runner - app.kubernetes.io/name: gitea-actions-act-runner - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "0.2.13" - version: "0.2.13" - app.kubernetes.io/managed-by: Helm - annotations: - name: gitea-actions-act-runner - namespace: gitea -spec: - replicas: 6 - selector: - matchLabels: - app.kubernetes.io/name: gitea-actions-act-runner - app.kubernetes.io/instance: gitea - template: - metadata: - labels: - helm.sh/chart: gitea-actions-0.2.1 - app: gitea-actions-act-runner - app.kubernetes.io/name: gitea-actions-act-runner - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "0.2.13" - version: "0.2.13" - app.kubernetes.io/managed-by: Helm - spec: - initContainers: - - name: init-gitea - image: "busybox:1.37.0" - command: - - sh - - -c - - | - while ! nc -z gitea-http.gitea 3000; do - sleep 5 - done - containers: - - name: act-runner - image: "gitea/act_runner:0.2.13" - imagePullPolicy: IfNotPresent - workingDir: /data - env: - - name: DOCKER_HOST - value: tcp://127.0.0.1:2376 - - name: DOCKER_TLS_VERIFY - value: "1" - - name: DOCKER_CERT_PATH - value: /certs/server - - name: GITEA_RUNNER_REGISTRATION_TOKEN - valueFrom: - secretKeyRef: - name: "gitea-runner-secret" - key: "token" - - name: GITEA_INSTANCE_URL - value: http://gitea-http.gitea:3000 - - name: CONFIG_FILE - value: /actrunner/config.yaml - resources: - {} - volumeMounts: - - mountPath: /actrunner/config.yaml - name: act-runner-config - subPath: config.yaml - - mountPath: /certs/server - name: docker-certs - - mountPath: /data - name: data-act-runner - - name: dind - image: "docker:25.0.2-dind" - imagePullPolicy: IfNotPresent - env: - - name: DOCKER_HOST - value: tcp://127.0.0.1:2376 - - name: DOCKER_TLS_VERIFY - value: "1" - - name: DOCKER_CERT_PATH - value: /certs/server - securityContext: - privileged: true - resources: - {} - volumeMounts: - - mountPath: /certs/server - name: docker-certs - volumes: - - name: act-runner-config - configMap: - name: 
gitea-actions-act-runner-config - - name: docker-certs - emptyDir: {} - volumeClaimTemplates: - - metadata: - name: data-act-runner - spec: - accessModes: [ "ReadWriteOnce" ] - - storageClassName: "ceph-block" - resources: - requests: - storage: 5Gi ---- -# Source: gitea/charts/meilisearch/templates/statefulset.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: gitea-meilisearch - labels: - helm.sh/chart: meilisearch-0.17.2 - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "v1.18.0" - app.kubernetes.io/component: search-engine - app.kubernetes.io/part-of: meilisearch - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - serviceName: gitea-meilisearch - selector: - matchLabels: - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: gitea - template: - metadata: - labels: - helm.sh/chart: meilisearch-0.17.2 - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "v1.18.0" - app.kubernetes.io/component: search-engine - app.kubernetes.io/part-of: meilisearch - app.kubernetes.io/managed-by: Helm - annotations: - checksum/config: 0178cf378f0e14d1efccf74708b9f1f0e6544cc2d63896abe303af68c8e09da5 - spec: - serviceAccountName: gitea-meilisearch - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - volumes: - - name: tmp - emptyDir: {} - - name: data - persistentVolumeClaim: - claimName: gitea-meilisearch - - - - containers: - - name: meilisearch - image: "getmeili/meilisearch:v1.18.0" - imagePullPolicy: IfNotPresent - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - name: tmp - mountPath: /tmp - - name: data - mountPath: /meili_data - envFrom: - - configMapRef: - name: gitea-meilisearch-environment - - secretRef: - name: gitea-meilisearch-master-key-secret - ports: - - name: http - 
containerPort: 7700 - protocol: TCP - startupProbe: - httpGet: - path: /health - port: http - periodSeconds: 1 - initialDelaySeconds: 1 - failureThreshold: 60 - timeoutSeconds: 1 - livenessProbe: - httpGet: - path: /health - port: http - periodSeconds: 10 - initialDelaySeconds: 0 - timeoutSeconds: 10 - readinessProbe: - httpGet: - path: /health - port: http - periodSeconds: 10 - initialDelaySeconds: 0 - timeoutSeconds: 10 - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: gitea/charts/backup/templates/common.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: gitea-backup - labels: - app.kubernetes.io/controller: backup - app.kubernetes.io/instance: gitea - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: gitea - helm.sh/chart: backup-4.4.0 - namespace: gitea -spec: - suspend: false - concurrencyPolicy: Forbid - startingDeadlineSeconds: 90 - timeZone: US/Central - schedule: "0 4 */2 * *" - successfulJobsHistoryLimit: 3 - failedJobsHistoryLimit: 3 - jobTemplate: - spec: - parallelism: 1 - backoffLimit: 3 - template: - metadata: - labels: - app.kubernetes.io/controller: backup - app.kubernetes.io/instance: gitea - app.kubernetes.io/name: gitea - spec: - enableServiceLinks: false - serviceAccountName: gitea-backup - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - restartPolicy: Never - initContainers: - - args: - - -ec - - | - kubectl exec -it deploy/gitea -n gitea -- rm -f /opt/backup/gitea-backup.zip; - kubectl exec -it deploy/gitea -n gitea -- /app/gitea/gitea dump -c /data/gitea/conf/app.ini --file /opt/backup/gitea-backup.zip; - command: - - sh - image: bitnami/kubectl:latest - imagePullPolicy: IfNotPresent - name: backup - resources: - requests: - cpu: 100m - memory: 128Mi - containers: - - args: - - -ec - - | - echo ">> Running S3 backup for Gitea" - s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/gitea-backup.zip 
${BUCKET}/cl01tl/gitea-backup-$(date +"%Y%m%d-%H-%M").zip; - mv /opt/backup/gitea-backup.zip /opt/backup/gitea-backup-$(date +"%Y%m%d-%H-%M").zip; - echo ">> Completed S3 backup for Gitea" - command: - - /bin/sh - env: - - name: BUCKET - valueFrom: - secretKeyRef: - key: BUCKET - name: gitea-s3cmd-config - image: d3fk/s3cmd:latest@sha256:590c42746db1252be8aad33e287c7910698c32b58b4fc34f67592a5bd0841551 - imagePullPolicy: IfNotPresent - name: s3-backup - resources: - requests: - cpu: 100m - memory: 128Mi - volumeMounts: - - mountPath: /opt/backup - name: config - - mountPath: /root/.s3cfg - mountPropagation: None - name: s3cmd-config - readOnly: true - subPath: .s3cfg - - args: - - -ec - - | - export DATE_RANGE=$(date -d @$(( $(date +%s) - 604800 )) +%Y%m%d); - export FILE_MATCH="$BUCKET/cl01tl/gitea-backup-$DATE_RANGE-09-00.zip" - echo ">> Running S3 prune for Gitea backup repository" - echo ">> Backups prior to '$DATE_RANGE' will be removed" - echo ">> Backups to be removed:" - s3cmd ls ${BUCKET}/cl01tl/ | - awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}' - echo ">> Deleting ..." 
- s3cmd ls ${BUCKET}/cl01tl/ | - awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}' | - while read file; do - s3cmd del "$file"; - done; - echo ">> Completed S3 prune for Gitea backup repository" - command: - - /bin/sh - env: - - name: BUCKET - valueFrom: - secretKeyRef: - key: BUCKET - name: gitea-s3cmd-config - image: d3fk/s3cmd:latest@sha256:590c42746db1252be8aad33e287c7910698c32b58b4fc34f67592a5bd0841551 - imagePullPolicy: IfNotPresent - name: s3-prune - resources: - requests: - cpu: 100m - memory: 128Mi - volumeMounts: - - mountPath: /root/.s3cfg - mountPropagation: None - name: s3cmd-config - readOnly: true - subPath: .s3cfg - volumes: - - name: config - persistentVolumeClaim: - claimName: gitea-nfs-storage-backup - - name: s3cmd-config - secret: - secretName: gitea-s3cmd-config ---- -# Source: gitea/templates/ingress.yaml -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: gitea-tailscale - namespace: gitea - labels: - app.kubernetes.io/name: gitea-tailscale - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea - tailscale.com/proxy-class: no-metrics - annotations: - tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true" -spec: - ingressClassName: tailscale - tls: - - hosts: - - gitea-cl01tl - secretName: gitea-cl01tl - rules: - - host: gitea-cl01tl - http: - paths: - - path: / - pathType: ImplementationSpecific - backend: - service: - name: gitea-http - port: - name: http ---- -# Source: gitea/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: gitea-postgresql-17-cluster - namespace: gitea - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: gitea-postgresql-17 - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - 
imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "gitea-postgresql-17-external-backup" - serverName: "gitea-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "gitea-postgresql-17-garage-local-backup" - serverName: "gitea-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "gitea-postgresql-17-recovery" - serverName: gitea-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 200m - memory: 1Gi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: gitea-postgresql-17-backup-1 - - externalClusters: - - name: gitea-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "gitea-postgresql-17-recovery" - serverName: gitea-postgresql-17-backup-1 ---- -# Source: gitea/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gitea-admin-secret - namespace: gitea - labels: - app.kubernetes.io/name: gitea-admin-secret - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: 
username - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/gitea/auth/admin - metadataPolicy: None - property: username - - secretKey: password - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/gitea/auth/admin - metadataPolicy: None - property: password ---- -# Source: gitea/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gitea-oidc-secret - namespace: gitea - labels: - app.kubernetes.io/name: gitea-oidc-secret - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: secret - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/gitea - metadataPolicy: None - property: secret - - secretKey: key - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/gitea - metadataPolicy: None - property: client ---- -# Source: gitea/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gitea-runner-secret - namespace: gitea - labels: - app.kubernetes.io/name: gitea-runner-secret - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/gitea/runner - metadataPolicy: None - property: token ---- -# Source: gitea/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gitea-renovate-secret - namespace: gitea - labels: - app.kubernetes.io/name: gitea-renovate-secret - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: RENOVATE_ENDPOINT - remoteRef: - conversionStrategy: Default - 
decodingStrategy: None - key: /cl01tl/gitea/renovate - metadataPolicy: None - property: RENOVATE_ENDPOINT - - secretKey: RENOVATE_GIT_AUTHOR - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/gitea/renovate - metadataPolicy: None - property: RENOVATE_GIT_AUTHOR - - secretKey: RENOVATE_TOKEN - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/gitea/renovate - metadataPolicy: None - property: RENOVATE_TOKEN - - secretKey: RENOVATE_GIT_PRIVATE_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/gitea/renovate - metadataPolicy: None - property: id_rsa - - secretKey: RENOVATE_GITHUB_COM_TOKEN - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /github/gitea-cl01tl - metadataPolicy: None - property: token ---- -# Source: gitea/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gitea-renovate-ssh-secret - namespace: gitea - labels: - app.kubernetes.io/name: gitea-renovate-ssh-secret - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: config - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/gitea/renovate - metadataPolicy: None - property: ssh_config - - secretKey: id_rsa - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/gitea/renovate - metadataPolicy: None - property: id_rsa - - secretKey: id_rsa.pub - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/gitea/renovate - metadataPolicy: None - property: id_rsa.pub ---- -# Source: gitea/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gitea-s3cmd-config - namespace: gitea - labels: - app.kubernetes.io/name: gitea-s3cmd-config - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: 
gitea -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: .s3cfg - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/gitea-backup - metadataPolicy: None - property: s3cfg - - secretKey: BUCKET - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/gitea-backup - metadataPolicy: None - property: BUCKET ---- -# Source: gitea/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gitea-meilisearch-master-key-secret - namespace: gitea - labels: - app.kubernetes.io/name: gitea-meilisearch-master-key-secret - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - ISSUE_INDEXER_CONN_STR: "http://:{{ .MEILI_MASTER_KEY }}@gitea-meilisearch.gitea:7700/" - data: - - secretKey: MEILI_MASTER_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/gitea/meilisearch - metadataPolicy: None - property: MEILI_MASTER_KEY ---- -# Source: gitea/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gitea-cloudflared-secret - namespace: gitea - labels: - app.kubernetes.io/name: gitea-cloudflared-secret - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: cf-tunnel-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/tunnels/gitea - metadataPolicy: None - property: token ---- -# Source: gitea/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gitea-postgresql-17-cluster-backup-secret - namespace: gitea - labels: - app.kubernetes.io/name: 
gitea-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: gitea/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gitea-postgresql-17-cluster-backup-secret-garage - namespace: gitea - labels: - app.kubernetes.io/name: gitea-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: gitea/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-gitea - namespace: gitea - labels: - app.kubernetes.io/name: http-route-gitea - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - 
gitea.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: gitea-http - port: 3000 - weight: 100 ---- -# Source: gitea/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "gitea-postgresql-17-external-backup" - namespace: gitea - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: gitea-postgresql-17 - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gitea/gitea-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: gitea-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: gitea-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: gitea/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "gitea-postgresql-17-garage-local-backup" - namespace: gitea - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: gitea-postgresql-17 - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: gitea-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: gitea-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: gitea-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: 
gitea/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "gitea-postgresql-17-recovery" - namespace: gitea - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: gitea-postgresql-17 - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: gitea-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: gitea-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: gitea/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: gitea-postgresql-17-alert-rules - namespace: gitea - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: gitea-postgresql-17 - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/gitea-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: gitea - cnpg_cluster: gitea-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. 
- description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: gitea - cnpg_cluster: gitea-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="gitea"} - cnpg_pg_replication_is_wal_receiver_up{namespace="gitea"}) < 1 - for: 5m - labels: - severity: critical - namespace: gitea - cnpg_cluster: gitea-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. 
The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="gitea"} - cnpg_pg_replication_is_wal_receiver_up{namespace="gitea"}) < 2 - for: 5m - labels: - severity: warning - namespace: gitea - cnpg_cluster: gitea-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "gitea/gitea-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="gitea", pod=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="gitea", pod=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: gitea - cnpg_cluster: gitea-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "gitea/gitea-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="gitea", pod=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="gitea", pod=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: gitea - cnpg_cluster: gitea-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "gitea/gitea-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="gitea",pod=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: gitea - cnpg_cluster: gitea-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "gitea/gitea-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="gitea", pod=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: gitea - cnpg_cluster: gitea-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: gitea - cnpg_cluster: gitea-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "gitea/gitea-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: gitea - cnpg_cluster: gitea-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "gitea/gitea-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: gitea - cnpg_cluster: gitea-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "gitea/gitea-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="gitea",pod=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: gitea - cnpg_cluster: gitea-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: gitea - cnpg_cluster: gitea-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: gitea - cnpg_cluster: gitea-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: gitea - cnpg_cluster: gitea-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "gitea/gitea-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="gitea", pod=~"gitea-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: gitea - cnpg_cluster: gitea-postgresql-17-cluster ---- -# Source: gitea/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-gitea - namespace: gitea - labels: - app.kubernetes.io/name: redis-replication-gitea - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.0.3 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 10Gi - redisExporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.48.0 ---- -# Source: gitea/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-renovate - namespace: gitea - labels: - app.kubernetes.io/name: redis-replication-renovate - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.0.3 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi - redisExporter: - enabled: true - image: 
quay.io/opstree/redis-exporter:v1.48.0 ---- -# Source: gitea/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "gitea-postgresql-17-daily-backup-scheduled-backup" - namespace: gitea - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: gitea-postgresql-17 - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: gitea-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "gitea-postgresql-17-external-backup" ---- -# Source: gitea/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "gitea-postgresql-17-live-backup-scheduled-backup" - namespace: gitea - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: gitea-postgresql-17 - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: gitea-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "gitea-postgresql-17-garage-local-backup" ---- -# Source: gitea/charts/meilisearch/templates/serviceMonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: gitea-meilisearch - namespace: gitea - labels: - helm.sh/chart: meilisearch-0.17.2 - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "v1.18.0" - app.kubernetes.io/component: search-engine - 
app.kubernetes.io/part-of: meilisearch - app.kubernetes.io/managed-by: Helm -spec: - jobLabel: gitea - namespaceSelector: - matchNames: - - gitea - selector: - matchLabels: - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: gitea - endpoints: - - port: http - path: /metrics - interval: 1m - scrapeTimeout: 10s - bearerTokenSecret: - name: gitea-meilisearch-master-key-secret - key: MEILI_MASTER_KEY ---- -# Source: gitea/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: gitea - namespace: gitea - labels: - app.kubernetes.io/name: gitea - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - selector: - matchLabels: - app.kubernetes.io/name: gitea - app.kubernetes.io/instance: gitea - matchExpressions: - - { key: app.kubernetes.io/controller, operator: NotIn, values: [backup] } - endpoints: - - port: http ---- -# Source: gitea/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: redis-replication-gitea - namespace: gitea - labels: - app.kubernetes.io/name: redis-replication-gitea - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea - redis-operator: "true" - env: production -spec: - selector: - matchLabels: - redis_setup_type: replication - endpoints: - - port: redis-exporter - interval: 30s - scrapeTimeout: 10s ---- -# Source: gitea/templates/tcp-route.yaml -apiVersion: gateway.networking.k8s.io/v1alpha2 -kind: TCPRoute -metadata: - name: tcp-route-gitea-ssh - namespace: gitea - labels: - app.kubernetes.io/name: tcp-route-gitea-ssh - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - sectionName: ssh - rules: - - backendRefs: - - group: '' - kind: Service - name: gitea-ssh - port: 22 - weight: 100 ---- -# Source: 
gitea/charts/gitea/templates/tests/test-http-connection.yaml -apiVersion: v1 -kind: Pod -metadata: - name: "gitea-test-connection" - namespace: gitea - labels: - - helm.sh/chart: gitea-12.4.0 - app: gitea - app.kubernetes.io/name: gitea - app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "1.25.2" - version: "1.25.2" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": test-success -spec: - containers: - - name: wget - image: "busybox:latest" - command: ['wget'] - args: ['gitea-http:3000'] - restartPolicy: Never ---- -# Source: gitea/charts/meilisearch/templates/tests/test-connection.yaml -apiVersion: v1 -kind: Pod -metadata: - name: gitea-meilisearch-test-connection - labels: - app.kubernetes.io/name: meilisearch - helm.sh/chart: meilisearch-0.17.2 - app.kubernetes.io/instance: gitea - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": test-success -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['gitea-meilisearch:7700'] - restartPolicy: Never diff --git a/clusters/cl01tl/manifests/grafana-operator/grafana-operator.yaml b/clusters/cl01tl/manifests/grafana-operator/grafana-operator.yaml deleted file mode 100644 index b401c3a93..000000000 --- a/clusters/cl01tl/manifests/grafana-operator/grafana-operator.yaml +++ /dev/null 
@@ -1,10862 +0,0 @@ ---- -# Source: grafana-operator/charts/grafana-operator/charts/crds/crds/grafana.integreatly.org_grafanaalertrulegroups.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.3 - name: grafanaalertrulegroups.grafana.integreatly.org -spec: - group: grafana.integreatly.org - names: - categories: - - grafana-operator - kind: GrafanaAlertRuleGroup - listKind: GrafanaAlertRuleGroupList - plural: grafanaalertrulegroups - singular: grafanaalertrulegroup - scope: Namespaced - versions: - - additionalPrinterColumns: - - format: date-time - jsonPath: .status.lastResync - name: Last resync - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: GrafanaAlertRuleGroup is the Schema for the grafanaalertrulegroups - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GrafanaAlertRuleGroupSpec defines the desired state of GrafanaAlertRuleGroup - properties: - allowCrossNamespaceImport: - default: false - description: Allow the Operator to match this resource with Grafanas - outside the current namespace - type: boolean - editable: - description: Whether to enable or disable editing of the alert rule - group in Grafana UI - type: boolean - x-kubernetes-validations: - - message: Value is immutable - rule: self == oldSelf - folderRef: - description: Match GrafanaFolders CRs to infer the uid - type: string - x-kubernetes-validations: - - message: Value is immutable - rule: self == oldSelf - folderUID: - description: |- - UID of the folder containing this rule group - Overrides the FolderSelector - type: string - x-kubernetes-validations: - - message: Value is immutable - rule: self == oldSelf - instanceSelector: - description: Selects Grafana instances for import - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: spec.instanceSelector is immutable - rule: self == oldSelf - interval: - format: duration - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - name: - description: Name of the alert rule group. If not specified, the resource - name will be used. - type: string - resyncPeriod: - default: 10m0s - description: How often the resource is synced, defaults to 10m0s if - not set - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - rules: - items: - description: AlertRule defines a specific rule to be evaluated. - It is based on the upstream model with some k8s specific type - mappings - properties: - annotations: - additionalProperties: - type: string - type: object - condition: - type: string - data: - items: - properties: - datasourceUid: - description: Grafana data source unique identifier; it - should be '__expr__' for a Server Side Expression operation. - type: string - model: - description: JSON is the raw JSON query and includes the - above properties as well as custom properties. - x-kubernetes-preserve-unknown-fields: true - queryType: - description: |- - QueryType is an optional identifier for the type of query. - It can be used to distinguish different types of queries. - type: string - refId: - description: RefID is the unique identifier of the query, - set by the frontend call. 
- type: string - relativeTimeRange: - description: relative time range - properties: - from: - description: from - format: int64 - type: integer - to: - description: to - format: int64 - type: integer - type: object - type: object - type: array - execErrState: - enum: - - OK - - Alerting - - Error - - KeepLast - type: string - for: - default: 0s - format: duration - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - isPaused: - type: boolean - keepFiringFor: - format: duration - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - labels: - additionalProperties: - type: string - type: object - missingSeriesEvalsToResolve: - description: The number of missing series evaluations that must - occur before the rule is considered to be resolved. - format: int64 - type: integer - noDataState: - enum: - - Alerting - - NoData - - OK - - KeepLast - type: string - notificationSettings: - properties: - group_by: - items: - type: string - type: array - group_interval: - type: string - group_wait: - type: string - mute_time_intervals: - items: - type: string - type: array - receiver: - type: string - repeat_interval: - type: string - required: - - receiver - type: object - record: - properties: - from: - type: string - metric: - type: string - required: - - from - - metric - type: object - title: - example: Always firing - maxLength: 190 - minLength: 1 - type: string - uid: - description: UID of the alert rule. 
Can be any string consisting - of alphanumeric characters, - and _ with a maximum length - of 40 - maxLength: 40 - pattern: ^[a-zA-Z0-9-_]+$ - type: string - required: - - condition - - data - - execErrState - - for - - noDataState - - title - - uid - type: object - minItems: 1 - type: array - suspend: - description: Suspend pauses synchronizing attempts and tells the operator - to ignore changes - type: boolean - required: - - instanceSelector - - interval - - rules - type: object - x-kubernetes-validations: - - message: Only one of FolderUID or FolderRef can be set and one must - be defined - rule: (has(self.folderUID) && !(has(self.folderRef))) || (has(self.folderRef) - && !(has(self.folderUID))) - - message: spec.editable is immutable - rule: ((!has(oldSelf.editable) && !has(self.editable)) || (has(oldSelf.editable) - && has(self.editable))) - - message: spec.folderUID is immutable - rule: ((!has(oldSelf.folderUID) && !has(self.folderUID)) || (has(oldSelf.folderUID) - && has(self.folderUID))) - - message: spec.folderRef is immutable - rule: ((!has(oldSelf.folderRef) && !has(self.folderRef)) || (has(oldSelf.folderRef) - && has(self.folderRef))) - - message: disabling spec.allowCrossNamespaceImport requires a recreate - to ensure desired state - rule: '!oldSelf.allowCrossNamespaceImport || (oldSelf.allowCrossNamespaceImport - && self.allowCrossNamespaceImport)' - status: - description: The most recent observed state of a Grafana resource - properties: - conditions: - description: Results when synchonizing resource with Grafana instances - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastResync: - description: Last time the resource was synchronized with Grafana - instances - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: grafana-operator/charts/grafana-operator/charts/crds/crds/grafana.integreatly.org_grafanacontactpoints.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.3 - name: grafanacontactpoints.grafana.integreatly.org -spec: - group: grafana.integreatly.org - names: - categories: - - grafana-operator - kind: GrafanaContactPoint - listKind: GrafanaContactPointList - plural: grafanacontactpoints - singular: grafanacontactpoint - scope: Namespaced - versions: - - additionalPrinterColumns: - - format: date-time - jsonPath: .status.lastResync - name: Last resync - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: GrafanaContactPoint is the Schema for the grafanacontactpoints - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GrafanaContactPointSpec defines the desired state of GrafanaContactPoint - properties: - allowCrossNamespaceImport: - default: false - description: Allow the Operator to match this resource with Grafanas - outside the current namespace - type: boolean - disableResolveMessage: - type: boolean - instanceSelector: - description: Selects Grafana instances for import - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: spec.instanceSelector is immutable - rule: self == oldSelf - name: - type: string - resyncPeriod: - default: 10m0s - description: How often the resource is synced, defaults to 10m0s if - not set - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - settings: - x-kubernetes-preserve-unknown-fields: true - suspend: - description: Suspend pauses synchronizing attempts and tells the operator - to ignore changes - type: boolean - type: - minLength: 1 - type: string - uid: - description: Manually specify the UID the Contact Point is created - with. Can be any string consisting of alphanumeric characters, - - and _ with a maximum length of 40 - maxLength: 40 - pattern: ^[a-zA-Z0-9-_]+$ - type: string - x-kubernetes-validations: - - message: spec.uid is immutable - rule: self == oldSelf - valuesFrom: - items: - properties: - targetPath: - type: string - valueFrom: - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-validations: - - message: Either configMapKeyRef or secretKeyRef must be set - rule: (has(self.configMapKeyRef) && !has(self.secretKeyRef)) - || (!has(self.configMapKeyRef) && has(self.secretKeyRef)) - required: - - targetPath - - valueFrom - type: object - maxItems: 99 - type: array - required: - - instanceSelector - - name - - settings - - type - type: object - x-kubernetes-validations: - - message: spec.uid is immutable - rule: ((!has(oldSelf.uid) && !has(self.uid)) || (has(oldSelf.uid) && - has(self.uid))) - - message: disabling spec.allowCrossNamespaceImport requires a recreate - to ensure desired state - rule: '!oldSelf.allowCrossNamespaceImport || (oldSelf.allowCrossNamespaceImport - && self.allowCrossNamespaceImport)' - status: - description: The most recent observed state of a Grafana resource - properties: - conditions: - description: Results when synchonizing resource with Grafana instances - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastResync: - description: Last time the resource was synchronized with Grafana - instances - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: grafana-operator/charts/grafana-operator/charts/crds/crds/grafana.integreatly.org_grafanadashboards.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.3 - name: grafanadashboards.grafana.integreatly.org -spec: - group: grafana.integreatly.org - names: - categories: - - grafana-operator - kind: GrafanaDashboard - listKind: GrafanaDashboardList - plural: grafanadashboards - singular: grafanadashboard - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.NoMatchingInstances - name: No matching instances - type: boolean - - format: date-time - jsonPath: .status.lastResync - name: Last resync - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: GrafanaDashboard is the Schema for the grafanadashboards API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. 
- Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GrafanaDashboardSpec defines the desired state of GrafanaDashboard - properties: - allowCrossNamespaceImport: - default: false - description: Allow the Operator to match this resource with Grafanas - outside the current namespace - type: boolean - configMapRef: - description: model from configmap - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - contentCacheDuration: - description: Cache duration for models fetched from URLs - type: string - datasources: - description: maps required data sources to existing ones - items: - description: |- - GrafanaResourceDatasource is used to set the datasource name of any templated datasources in - content definitions (e.g., dashboard JSON). - properties: - datasourceName: - type: string - inputName: - type: string - required: - - datasourceName - - inputName - type: object - type: array - envFrom: - description: environments variables from secrets or config maps - items: - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - type: array - envs: - description: environments variables as a map - items: - properties: - name: - type: string - value: - description: Inline env value - type: string - valueFrom: - description: Reference on value source, might be the reference - on a secret or config map - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - folder: - description: folder assignment for dashboard - type: string - folderRef: - description: Name of a `GrafanaFolder` resource in the same namespace - type: string - folderUID: - description: UID of the target folder for this dashboard - type: string - grafanaCom: - description: grafana.com/dashboards - properties: - id: - type: integer - revision: - type: integer - required: - - id - type: object - gzipJson: - description: GzipJson the model's JSON compressed with Gzip. Base64-encoded - when in YAML. - format: byte - type: string - instanceSelector: - description: Selects Grafana instances for import - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: spec.instanceSelector is immutable - rule: self == oldSelf - json: - description: model json - type: string - jsonnet: - description: Jsonnet - type: string - jsonnetLib: - description: Jsonnet project build - properties: - fileName: - type: string - gzipJsonnetProject: - format: byte - type: string - jPath: - items: - type: string - type: array - required: - - fileName - - gzipJsonnetProject - type: object - plugins: - description: plugins - items: - properties: - name: - minLength: 1 - type: string - version: - pattern: ^((0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?|latest)$ - type: string - required: - - name - - version - type: object - type: array - resyncPeriod: - default: 10m0s - description: How often the resource is synced, defaults to 10m0s if - not set - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - suspend: - description: Suspend pauses synchronizing attempts and tells the operator - to ignore changes - type: boolean - uid: - description: |- - Manually specify the uid, overwrites uids already present in the json model. - Can be any string consisting of alphanumeric characters, - and _ with a maximum length of 40. - maxLength: 40 - pattern: ^[a-zA-Z0-9-_]+$ - type: string - x-kubernetes-validations: - - message: spec.uid is immutable - rule: self == oldSelf - url: - description: model url - type: string - urlAuthorization: - description: authorization options for model from url - properties: - basicAuth: - properties: - password: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - type: object - required: - - instanceSelector - type: object - x-kubernetes-validations: - - message: Only one of folderUID or folderRef can be declared at the same - time - rule: (has(self.folderUID) && !(has(self.folderRef))) || (has(self.folderRef) - && !(has(self.folderUID))) || !(has(self.folderRef) && (has(self.folderUID))) - - message: folder field cannot be set when folderUID or folderRef is already - declared - rule: (has(self.folder) && !(has(self.folderRef) || has(self.folderUID))) - || !(has(self.folder)) - - message: spec.uid is immutable - rule: ((!has(oldSelf.uid) && !has(self.uid)) || (has(oldSelf.uid) && - has(self.uid))) - - message: disabling spec.allowCrossNamespaceImport requires a recreate - to ensure desired state - rule: '!oldSelf.allowCrossNamespaceImport || 
(oldSelf.allowCrossNamespaceImport - && self.allowCrossNamespaceImport)' - status: - description: GrafanaDashboardStatus defines the observed state of GrafanaDashboard - properties: - NoMatchingInstances: - description: The dashboard instanceSelector can't find matching grafana - instances - type: boolean - conditions: - description: Results when synchonizing resource with Grafana instances - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - contentCache: - format: byte - type: string - contentTimestamp: - format: date-time - type: string - contentUrl: - type: string - hash: - type: string - lastResync: - description: Last time the resource was synchronized with Grafana - instances - format: date-time - type: string - uid: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: grafana-operator/charts/grafana-operator/charts/crds/crds/grafana.integreatly.org_grafanadatasources.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.3 - name: grafanadatasources.grafana.integreatly.org -spec: - group: grafana.integreatly.org - names: - categories: - - grafana-operator - kind: GrafanaDatasource - listKind: GrafanaDatasourceList - plural: grafanadatasources - singular: grafanadatasource - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.NoMatchingInstances - name: No matching instances - type: boolean - - format: date-time - jsonPath: .status.lastResync - name: Last resync - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: GrafanaDatasource is the Schema for the grafanadatasources API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. 
- Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GrafanaDatasourceSpec defines the desired state of GrafanaDatasource - properties: - allowCrossNamespaceImport: - default: false - description: Allow the Operator to match this resource with Grafanas - outside the current namespace - type: boolean - datasource: - properties: - access: - type: string - basicAuth: - type: boolean - basicAuthUser: - type: string - database: - type: string - editable: - description: Whether to enable/disable editing of the datasource - in Grafana UI - type: boolean - isDefault: - type: boolean - jsonData: - type: object - x-kubernetes-preserve-unknown-fields: true - name: - type: string - orgId: - description: Deprecated field, it has no effect - format: int64 - type: integer - secureJsonData: - type: object - x-kubernetes-preserve-unknown-fields: true - type: - type: string - uid: - description: Deprecated field, use spec.uid instead - type: string - url: - type: string - user: - type: string - type: object - instanceSelector: - description: Selects Grafana instances for import - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: spec.instanceSelector is immutable - rule: self == oldSelf - plugins: - description: plugins - items: - properties: - name: - minLength: 1 - type: string - version: - pattern: ^((0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?|latest)$ - type: string - required: - - name - - version - type: object - type: array - resyncPeriod: - default: 10m0s - description: How often the resource is synced, defaults to 10m0s if - not set - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - suspend: - description: Suspend pauses synchronizing attempts and tells the operator - to ignore changes - type: boolean - uid: - description: |- - The UID, for the datasource, fallback to the deprecated spec.datasource.uid - and metadata.uid. Can be any string consisting of alphanumeric characters, - - and _ with a maximum length of 40 +optional - maxLength: 40 - pattern: ^[a-zA-Z0-9-_]+$ - type: string - x-kubernetes-validations: - - message: spec.uid is immutable - rule: self == oldSelf - valuesFrom: - description: environments variables from secrets or config maps - items: - properties: - targetPath: - type: string - valueFrom: - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-validations: - - message: Either configMapKeyRef or secretKeyRef must be set - rule: (has(self.configMapKeyRef) && !has(self.secretKeyRef)) - || (!has(self.configMapKeyRef) && has(self.secretKeyRef)) - required: - - targetPath - - valueFrom - type: object - maxItems: 99 - type: array - required: - - datasource - - instanceSelector - type: object - x-kubernetes-validations: - - message: spec.uid is immutable - rule: ((!has(oldSelf.uid) && !has(self.uid)) || (has(oldSelf.uid) && - has(self.uid))) - - message: disabling spec.allowCrossNamespaceImport requires a recreate - to ensure desired state - rule: '!oldSelf.allowCrossNamespaceImport || (oldSelf.allowCrossNamespaceImport - && self.allowCrossNamespaceImport)' - status: - description: GrafanaDatasourceStatus defines the observed state of GrafanaDatasource - properties: - NoMatchingInstances: - description: The datasource instanceSelector can't find matching grafana - instances - type: boolean - conditions: - description: Results when 
synchonizing resource with Grafana instances - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - hash: - type: string - lastMessage: - description: 'Deprecated: Check status.conditions or operator logs' - type: string - lastResync: - description: Last time the resource was synchronized with Grafana - instances - format: date-time - type: string - uid: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: grafana-operator/charts/grafana-operator/charts/crds/crds/grafana.integreatly.org_grafanafolders.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.3 - name: grafanafolders.grafana.integreatly.org -spec: - group: grafana.integreatly.org - names: - categories: - - grafana-operator - kind: GrafanaFolder - listKind: GrafanaFolderList - plural: grafanafolders - singular: grafanafolder - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.NoMatchingInstances - name: No matching instances - type: boolean - - format: date-time - jsonPath: .status.lastResync - name: Last resync - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: GrafanaFolder is the Schema for the grafanafolders API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GrafanaFolderSpec defines the desired state of GrafanaFolder - properties: - allowCrossNamespaceImport: - default: false - description: Allow the Operator to match this resource with Grafanas - outside the current namespace - type: boolean - instanceSelector: - description: Selects Grafana instances for import - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: spec.instanceSelector is immutable - rule: self == oldSelf - parentFolderRef: - description: Reference to an existing GrafanaFolder CR in the same - namespace - type: string - parentFolderUID: - description: UID of the folder in which the current folder should - be created - type: string - permissions: - description: Raw json with folder permissions, potentially exported - from Grafana - type: string - resyncPeriod: - default: 10m0s - description: How often the resource is synced, defaults to 10m0s if - not set - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - suspend: - description: Suspend pauses synchronizing attempts and tells the operator - to ignore changes - type: boolean - title: - description: Display name of the folder in Grafana - type: string - uid: - description: Manually specify the UID the Folder is created with. 
- Can be any string consisting of alphanumeric characters, - and _ - with a maximum length of 40 - maxLength: 40 - pattern: ^[a-zA-Z0-9-_]+$ - type: string - x-kubernetes-validations: - - message: spec.uid is immutable - rule: self == oldSelf - required: - - instanceSelector - type: object - x-kubernetes-validations: - - message: Only one of parentFolderUID or parentFolderRef can be set - rule: (has(self.parentFolderUID) && !(has(self.parentFolderRef))) || - (has(self.parentFolderRef) && !(has(self.parentFolderUID))) || !(has(self.parentFolderRef) - && (has(self.parentFolderUID))) - - message: spec.uid is immutable - rule: ((!has(oldSelf.uid) && !has(self.uid)) || (has(oldSelf.uid) && - has(self.uid))) - - message: disabling spec.allowCrossNamespaceImport requires a recreate - to ensure desired state - rule: '!oldSelf.allowCrossNamespaceImport || (oldSelf.allowCrossNamespaceImport - && self.allowCrossNamespaceImport)' - status: - description: GrafanaFolderStatus defines the observed state of GrafanaFolder - properties: - NoMatchingInstances: - description: The folder instanceSelector can't find matching grafana - instances - type: boolean - conditions: - description: Results when synchonizing resource with Grafana instances - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - hash: - type: string - lastResync: - description: Last time the resource was synchronized with Grafana - instances - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: grafana-operator/charts/grafana-operator/charts/crds/crds/grafana.integreatly.org_grafanalibrarypanels.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.3 - name: grafanalibrarypanels.grafana.integreatly.org -spec: - group: grafana.integreatly.org - names: - categories: - - grafana-operator - kind: GrafanaLibraryPanel - listKind: GrafanaLibraryPanelList - plural: grafanalibrarypanels - singular: grafanalibrarypanel - scope: 
Namespaced - versions: - - additionalPrinterColumns: - - format: date-time - jsonPath: .status.lastResync - name: Last resync - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: GrafanaLibraryPanel is the Schema for the grafanalibrarypanels - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GrafanaLibraryPanelSpec defines the desired state of GrafanaLibraryPanel - properties: - allowCrossNamespaceImport: - default: false - description: Allow the Operator to match this resource with Grafanas - outside the current namespace - type: boolean - configMapRef: - description: model from configmap - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - contentCacheDuration: - description: Cache duration for models fetched from URLs - type: string - datasources: - description: maps required data sources to existing ones - items: - description: |- - GrafanaResourceDatasource is used to set the datasource name of any templated datasources in - content definitions (e.g., dashboard JSON). - properties: - datasourceName: - type: string - inputName: - type: string - required: - - datasourceName - - inputName - type: object - type: array - envFrom: - description: environments variables from secrets or config maps - items: - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - type: array - envs: - description: environments variables as a map - items: - properties: - name: - type: string - value: - description: Inline env value - type: string - valueFrom: - description: Reference on value source, might be the reference - on a secret or config map - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - folderRef: - description: Name of a `GrafanaFolder` resource in the same namespace - type: string - folderUID: - description: UID of the target folder for this dashboard - type: string - grafanaCom: - description: grafana.com/dashboards - properties: - id: - type: integer - revision: - type: integer - required: - - id - type: object - gzipJson: - description: GzipJson the model's JSON compressed with Gzip. Base64-encoded - when in YAML. - format: byte - type: string - instanceSelector: - description: Selects Grafana instances for import - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: spec.instanceSelector is immutable - rule: self == oldSelf - json: - description: model json - type: string - jsonnet: - description: Jsonnet - type: string - jsonnetLib: - description: Jsonnet project build - properties: - fileName: - type: string - gzipJsonnetProject: - format: byte - type: string - jPath: - items: - type: string - type: array - required: - - fileName - - gzipJsonnetProject - type: object - plugins: - description: plugins - items: - properties: - name: - minLength: 1 - type: string - version: - pattern: ^((0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?|latest)$ - type: string - required: - - name - - version - type: object - type: array - resyncPeriod: - default: 10m0s - description: How often the resource is synced, defaults to 10m0s if - not set - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - suspend: - description: Suspend pauses synchronizing attempts and tells the operator - to ignore changes - type: boolean - uid: - description: |- - Manually specify the uid, overwrites uids already present in the json model. - Can be any string consisting of alphanumeric characters, - and _ with a maximum length of 40. - maxLength: 40 - pattern: ^[a-zA-Z0-9-_]+$ - type: string - x-kubernetes-validations: - - message: spec.uid is immutable - rule: self == oldSelf - url: - description: model url - type: string - urlAuthorization: - description: authorization options for model from url - properties: - basicAuth: - properties: - password: - description: SecretKeySelector selects a key of a Secret. 
- properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - type: object - required: - - instanceSelector - type: object - x-kubernetes-validations: - - message: Only one of folderUID or folderRef can be declared at the same - time - rule: (has(self.folderUID) && !(has(self.folderRef))) || (has(self.folderRef) - && !(has(self.folderUID))) || !(has(self.folderRef) && (has(self.folderUID))) - - message: spec.uid is immutable - rule: ((!has(oldSelf.uid) && !has(self.uid)) || (has(oldSelf.uid) && - has(self.uid))) - - message: disabling spec.allowCrossNamespaceImport requires a recreate - to ensure desired state - rule: '!oldSelf.allowCrossNamespaceImport || (oldSelf.allowCrossNamespaceImport - && self.allowCrossNamespaceImport)' - status: - description: GrafanaLibraryPanelStatus defines the observed state of GrafanaLibraryPanel - properties: - conditions: - description: Results when synchonizing resource with Grafana instances - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - contentCache: - format: byte - type: string - contentTimestamp: - format: date-time - type: string - contentUrl: - type: string - hash: - type: string - lastResync: - description: Last time the resource was synchronized with Grafana - instances - format: date-time - type: string - uid: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: grafana-operator/charts/grafana-operator/charts/crds/crds/grafana.integreatly.org_grafanamutetimings.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.3 - name: grafanamutetimings.grafana.integreatly.org -spec: - group: grafana.integreatly.org - names: - categories: - - 
grafana-operator - kind: GrafanaMuteTiming - listKind: GrafanaMuteTimingList - plural: grafanamutetimings - singular: grafanamutetiming - scope: Namespaced - versions: - - additionalPrinterColumns: - - format: date-time - jsonPath: .status.lastResync - name: Last resync - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: GrafanaMuteTiming is the Schema for the GrafanaMuteTiming API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GrafanaMuteTimingSpec defines the desired state of GrafanaMuteTiming - properties: - allowCrossNamespaceImport: - default: false - description: Allow the Operator to match this resource with Grafanas - outside the current namespace - type: boolean - editable: - default: true - description: Whether to enable or disable editing of the mute timing - in Grafana UI - type: boolean - x-kubernetes-validations: - - message: spec.editable is immutable - rule: self == oldSelf - instanceSelector: - description: Selects Grafana instances for import - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: spec.instanceSelector is immutable - rule: self == oldSelf - name: - description: A unique name for the mute timing - type: string - resyncPeriod: - default: 10m0s - description: How often the resource is synced, defaults to 10m0s if - not set - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - suspend: - description: Suspend pauses synchronizing attempts and tells the operator - to ignore changes - type: boolean - time_intervals: - description: Time intervals for muting - items: - properties: - days_of_month: - description: |- - The date 1-31 of a month. Negative values can also be used to represent days that begin at the end of the month. 
- For example: -1 for the last day of the month. - items: - type: string - type: array - location: - description: Depending on the location, the time range is displayed - in local time. - type: string - months: - description: |- - The months of the year in either numerical or the full calendar month. - For example: 1, may. - items: - type: string - type: array - times: - description: The time inclusive of the start and exclusive of - the end time (in UTC if no location has been selected, otherwise - local time). - items: - properties: - end_time: - description: end time - type: string - start_time: - description: start time - type: string - required: - - end_time - - start_time - type: object - type: array - weekdays: - description: |- - The day or range of days of the week. - For example: monday, thursday - items: - type: string - type: array - years: - description: |- - The year or years for the interval. - For example: 2021 - items: - type: string - type: array - type: object - minItems: 1 - type: array - required: - - instanceSelector - - name - - time_intervals - type: object - x-kubernetes-validations: - - message: disabling spec.allowCrossNamespaceImport requires a recreate - to ensure desired state - rule: '!oldSelf.allowCrossNamespaceImport || (oldSelf.allowCrossNamespaceImport - && self.allowCrossNamespaceImport)' - status: - description: The most recent observed state of a Grafana resource - properties: - conditions: - description: Results when synchonizing resource with Grafana instances - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastResync: - description: Last time the resource was synchronized with Grafana - instances - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: grafana-operator/charts/grafana-operator/charts/crds/crds/grafana.integreatly.org_grafananotificationpolicies.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.3 - name: grafananotificationpolicies.grafana.integreatly.org -spec: - group: grafana.integreatly.org - names: - categories: - - grafana-operator - kind: GrafanaNotificationPolicy - listKind: GrafanaNotificationPolicyList - plural: grafananotificationpolicies - singular: grafananotificationpolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - format: date-time - jsonPath: .status.lastResync - name: Last resync - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: GrafanaNotificationPolicy is the Schema for the GrafanaNotificationPolicy - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. 
- In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GrafanaNotificationPolicySpec defines the desired state of - GrafanaNotificationPolicy - properties: - allowCrossNamespaceImport: - default: false - description: Allow the Operator to match this resource with Grafanas - outside the current namespace - type: boolean - editable: - description: Whether to enable or disable editing of the notification - policy in Grafana UI - type: boolean - x-kubernetes-validations: - - message: Value is immutable - rule: self == oldSelf - instanceSelector: - description: Selects Grafana instances for import - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: spec.instanceSelector is immutable - rule: self == oldSelf - resyncPeriod: - default: 10m0s - description: How often the resource is synced, defaults to 10m0s if - not set - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - route: - description: Routes for alerts to match against - properties: - continue: - description: continue - type: boolean - group_by: - description: group by - items: - type: string - type: array - group_interval: - description: group interval - type: string - group_wait: - description: group wait - type: string - match_re: - additionalProperties: - type: string - description: match re - type: object - matchers: - description: matchers - items: - properties: - isEqual: - description: is equal - type: boolean - isRegex: - description: is regex - type: boolean - name: - description: name - type: string - value: - description: value - type: string - required: - - isRegex - - value - type: object - type: array - mute_time_intervals: - description: mute time intervals - items: - type: string - type: array - object_matchers: - description: object matchers - items: - description: |- - ObjectMatcher ObjectMatcher is a matcher that can be used to filter alerts. 
- - swagger:model ObjectMatcher - items: - type: string - type: array - type: array - provenance: - description: provenance - type: string - receiver: - description: receiver - minLength: 1 - type: string - repeat_interval: - description: repeat interval - type: string - routeSelector: - description: |- - selects GrafanaNotificationPolicyRoutes to merge in when specified - mutually exclusive with Routes - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - routes: - description: routes, mutually exclusive with RouteSelector - x-kubernetes-preserve-unknown-fields: true - required: - - receiver - type: object - suspend: - description: Suspend pauses synchronizing attempts and tells the operator - to ignore changes - type: boolean - required: - - instanceSelector - - route - type: object - x-kubernetes-validations: - - message: spec.editable is immutable - rule: ((!has(oldSelf.editable) && !has(self.editable)) || (has(oldSelf.editable) - && has(self.editable))) - - message: disabling spec.allowCrossNamespaceImport requires a recreate - to ensure desired state - rule: '!oldSelf.allowCrossNamespaceImport || (oldSelf.allowCrossNamespaceImport - && self.allowCrossNamespaceImport)' - status: - description: GrafanaNotificationPolicyStatus defines the observed state - of GrafanaNotificationPolicy - properties: - conditions: - description: Results when synchonizing resource with Grafana instances - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - discoveredRoutes: - items: - type: string - type: array - lastResync: - description: Last time the resource was synchronized with Grafana - instances - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: grafana-operator/charts/grafana-operator/charts/crds/crds/grafana.integreatly.org_grafananotificationpolicyroutes.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.3 - name: grafananotificationpolicyroutes.grafana.integreatly.org -spec: - group: grafana.integreatly.org - names: - categories: - - grafana-operator - kind: GrafanaNotificationPolicyRoute - listKind: GrafanaNotificationPolicyRouteList - plural: grafananotificationpolicyroutes - singular: grafananotificationpolicyroute - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: 
GrafanaNotificationPolicyRoute is the Schema for the grafananotificationpolicyroutes - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GrafanaNotificationPolicyRouteSpec defines the desired state - of GrafanaNotificationPolicyRoute - properties: - continue: - description: continue - type: boolean - group_by: - description: group by - items: - type: string - type: array - group_interval: - description: group interval - type: string - group_wait: - description: group wait - type: string - match_re: - additionalProperties: - type: string - description: match re - type: object - matchers: - description: matchers - items: - properties: - isEqual: - description: is equal - type: boolean - isRegex: - description: is regex - type: boolean - name: - description: name - type: string - value: - description: value - type: string - required: - - isRegex - - value - type: object - type: array - mute_time_intervals: - description: mute time intervals - items: - type: string - type: array - object_matchers: - description: object matchers - items: - description: |- - ObjectMatcher ObjectMatcher is a matcher that can be used to filter alerts. 
- - swagger:model ObjectMatcher - items: - type: string - type: array - type: array - provenance: - description: provenance - type: string - receiver: - description: receiver - minLength: 1 - type: string - repeat_interval: - description: repeat interval - type: string - routeSelector: - description: |- - selects GrafanaNotificationPolicyRoutes to merge in when specified - mutually exclusive with Routes - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - routes: - description: routes, mutually exclusive with RouteSelector - x-kubernetes-preserve-unknown-fields: true - required: - - receiver - type: object - status: - description: The most recent observed state of a Grafana resource - properties: - conditions: - description: Results when synchonizing resource with Grafana instances - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastResync: - description: Last time the resource was synchronized with Grafana - instances - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: grafana-operator/charts/grafana-operator/charts/crds/crds/grafana.integreatly.org_grafananotificationtemplates.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.3 - name: grafananotificationtemplates.grafana.integreatly.org -spec: - group: grafana.integreatly.org - names: - categories: - - grafana-operator - kind: GrafanaNotificationTemplate - listKind: GrafanaNotificationTemplateList - plural: grafananotificationtemplates - singular: grafananotificationtemplate - scope: Namespaced - versions: - - additionalPrinterColumns: - - format: date-time - jsonPath: .status.lastResync - name: Last resync - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: GrafanaNotificationTemplate is the Schema for the GrafanaNotificationTemplate - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GrafanaNotificationTemplateSpec defines the desired state - of GrafanaNotificationTemplate - properties: - allowCrossNamespaceImport: - default: false - description: Allow the Operator to match this resource with Grafanas - outside the current namespace - type: boolean - editable: - description: Whether to enable or disable editing of the notification - template in Grafana UI - type: boolean - x-kubernetes-validations: - - message: spec.editable is immutable - rule: self == oldSelf - instanceSelector: - description: Selects Grafana instances for import - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: spec.instanceSelector is immutable - rule: self == oldSelf - name: - description: Template name - type: string - resyncPeriod: - default: 10m0s - description: How often the resource is synced, defaults to 10m0s if - not set - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - suspend: - description: Suspend pauses synchronizing attempts and tells the operator - to ignore changes - type: boolean - template: - description: Template content - type: string - required: - - instanceSelector - - name - type: object - x-kubernetes-validations: - - message: spec.editable is immutable - rule: ((!has(oldSelf.editable) && !has(self.editable)) || (has(oldSelf.editable) - && has(self.editable))) - - message: disabling spec.allowCrossNamespaceImport requires a recreate - to ensure desired state - rule: '!oldSelf.allowCrossNamespaceImport || (oldSelf.allowCrossNamespaceImport - && self.allowCrossNamespaceImport)' - status: - description: The most recent observed state of a Grafana resource - properties: - conditions: - description: Results when synchonizing resource with Grafana instances - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. 
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastResync: - description: Last time the resource was synchronized with Grafana - instances - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: grafana-operator/charts/grafana-operator/charts/crds/crds/grafana.integreatly.org_grafanas.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.3 - name: grafanas.grafana.integreatly.org -spec: - group: grafana.integreatly.org - names: - categories: - - grafana-operator - kind: Grafana - listKind: GrafanaList - plural: grafanas - singular: grafana - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.version - name: Version - type: string - - jsonPath: .status.stage - name: Stage - type: string - - jsonPath: .status.stageStatus - name: Stage status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Grafana is the Schema for the grafanas API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GrafanaSpec defines the desired state of Grafana - properties: - client: - description: Client defines how the grafana-operator talks to the grafana instance. - properties: - headers: - additionalProperties: - type: string - description: Custom HTTP headers to use when interacting with this Grafana. - type: object - preferIngress: - description: If the operator should send it's request through the grafana instances ingress object instead of through the service. - nullable: true - type: boolean - timeout: - nullable: true - type: integer - tls: - description: TLS Configuration used to talk with the grafana instance. - properties: - certSecretRef: - description: Use a secret as a reference to give TLS Certificate information - properties: - name: - description: name is unique within a namespace to reference a secret resource. - type: string - namespace: - description: namespace defines the space within which the secret name must be unique. - type: string - type: object - x-kubernetes-map-type: atomic - insecureSkipVerify: - description: Disable the CA check of the server - type: boolean - type: object - x-kubernetes-validations: - - message: insecureSkipVerify and certSecretRef cannot be set at the same time - rule: (has(self.insecureSkipVerify) && !(has(self.certSecretRef))) || (has(self.certSecretRef) && !(has(self.insecureSkipVerify))) - type: object - config: - additionalProperties: - additionalProperties: - type: string - type: object - description: Config defines how your grafana ini file should looks like. - type: object - x-kubernetes-preserve-unknown-fields: true - deployment: - description: Deployment sets how the deployment object should look like with your grafana instance, contains a number of defaults. 
- properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - spec: - properties: - minReadySeconds: - format: int32 - type: integer - paused: - type: boolean - progressDeadlineSeconds: - format: int32 - type: integer - replicas: - format: int32 - type: integer - revisionHistoryLimit: - format: int32 - type: integer - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - strategy: - properties: - rollingUpdate: - properties: - maxSurge: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: - type: string - type: object - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - spec: - properties: - activeDeadlineSeconds: - format: int64 - type: integer - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - 
x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: 
string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - 
items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - 
type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - automountServiceAccountToken: - type: boolean - containers: - items: - properties: - args: - items: - type: string - type: array - x-kubernetes-list-type: atomic - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - env: - items: - properties: - name: - type: string - value: - type: string - valueFrom: - properties: - configMapKeyRef: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - properties: - key: - type: string - optional: - default: false - type: boolean - path: - type: string - volumeName: - type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - type: string - required: - - resource - type: object - 
x-kubernetes-map-type: atomic - secretKeyRef: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - envFrom: - items: - properties: - configMapRef: - properties: - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - type: string - secretRef: - properties: - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - image: - type: string - imagePullPolicy: - type: string - lifecycle: - properties: - postStart: - properties: - exec: - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - sleep: - properties: - seconds: - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - properties: - exec: - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - 
type: array - x-kubernetes-list-type: atomic - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - sleep: - properties: - seconds: - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - stopSignal: - type: string - type: object - livenessProbe: - properties: - exec: - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - grpc: - properties: - port: - format: int32 - type: integer - service: - default: "" - type: string - required: - - port - type: object - httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - format: int32 - type: integer - type: object - name: - type: string - ports: - items: - properties: - containerPort: - format: int32 - type: integer - hostIP: - type: string - hostPort: - format: int32 - type: integer - name: - type: string - protocol: - default: TCP - type: string - required: 
- - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - properties: - exec: - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - grpc: - properties: - port: - format: int32 - type: integer - service: - default: "" - type: string - required: - - port - type: object - httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - format: int32 - type: integer - type: object - resizePolicy: - items: - properties: - resourceName: - type: string - restartPolicy: - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - properties: - claims: - items: - properties: - name: - type: string - request: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - 
x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - restartPolicy: - type: string - restartPolicyRules: - items: - properties: - action: - type: string - exitCodes: - properties: - operator: - type: string - values: - items: - format: int32 - type: integer - type: array - x-kubernetes-list-type: set - required: - - operator - type: object - required: - - action - type: object - type: array - x-kubernetes-list-type: atomic - securityContext: - properties: - allowPrivilegeEscalation: - type: boolean - appArmorProfile: - properties: - localhostProfile: - type: string - type: - type: string - required: - - type - type: object - capabilities: - properties: - add: - items: - type: string - type: array - x-kubernetes-list-type: atomic - drop: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - type: boolean - procMount: - type: string - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxOptions: - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - type: object - seccompProfile: - properties: - localhostProfile: - type: string - type: - type: string - required: - - type - type: object - windowsOptions: - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - type: object - type: object - startupProbe: - properties: - exec: - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - 
grpc: - properties: - port: - format: int32 - type: integer - service: - default: "" - type: string - required: - - port - type: object - httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - format: int32 - type: integer - type: object - stdin: - type: boolean - stdinOnce: - type: boolean - terminationMessagePath: - type: string - terminationMessagePolicy: - type: string - tty: - type: boolean - volumeDevices: - items: - properties: - devicePath: - type: string - name: - type: string - required: - - devicePath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - devicePath - x-kubernetes-list-type: map - volumeMounts: - items: - properties: - mountPath: - type: string - mountPropagation: - type: string - name: - type: string - readOnly: - type: boolean - recursiveReadOnly: - type: string - subPath: - type: string - subPathExpr: - type: string - required: - - mountPath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - mountPath - x-kubernetes-list-type: map - workingDir: - type: string - required: - - name - type: object - type: array - dnsConfig: - properties: - nameservers: - items: - type: string - type: array - x-kubernetes-list-type: atomic - options: - items: - properties: - 
name: - type: string - value: - type: string - type: object - type: array - x-kubernetes-list-type: atomic - searches: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - dnsPolicy: - type: string - enableServiceLinks: - type: boolean - ephemeralContainers: - items: - properties: - args: - items: - type: string - type: array - x-kubernetes-list-type: atomic - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - env: - items: - properties: - name: - type: string - value: - type: string - valueFrom: - properties: - configMapKeyRef: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - properties: - key: - type: string - optional: - default: false - type: boolean - path: - type: string - volumeName: - type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - envFrom: - items: - properties: - configMapRef: - properties: - name: - default: "" - type: string - optional: - type: boolean - type: 
object - x-kubernetes-map-type: atomic - prefix: - type: string - secretRef: - properties: - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - image: - type: string - imagePullPolicy: - type: string - lifecycle: - properties: - postStart: - properties: - exec: - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - sleep: - properties: - seconds: - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - properties: - exec: - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - sleep: - properties: - seconds: - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: 
object - type: object - stopSignal: - type: string - type: object - livenessProbe: - properties: - exec: - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - grpc: - properties: - port: - format: int32 - type: integer - service: - default: "" - type: string - required: - - port - type: object - httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - format: int32 - type: integer - type: object - name: - type: string - ports: - items: - properties: - containerPort: - format: int32 - type: integer - hostIP: - type: string - hostPort: - format: int32 - type: integer - name: - type: string - protocol: - default: TCP - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - properties: - exec: - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - grpc: - properties: - port: - format: int32 - type: integer - service: - default: "" - type: string - required: - - port - type: object - 
httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - format: int32 - type: integer - type: object - resizePolicy: - items: - properties: - resourceName: - type: string - restartPolicy: - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - properties: - claims: - items: - properties: - name: - type: string - request: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - restartPolicy: - type: string - restartPolicyRules: - items: - properties: - action: - type: string - exitCodes: - properties: - operator: - type: string - values: - items: - 
format: int32 - type: integer - type: array - x-kubernetes-list-type: set - required: - - operator - type: object - required: - - action - type: object - type: array - x-kubernetes-list-type: atomic - securityContext: - properties: - allowPrivilegeEscalation: - type: boolean - appArmorProfile: - properties: - localhostProfile: - type: string - type: - type: string - required: - - type - type: object - capabilities: - properties: - add: - items: - type: string - type: array - x-kubernetes-list-type: atomic - drop: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - type: boolean - procMount: - type: string - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxOptions: - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - type: object - seccompProfile: - properties: - localhostProfile: - type: string - type: - type: string - required: - - type - type: object - windowsOptions: - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - type: object - type: object - startupProbe: - properties: - exec: - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - grpc: - properties: - port: - format: int32 - type: integer - service: - default: "" - type: string - required: - - port - type: object - httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - 
required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - format: int32 - type: integer - type: object - stdin: - type: boolean - stdinOnce: - type: boolean - targetContainerName: - type: string - terminationMessagePath: - type: string - terminationMessagePolicy: - type: string - tty: - type: boolean - volumeDevices: - items: - properties: - devicePath: - type: string - name: - type: string - required: - - devicePath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - devicePath - x-kubernetes-list-type: map - volumeMounts: - items: - properties: - mountPath: - type: string - mountPropagation: - type: string - name: - type: string - readOnly: - type: boolean - recursiveReadOnly: - type: string - subPath: - type: string - subPathExpr: - type: string - required: - - mountPath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - mountPath - x-kubernetes-list-type: map - workingDir: - type: string - required: - - name - type: object - type: array - hostAliases: - items: - properties: - hostnames: - items: - type: string - type: array - x-kubernetes-list-type: atomic - ip: - type: string - required: - - ip - type: object - type: array - hostIPC: - type: boolean - hostNetwork: - type: boolean - hostPID: - type: boolean - hostUsers: - type: boolean - hostname: - type: string - imagePullSecrets: - items: - properties: - name: - default: "" - type: string - type: object - x-kubernetes-map-type: atomic - type: array - initContainers: - items: - properties: - args: - items: - type: string - type: array - x-kubernetes-list-type: atomic - command: - items: 
- type: string - type: array - x-kubernetes-list-type: atomic - env: - items: - properties: - name: - type: string - value: - type: string - valueFrom: - properties: - configMapKeyRef: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - properties: - key: - type: string - optional: - default: false - type: boolean - path: - type: string - volumeName: - type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - properties: - key: - type: string - name: - default: "" - type: string - optional: - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - envFrom: - items: - properties: - configMapRef: - properties: - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - type: string - secretRef: - properties: - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - image: - type: string - imagePullPolicy: - type: string - lifecycle: - properties: - postStart: - properties: - exec: - properties: - command: - 
items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - sleep: - properties: - seconds: - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - properties: - exec: - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - sleep: - properties: - seconds: - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - stopSignal: - type: string - type: object - livenessProbe: - properties: - exec: - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - grpc: - properties: - port: - format: int32 - type: integer - service: - default: "" - type: string - required: - - port - type: object - 
httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - format: int32 - type: integer - type: object - name: - type: string - ports: - items: - properties: - containerPort: - format: int32 - type: integer - hostIP: - type: string - hostPort: - format: int32 - type: integer - name: - type: string - protocol: - default: TCP - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - properties: - exec: - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - grpc: - properties: - port: - format: int32 - type: integer - service: - default: "" - type: string - required: - - port - type: object - httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - 
initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - format: int32 - type: integer - type: object - resizePolicy: - items: - properties: - resourceName: - type: string - restartPolicy: - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - properties: - claims: - items: - properties: - name: - type: string - request: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - restartPolicy: - type: string - restartPolicyRules: - items: - properties: - action: - type: string - exitCodes: - properties: - operator: - type: string - values: - items: - format: int32 - type: integer - type: array - x-kubernetes-list-type: set - required: - - operator - type: object - required: - - action - type: object - type: array - x-kubernetes-list-type: atomic - securityContext: - properties: - allowPrivilegeEscalation: - type: boolean - appArmorProfile: - properties: - localhostProfile: - type: string - type: - type: string - required: - - type - type: object 
- capabilities: - properties: - add: - items: - type: string - type: array - x-kubernetes-list-type: atomic - drop: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - type: boolean - procMount: - type: string - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxOptions: - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - type: object - seccompProfile: - properties: - localhostProfile: - type: string - type: - type: string - required: - - type - type: object - windowsOptions: - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - type: object - type: object - startupProbe: - properties: - exec: - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - grpc: - properties: - port: - format: int32 - type: integer - service: - default: "" - type: string - required: - - port - type: object - httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - 
format: int64 - type: integer - timeoutSeconds: - format: int32 - type: integer - type: object - stdin: - type: boolean - stdinOnce: - type: boolean - terminationMessagePath: - type: string - terminationMessagePolicy: - type: string - tty: - type: boolean - volumeDevices: - items: - properties: - devicePath: - type: string - name: - type: string - required: - - devicePath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - devicePath - x-kubernetes-list-type: map - volumeMounts: - items: - properties: - mountPath: - type: string - mountPropagation: - type: string - name: - type: string - readOnly: - type: boolean - recursiveReadOnly: - type: string - subPath: - type: string - subPathExpr: - type: string - required: - - mountPath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - mountPath - x-kubernetes-list-type: map - workingDir: - type: string - required: - - name - type: object - type: array - nodeName: - type: string - nodeSelector: - additionalProperties: - type: string - type: object - x-kubernetes-map-type: atomic - os: - properties: - name: - type: string - required: - - name - type: object - overhead: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - preemptionPolicy: - type: string - priority: - format: int32 - type: integer - priorityClassName: - type: string - readinessGates: - items: - properties: - conditionType: - type: string - required: - - conditionType - type: object - type: array - restartPolicy: - type: string - runtimeClassName: - type: string - schedulerName: - type: string - securityContext: - properties: - appArmorProfile: - properties: - localhostProfile: - type: string - type: - type: string - required: - - type - type: object - fsGroup: - format: int64 - type: integer - fsGroupChangePolicy: - type: string 
- runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxChangePolicy: - type: string - seLinuxOptions: - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - type: object - seccompProfile: - properties: - localhostProfile: - type: string - type: - type: string - required: - - type - type: object - supplementalGroups: - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - type: string - sysctls: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - windowsOptions: - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - type: object - type: object - serviceAccount: - type: string - serviceAccountName: - type: string - setHostnameAsFQDN: - type: boolean - shareProcessNamespace: - type: boolean - subdomain: - type: string - terminationGracePeriodSeconds: - format: int64 - type: integer - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - topologySpreadConstraints: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - format: int32 
- type: integer - minDomains: - format: int32 - type: integer - nodeAffinityPolicy: - type: string - nodeTaintsPolicy: - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - x-kubernetes-list-map-keys: - - topologyKey - - whenUnsatisfiable - x-kubernetes-list-type: map - volumes: - items: - properties: - awsElasticBlockStore: - properties: - fsType: - type: string - partition: - format: int32 - type: integer - readOnly: - type: boolean - volumeID: - type: string - required: - - volumeID - type: object - azureDisk: - properties: - cachingMode: - type: string - diskName: - type: string - diskURI: - type: string - fsType: - default: ext4 - type: string - kind: - type: string - readOnly: - default: false - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - properties: - readOnly: - type: boolean - secretName: - type: string - shareName: - type: string - required: - - secretName - - shareName - type: object - cephfs: - properties: - monitors: - items: - type: string - type: array - x-kubernetes-list-type: atomic - path: - type: string - readOnly: - type: boolean - secretFile: - type: string - secretRef: - properties: - name: - default: "" - type: string - type: object - x-kubernetes-map-type: atomic - user: - type: string - required: - - monitors - type: object - cinder: - properties: - fsType: - type: string - readOnly: - type: boolean - secretRef: - properties: - name: - default: "" - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - type: string - required: - - volumeID - type: object - configMap: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string 
- optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - properties: - driver: - type: string - fsType: - type: string - nodePublishSecretRef: - properties: - name: - default: "" - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - type: boolean - volumeAttributes: - additionalProperties: - type: string - type: object - required: - - driver - type: object - downwardAPI: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - format: int32 - type: integer - path: - type: string - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - emptyDir: - properties: - medium: - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - properties: - volumeClaimTemplate: - properties: - metadata: - type: object - spec: - properties: - accessModes: - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - properties: - apiGroup: - type: string - kind: - type: string - name: - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - properties: - apiGroup: - type: string - kind: - type: string - name: - type: string - namespace: - type: 
string - required: - - kind - - name - type: object - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - type: string - volumeAttributesClassName: - type: string - volumeMode: - type: string - volumeName: - type: string - type: object - required: - - spec - type: object - type: object - fc: - properties: - fsType: - type: string - lun: - format: int32 - type: integer - readOnly: - type: boolean - targetWWNs: - items: - type: string - type: array - x-kubernetes-list-type: atomic - wwids: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - flexVolume: - properties: - driver: - type: string - fsType: - type: string - options: - additionalProperties: - type: string - type: object - readOnly: - type: boolean - secretRef: - properties: - name: - default: "" - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - properties: - datasetName: - type: string - datasetUUID: - type: string - type: object - gcePersistentDisk: - properties: - fsType: - type: string - partition: 
- format: int32 - type: integer - pdName: - type: string - readOnly: - type: boolean - required: - - pdName - type: object - gitRepo: - properties: - directory: - type: string - repository: - type: string - revision: - type: string - required: - - repository - type: object - glusterfs: - properties: - endpoints: - type: string - path: - type: string - readOnly: - type: boolean - required: - - endpoints - - path - type: object - hostPath: - properties: - path: - type: string - type: - type: string - required: - - path - type: object - image: - properties: - pullPolicy: - type: string - reference: - type: string - type: object - iscsi: - properties: - chapAuthDiscovery: - type: boolean - chapAuthSession: - type: boolean - fsType: - type: string - initiatorName: - type: string - iqn: - type: string - iscsiInterface: - default: default - type: string - lun: - format: int32 - type: integer - portals: - items: - type: string - type: array - x-kubernetes-list-type: atomic - readOnly: - type: boolean - secretRef: - properties: - name: - default: "" - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - type: string - nfs: - properties: - path: - type: string - readOnly: - type: boolean - server: - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - properties: - claimName: - type: string - readOnly: - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - properties: - fsType: - type: string - pdID: - type: string - required: - - pdID - type: object - portworxVolume: - properties: - fsType: - type: string - readOnly: - type: boolean - volumeID: - type: string - required: - - volumeID - type: object - projected: - properties: - defaultMode: - format: int32 - type: integer - sources: - items: - properties: - clusterTrustBundle: - properties: - labelSelector: - properties: - matchExpressions: - items: - 
properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - name: - type: string - optional: - type: boolean - path: - type: string - signerName: - type: string - required: - - path - type: object - configMap: - properties: - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - properties: - items: - items: - properties: - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - format: int32 - type: integer - path: - type: string - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podCertificate: - properties: - certificateChainPath: - type: string - credentialBundlePath: - type: string - keyPath: - type: string - keyType: - type: string - maxExpirationSeconds: - format: int32 - type: integer - signerName: - type: string - required: - - keyType - - signerName - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - mode: - format: int32 
- type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - properties: - audience: - type: string - expirationSeconds: - format: int64 - type: integer - path: - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - quobyte: - properties: - group: - type: string - readOnly: - type: boolean - registry: - type: string - tenant: - type: string - user: - type: string - volume: - type: string - required: - - registry - - volume - type: object - rbd: - properties: - fsType: - type: string - image: - type: string - keyring: - default: /etc/ceph/keyring - type: string - monitors: - items: - type: string - type: array - x-kubernetes-list-type: atomic - pool: - default: rbd - type: string - readOnly: - type: boolean - secretRef: - properties: - name: - default: "" - type: string - type: object - x-kubernetes-map-type: atomic - user: - default: admin - type: string - required: - - image - - monitors - type: object - scaleIO: - properties: - fsType: - default: xfs - type: string - gateway: - type: string - protectionDomain: - type: string - readOnly: - type: boolean - secretRef: - properties: - name: - default: "" - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - type: boolean - storageMode: - default: ThinProvisioned - type: string - storagePool: - type: string - system: - type: string - volumeName: - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - type: 
boolean - secretName: - type: string - type: object - storageos: - properties: - fsType: - type: string - readOnly: - type: boolean - secretRef: - properties: - name: - default: "" - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - type: string - volumeNamespace: - type: string - type: object - vsphereVolume: - properties: - fsType: - type: string - storagePolicyID: - type: string - storagePolicyName: - type: string - volumePath: - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - type: object - type: object - type: object - type: object - disableDefaultAdminSecret: - description: DisableDefaultAdminSecret prevents operator from creating default admin-credentials secret - type: boolean - disableDefaultSecurityContext: - description: DisableDefaultSecurityContext prevents the operator from populating securityContext on deployments - enum: - - Pod - - Container - - All - type: string - external: - description: External enables you to configure external grafana instances that is not managed by the operator. - properties: - adminPassword: - description: AdminPassword key to talk to the external grafana instance. - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - adminUser: - description: AdminUser key to talk to the external grafana instance. - properties: - key: - description: The key of the secret to select from. 
Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - apiKey: - description: The API key to talk to the external grafana instance, you need to define ether apiKey or adminUser/adminPassword. - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - tls: - description: DEPRECATED, use top level `tls` instead. - properties: - certSecretRef: - description: Use a secret as a reference to give TLS Certificate information - properties: - name: - description: name is unique within a namespace to reference a secret resource. - type: string - namespace: - description: namespace defines the space within which the secret name must be unique. 
- type: string - type: object - x-kubernetes-map-type: atomic - insecureSkipVerify: - description: Disable the CA check of the server - type: boolean - type: object - x-kubernetes-validations: - - message: insecureSkipVerify and certSecretRef cannot be set at the same time - rule: (has(self.insecureSkipVerify) && !(has(self.certSecretRef))) || (has(self.certSecretRef) && !(has(self.insecureSkipVerify))) - url: - description: URL of the external grafana instance you want to manage. - type: string - required: - - url - type: object - ingress: - description: Ingress sets how the ingress object should look like with your grafana instance. - properties: - metadata: - description: ObjectMeta contains only a [subset of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#objectmeta-v1-meta). - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - spec: - description: IngressSpec describes the Ingress the user wishes to exist. - properties: - defaultBackend: - description: |- - defaultBackend is the backend that should handle requests that don't - match any rule. If Rules are not specified, DefaultBackend must be specified. - If DefaultBackend is not set, the handling of requests that do not match any - of the rules will be up to the Ingress controller. - properties: - resource: - description: |- - resource is an ObjectRef to another Kubernetes resource in the namespace - of the Ingress object. If resource is specified, a service.Name and - service.Port must not be specified. - This is a mutually exclusive setting with "Service". - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. 
- type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - service: - description: |- - service references a service as a backend. - This is a mutually exclusive setting with "Resource". - properties: - name: - description: |- - name is the referenced service. The service must exist in - the same namespace as the Ingress object. - type: string - port: - description: |- - port of the referenced service. A port name or port number - is required for a IngressServiceBackend. - properties: - name: - description: |- - name is the name of the port on the Service. - This is a mutually exclusive setting with "Number". - type: string - number: - description: |- - number is the numerical port number (e.g. 80) on the Service. - This is a mutually exclusive setting with "Name". - format: int32 - type: integer - type: object - x-kubernetes-map-type: atomic - required: - - name - type: object - type: object - ingressClassName: - description: |- - ingressClassName is the name of an IngressClass cluster resource. Ingress - controller implementations use this field to know whether they should be - serving this Ingress resource, by a transitive connection - (controller -> IngressClass -> Ingress resource). Although the - `kubernetes.io/ingress.class` annotation (simple constant name) was never - formally defined, it was widely supported by Ingress controllers to create - a direct binding between Ingress controller and Ingress resources. Newly - created Ingress resources should prefer using the field. However, even - though the annotation is officially deprecated, for backwards compatibility - reasons, ingress controllers should still honor that annotation if present. - type: string - rules: - description: |- - rules is a list of host rules used to configure the Ingress. 
If unspecified, - or no rule matches, all traffic is sent to the default backend. - items: - description: |- - IngressRule represents the rules mapping the paths under a specified host to - the related backend services. Incoming requests are first evaluated for a host - match, then routed to the backend associated with the matching IngressRuleValue. - properties: - host: - description: "host is the fully qualified domain name of a network host, as defined by RFC 3986.\nNote the following deviations from the \"host\" part of the\nURI as defined in RFC 3986:\n1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n the IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future.\nIncoming requests are matched against the host before the\nIngressRuleValue. If the host is unspecified, the Ingress routes all\ntraffic based on the specified IngressRuleValue.\n\nhost can be \"precise\" which is a domain name without the terminating dot of\na network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name\nprefixed with a single wildcard label (e.g. \"*.foo.com\").\nThe wildcard character '*' must appear by itself as the first DNS label and\nmatches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\").\nRequests will be matched against the Host field in the following way:\n1. If host is precise, the request matches this rule if the http host header is equal to Host.\n2. If host is a wildcard, then the request matches this rule if the http host header\nis to equal to the suffix (removing the first label) of the wildcard rule." - type: string - http: - description: |- - HTTPIngressRuleValue is a list of http selectors pointing to backends. - In the example: http:///? 
-> backend where - where parts of the url correspond to RFC 3986, this resource will be used - to match against everything after the last '/' and before the first '?' - or '#'. - properties: - paths: - description: paths is a collection of paths that map requests to backends. - items: - description: |- - HTTPIngressPath associates a path with a backend. Incoming urls matching the - path are forwarded to the backend. - properties: - backend: - description: |- - backend defines the referenced service endpoint to which the traffic - will be forwarded to. - properties: - resource: - description: |- - resource is an ObjectRef to another Kubernetes resource in the namespace - of the Ingress object. If resource is specified, a service.Name and - service.Port must not be specified. - This is a mutually exclusive setting with "Service". - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - service: - description: |- - service references a service as a backend. - This is a mutually exclusive setting with "Resource". - properties: - name: - description: |- - name is the referenced service. The service must exist in - the same namespace as the Ingress object. - type: string - port: - description: |- - port of the referenced service. A port name or port number - is required for a IngressServiceBackend. - properties: - name: - description: |- - name is the name of the port on the Service. - This is a mutually exclusive setting with "Number". - type: string - number: - description: |- - number is the numerical port number (e.g. 
80) on the Service. - This is a mutually exclusive setting with "Name". - format: int32 - type: integer - type: object - x-kubernetes-map-type: atomic - required: - - name - type: object - type: object - path: - description: |- - path is matched against the path of an incoming request. Currently it can - contain characters disallowed from the conventional "path" part of a URL - as defined by RFC 3986. Paths must begin with a '/' and must be present - when using PathType with value "Exact" or "Prefix". - type: string - pathType: - description: |- - pathType determines the interpretation of the path matching. PathType can - be one of the following values: - * Exact: Matches the URL path exactly. - * Prefix: Matches based on a URL path prefix split by '/'. Matching is - done on a path element by element basis. A path element refers is the - list of labels in the path split by the '/' separator. A request is a - match for path p if every p is an element-wise prefix of p of the - request path. Note that if the last element of the path is a substring - of the last element in request path, it is not a match (e.g. /foo/bar - matches /foo/bar/baz, but does not match /foo/barbaz). - * ImplementationSpecific: Interpretation of the Path matching is up to - the IngressClass. Implementations can treat this as a separate PathType - or treat it identically to Prefix or Exact path types. - Implementations are required to support all path types. - type: string - required: - - backend - - pathType - type: object - type: array - x-kubernetes-list-type: atomic - required: - - paths - type: object - type: object - type: array - x-kubernetes-list-type: atomic - tls: - description: |- - tls represents the TLS configuration. Currently the Ingress only supports a - single TLS port, 443. 
If multiple members of this list specify different hosts, - they will be multiplexed on the same port according to the hostname specified - through the SNI TLS extension, if the ingress controller fulfilling the - ingress supports SNI. - items: - description: IngressTLS describes the transport layer security associated with an ingress. - properties: - hosts: - description: |- - hosts is a list of hosts included in the TLS certificate. The values in - this list must match the name/s used in the tlsSecret. Defaults to the - wildcard host setting for the loadbalancer controller fulfilling this - Ingress, if left unspecified. - items: - type: string - type: array - x-kubernetes-list-type: atomic - secretName: - description: |- - secretName is the name of the secret used to terminate TLS traffic on - port 443. Field is left optional to allow TLS routing based on SNI - hostname alone. If the SNI host in a listener conflicts with the "Host" - header field used by an IngressRule, the SNI host is used for termination - and value of the "Host" header is used for routing. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - jsonnet: - properties: - libraryLabelSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. 
- Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - persistentVolumeClaim: - description: PersistentVolumeClaim creates a PVC if you need to attach one to your grafana instance. - properties: - metadata: - description: ObjectMeta contains only a [subset of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#objectmeta-v1-meta). - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - spec: - properties: - accessModes: - items: - type: string - type: array - dataSource: - description: |- - TypedLocalObjectReference contains enough information to let you locate the - typed referenced object inside the same namespace. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. 
- type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - TypedLocalObjectReference contains enough information to let you locate the - typed referenced object inside the same namespace. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - resources: - description: ResourceRequirements describes the compute resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - type: string - volumeMode: - description: PersistentVolumeMode describes how a volume is intended to be consumed, either Block or Filesystem. - type: string - volumeName: - description: VolumeName is the binding reference to the PersistentVolume backing this claim. - type: string - type: object - type: object - preferences: - description: Preferences holds the Grafana Preferences settings - properties: - homeDashboardUid: - type: string - type: object - route: - description: Route sets how the ingress object should look like with your grafana instance, this only works in Openshift. - properties: - metadata: - description: ObjectMeta contains only a [subset of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#objectmeta-v1-meta). 
- properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - spec: - properties: - alternateBackends: - items: - description: |- - RouteTargetReference specifies the target that resolve into endpoints. Only the 'Service' - kind is allowed. Use 'weight' field to emphasize one over others. - properties: - kind: - default: Service - description: The kind of target that the route is referring to. Currently, only 'Service' is allowed - enum: - - Service - - "" - type: string - name: - description: name of the service/target that is being referred to. e.g. name of the service - minLength: 1 - type: string - weight: - default: 100 - description: |- - weight as an integer between 0 and 256, default 100, that specifies the target's relative weight - against other target reference objects. 0 suppresses requests to this backend. - format: int32 - maximum: 256 - minimum: 0 - type: integer - required: - - kind - - name - type: object - type: array - host: - type: string - path: - type: string - port: - description: RoutePort defines a port mapping from a router to an endpoint in the service endpoints. - properties: - targetPort: - anyOf: - - type: integer - - type: string - description: |- - The target port on pods selected by the service this route points to. - If this is a string, it will be looked up as a named port in the target - endpoints port list. Required - x-kubernetes-int-or-string: true - required: - - targetPort - type: object - subdomain: - type: string - tls: - description: TLSConfig defines config used to secure a route and provide termination - properties: - caCertificate: - description: caCertificate provides the cert authority certificate contents - type: string - certificate: - description: |- - certificate provides certificate contents. This should be a single serving certificate, not a certificate - chain. Do not include a CA certificate. 
- type: string - destinationCACertificate: - description: |- - destinationCACertificate provides the contents of the ca certificate of the final destination. When using reencrypt - termination this file should be provided in order to have routers use it for health checks on the secure connection. - If this field is not specified, the router may provide its own destination CA and perform hostname validation using - the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically - verify. - type: string - externalCertificate: - description: |- - externalCertificate provides certificate contents as a secret reference. - This should be a single serving certificate, not a certificate - chain. Do not include a CA certificate. The secret referenced should - be present in the same namespace as that of the Route. - Forbidden when `certificate` is set. - The router service account needs to be granted with read-only access to this secret, - please refer to openshift docs for additional details. - properties: - name: - description: |- - name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - insecureEdgeTerminationPolicy: - description: |- - insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While - each router may make its own decisions on which ports to expose, this is normally port 80. - - If a route does not specify insecureEdgeTerminationPolicy, then the default behavior is "None". - - * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only). - - * None - no traffic is allowed on the insecure port (default). - - * Redirect - clients are redirected to the secure port. 
- enum: - - Allow - - None - - Redirect - - "" - type: string - key: - description: key provides key file contents - type: string - termination: - description: |- - termination indicates termination type. - - * edge - TLS termination is done by the router and http is used to communicate with the backend (default) - * passthrough - Traffic is sent straight to the destination without the router providing TLS termination - * reencrypt - TLS termination is done by the router and https is used to communicate with the backend - - Note: passthrough termination is incompatible with httpHeader actions - enum: - - edge - - reencrypt - - passthrough - type: string - required: - - termination - type: object - x-kubernetes-validations: - - message: 'cannot have both spec.tls.termination: passthrough and spec.tls.insecureEdgeTerminationPolicy: Allow' - rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy) ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow'')) : true' - to: - description: |- - RouteTargetReference specifies the target that resolve into endpoints. Only the 'Service' - kind is allowed. Use 'weight' field to emphasize one over others. - properties: - kind: - default: Service - description: The kind of target that the route is referring to. Currently, only 'Service' is allowed - enum: - - Service - - "" - type: string - name: - description: name of the service/target that is being referred to. e.g. name of the service - minLength: 1 - type: string - weight: - default: 100 - description: |- - weight as an integer between 0 and 256, default 100, that specifies the target's relative weight - against other target reference objects. 0 suppresses requests to this backend. - format: int32 - maximum: 256 - minimum: 0 - type: integer - required: - - kind - - name - type: object - wildcardPolicy: - description: WildcardPolicyType indicates the type of wildcard support needed by routes. 
- type: string - type: object - type: object - service: - description: Service sets how the service object should look like with your grafana instance, contains a number of defaults. - properties: - metadata: - description: ObjectMeta contains only a [subset of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#objectmeta-v1-meta). - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - spec: - description: ServiceSpec describes the attributes that a user creates on a service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. 
Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. 
Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). 
Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. 
This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. 
If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's port. - properties: - appProtocol: - description: |- - The application protocol for this port. 
- This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this service. 
- format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. 
Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic - is distributed to Service endpoints. Implementations can use this field - as a hint, but are not required to guarantee strict adherence. If the - field is not set, the implementation will apply its default routing - strategy. If set to "PreferClose", implementations should prioritize - endpoints that are in the same zone. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. 
If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - serviceAccount: - description: ServiceAccount sets how the ServiceAccount object should look like with your grafana instance, contains a number of defaults. - properties: - automountServiceAccountToken: - type: boolean - imagePullSecrets: - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - metadata: - description: ObjectMeta contains only a [subset of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#objectmeta-v1-meta). 
- properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - secrets: - items: - description: ObjectReference contains enough information to let you inspect or modify the referred object. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - type: object - suspend: - description: Suspend pauses reconciliation of owned resources like deployments, Services, Etc. upon changes - type: boolean - version: - description: Version specifies the version of Grafana to use for this deployment. It follows the same format as the docker.io/grafana/grafana tags - type: string - type: object - status: - description: GrafanaStatus defines the observed state of Grafana - properties: - adminUrl: - type: string - alertRuleGroups: - items: - type: string - type: array - conditions: - items: - description: Condition contains details for one aspect of the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. 
- The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - contactPoints: - items: - type: string - type: array - dashboards: - items: - type: string - type: array - datasources: - items: - type: string - type: array - folders: - items: - type: string - type: array - lastMessage: - type: string - libraryPanels: - items: - type: string - type: array - muteTimings: - items: - type: string - type: array - notificationTemplates: - items: - type: string - type: array - serviceaccounts: - items: - type: string - type: array - stage: - type: string - stageStatus: - type: string - version: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: grafana-operator/charts/grafana-operator/charts/crds/crds/grafana.integreatly.org_grafanaserviceaccounts.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.3 - name: grafanaserviceaccounts.grafana.integreatly.org -spec: - group: grafana.integreatly.org - names: - categories: - - grafana-operator - kind: GrafanaServiceAccount - listKind: GrafanaServiceAccountList - plural: grafanaserviceaccounts - singular: grafanaserviceaccount - scope: Namespaced - versions: - - additionalPrinterColumns: - - format: date-time - jsonPath: .status.lastResync - name: Last 
resync - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: GrafanaServiceAccount is the Schema for the grafanaserviceaccounts - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GrafanaServiceAccountSpec defines the desired state of a - GrafanaServiceAccount. 
- properties: - instanceName: - description: Name of the Grafana instance to create the service account - for - minLength: 1 - type: string - x-kubernetes-validations: - - message: spec.instanceName is immutable - rule: self == oldSelf - isDisabled: - default: false - description: Whether the service account is disabled - type: boolean - name: - description: Name of the service account in Grafana - minLength: 1 - type: string - x-kubernetes-validations: - - message: spec.name is immutable - rule: self == oldSelf - resyncPeriod: - default: 10m0s - description: How often the resource is synced, defaults to 10m0s if - not set - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - x-kubernetes-validations: - - message: spec.resyncPeriod must be greater than 0 - rule: duration(self) > duration('0s') - role: - description: Role of the service account (Viewer, Editor, Admin) - enum: - - Viewer - - Editor - - Admin - type: string - suspend: - default: false - description: Suspend pauses reconciliation of the service account - type: boolean - tokens: - description: Tokens to create for the service account - items: - description: GrafanaServiceAccountTokenSpec defines a token for - a service account - properties: - expires: - description: Expiration date of the token. If not set, the token - never expires - format: date-time - type: string - name: - description: Name of the token - minLength: 1 - type: string - secretName: - description: Name of the secret to store the token. 
If not set, - a name will be generated - minLength: 1 - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - instanceName - - name - - role - type: object - status: - description: GrafanaServiceAccountStatus defines the observed state of - a GrafanaServiceAccount - properties: - account: - description: Info contains the Grafana service account information - properties: - id: - description: ID of the service account in Grafana - format: int64 - type: integer - isDisabled: - description: IsDisabled indicates if the service account is disabled - type: boolean - login: - type: string - name: - type: string - role: - description: Role is the Grafana role for the service account - (Viewer, Editor, Admin) - type: string - tokens: - description: Information about tokens - items: - description: GrafanaServiceAccountTokenStatus describes a token - created in Grafana. - properties: - expires: - description: |- - Expiration time of the token - N.B. There's possible discrepancy with the expiration time in spec - It happens because Grafana API accepts TTL in seconds then calculates the expiration time against the current time - format: date-time - type: string - id: - description: ID of the token in Grafana - format: int64 - type: integer - name: - type: string - secret: - description: Name of the secret containing the token - properties: - name: - type: string - namespace: - type: string - type: object - required: - - id - - name - type: object - type: array - required: - - id - - isDisabled - - login - - name - - role - type: object - conditions: - description: Results when synchonizing resource with Grafana instances - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. 
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastResync: - description: Last time the resource was synchronized with Grafana - instances - format: date-time - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: grafana-operator/charts/grafana-operator/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: grafana-operator - namespace: grafana-operator - labels: - helm.sh/chart: grafana-operator-v5.20.0 - app.kubernetes.io/name: grafana-operator - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.20.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: grafana-operator - app.kubernetes.io/component: operator -automountServiceAccountToken: true ---- -# Source: grafana-operator/charts/grafana-operator/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: grafana-operator - labels: - helm.sh/chart: grafana-operator-v5.20.0 - app.kubernetes.io/name: grafana-operator - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.20.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: grafana-operator - app.kubernetes.io/component: operator -rules: - - apiGroups: - - "" - resources: - - configmaps - - persistentvolumeclaims - - secrets - - serviceaccounts - - services - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - get - - list - - patch - - watch - - apiGroups: - - apps - resources: - - deployments - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - coordination.k8s.io - resources: - - leases 
- verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - grafana.integreatly.org - resources: - - grafanaalertrulegroups - - grafanacontactpoints - - grafanadashboards - - grafanadatasources - - grafanafolders - - grafanalibrarypanels - - grafanamutetimings - - grafananotificationpolicies - - grafananotificationpolicyroutes - - grafananotificationtemplates - - grafanas - - grafanaserviceaccounts - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - grafana.integreatly.org - resources: - - grafanaalertrulegroups/finalizers - - grafanacontactpoints/finalizers - - grafanadashboards/finalizers - - grafanadatasources/finalizers - - grafanafolders/finalizers - - grafanalibrarypanels/finalizers - - grafanamutetimings/finalizers - - grafananotificationpolicies/finalizers - - grafananotificationpolicyroutes/finalizers - - grafananotificationtemplates/finalizers - - grafanas/finalizers - - grafanaserviceaccounts/finalizers - verbs: - - update - - apiGroups: - - grafana.integreatly.org - resources: - - grafanaalertrulegroups/status - - grafanacontactpoints/status - - grafanadashboards/status - - grafanadatasources/status - - grafanafolders/status - - grafanalibrarypanels/status - - grafanamutetimings/status - - grafananotificationpolicies/status - - grafananotificationpolicyroutes/status - - grafananotificationtemplates/status - - grafanas/status - - grafanaserviceaccounts/status - verbs: - - get - - patch - - update - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -# Source: grafana-operator/charts/grafana-operator/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: grafana-operator - labels: - helm.sh/chart: grafana-operator-v5.20.0 - app.kubernetes.io/name: grafana-operator - app.kubernetes.io/instance: grafana-operator - 
app.kubernetes.io/version: "v5.20.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: grafana-operator - app.kubernetes.io/component: operator -subjects: - - kind: ServiceAccount - name: grafana-operator - namespace: grafana-operator -roleRef: - kind: ClusterRole - name: grafana-operator - apiGroup: rbac.authorization.k8s.io ---- -# Source: grafana-operator/charts/grafana-operator/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: grafana-operator-metrics-service - namespace: grafana-operator - labels: - helm.sh/chart: grafana-operator-v5.20.0 - app.kubernetes.io/name: grafana-operator - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.20.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: grafana-operator - app.kubernetes.io/component: operator -spec: - type: ClusterIP - ports: - - port: 9090 - targetPort: metrics - protocol: TCP - name: metrics - - port: 8888 - targetPort: pprof - protocol: TCP - name: pprof - selector: - app.kubernetes.io/name: grafana-operator - app.kubernetes.io/instance: grafana-operator ---- -# Source: grafana-operator/charts/grafana-operator/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: grafana-operator - namespace: grafana-operator - labels: - helm.sh/chart: grafana-operator-v5.20.0 - app.kubernetes.io/name: grafana-operator - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.20.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: grafana-operator - app.kubernetes.io/component: operator -spec: - replicas: 2 - selector: - matchLabels: - app.kubernetes.io/name: grafana-operator - app.kubernetes.io/instance: grafana-operator - template: - metadata: - labels: - helm.sh/chart: grafana-operator-v5.20.0 - app.kubernetes.io/name: grafana-operator - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.20.0" - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/part-of: grafana-operator - app.kubernetes.io/component: operator - spec: - serviceAccountName: grafana-operator - containers: - - name: grafana-operator - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: "ghcr.io/grafana/grafana-operator:v5.20.0" - imagePullPolicy: IfNotPresent - env: - - name: WATCH_NAMESPACE - value: - - name: WATCH_NAMESPACE_SELECTOR - value: "" - - name: WATCH_LABEL_SELECTORS - value: "" - - name: ENFORCE_CACHE_LABELS - value: "safe" - - - name: CLUSTER_DOMAIN - value: "" - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=0.0.0.0:9090 - - --pprof-addr=0.0.0.0:8888 - - --zap-encoder=console - - --zap-log-level=info - - --zap-time-encoding=rfc3339 - - --leader-elect - - --max-concurrent-reconciles=1 - volumeMounts: - - name: dashboards-dir - mountPath: /tmp/dashboards - ports: - - containerPort: 9090 - name: metrics - protocol: TCP - - containerPort: 8888 - name: pprof - protocol: TCP - livenessProbe: - httpGet: - path: /healthz - port: 8081 - readinessProbe: - httpGet: - path: /readyz - port: 8081 - resources: - requests: - cpu: 10m - memory: 64Mi - volumes: - - name: dashboards-dir - emptyDir: {} ---- -# Source: grafana-operator/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: grafana-operator-postgresql-17-cluster - namespace: grafana-operator - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: grafana-operator-postgresql-17 - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true 
- isWALArchiver: false - parameters: - barmanObjectName: "grafana-operator-postgresql-17-external-backup" - serverName: "grafana-operator-postgresql-17-backup-2" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "grafana-operator-postgresql-17-garage-local-backup" - serverName: "grafana-operator-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "grafana-operator-postgresql-17-recovery" - serverName: grafana-operator-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: grafana-operator-postgresql-17-backup-1 - - externalClusters: - - name: grafana-operator-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "grafana-operator-postgresql-17-recovery" - serverName: grafana-operator-postgresql-17-backup-1 ---- -# Source: grafana-operator/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: grafana-auth-secret - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-auth-secret - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - secretStoreRef: - kind: ClusterSecretStore - name: 
vault - data: - - secretKey: admin-user - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/grafana/auth - metadataPolicy: None - property: admin-user - - secretKey: admin-password - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/grafana/auth - metadataPolicy: None - property: admin-password ---- -# Source: grafana-operator/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: grafana-oauth-secret - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-oauth-secret - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: AUTH_CLIENT_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/grafana - metadataPolicy: None - property: client - - secretKey: AUTH_CLIENT_SECRET - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/grafana - metadataPolicy: None - property: secret ---- -# Source: grafana-operator/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: grafana-operator-postgresql-17-cluster-backup-secret - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-operator-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: 
grafana-operator/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: grafana-operator-postgresql-17-cluster-backup-secret-garage - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-operator-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: grafana-operator/templates/grafana.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: Grafana -metadata: - name: grafana-main - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-main - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator - app: grafana-main -spec: - config: - analytics: - enabled: "false" - check_for_updates: "false" - reporting_enabled: "false" - server: - domain: alexlebens.net - root_url: https://grafana.alexlebens.net - log: - mode: "console" - users: - auto_assign_org: "true" - auto_assign_org_id: "1" - auth: - disable_login_form: "true" - auto_login: "true" - signout_redirect_url: https://authentik.alexlebens.net/application/o/grafana/end-session/ - auth.generic_oauth: - enabled: "true" - name: Authentik - allow_sign_up: "true" - client_id: ${AUTH_CLIENT_ID} - client_secret: ${AUTH_CLIENT_SECRET} - scopes: openid profile email - 
auth_url: https://authentik.alexlebens.net/application/o/authorize/ - token_url: https://authentik.alexlebens.net/application/o/token/ - api_url: https://authentik.alexlebens.net/application/o/userinfo/ - role_attribute_path: contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer' - database: - type: postgres - host: "${DB_HOST}:${DB_PORT}" - name: ${DB_DATABASE} - user: ${DB_USER} - password: ${DB_PASSWORD} - remote_cache: - type: redis - connstr: addr=redis-replication-remote-cache-master.grafana-operator:6379,pool_size=100,db=0,ssl=false - unified_alerting: - enabled: "true" - ha_redis_address: redis-replication-unified-alerting-master.grafana-operator:6379 - deployment: - spec: - replicas: 3 - template: - spec: - containers: - - name: grafana - image: grafana/grafana:12.0.0 - resources: - requests: - cpu: 100m - memory: 128Mi - env: - - name: AUTH_CLIENT_ID - valueFrom: - secretKeyRef: - name: grafana-oauth-secret - key: AUTH_CLIENT_ID - - name: AUTH_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: grafana-oauth-secret - key: AUTH_CLIENT_SECRET - - name: ADMIN_USER - valueFrom: - secretKeyRef: - name: grafana-auth-secret - key: admin-user - - name: ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: grafana-auth-secret - key: admin-password - - name: DB_HOST - valueFrom: - secretKeyRef: - name: grafana-operator-postgresql-17-cluster-app - key: host - - name: DB_DATABASE - valueFrom: - secretKeyRef: - name: grafana-operator-postgresql-17-cluster-app - key: dbname - - name: DB_PORT - valueFrom: - secretKeyRef: - name: grafana-operator-postgresql-17-cluster-app - key: port - - name: DB_USER - valueFrom: - secretKeyRef: - name: grafana-operator-postgresql-17-cluster-app - key: user - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: grafana-operator-postgresql-17-cluster-app - key: password ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 
-kind: GrafanaDashboard -metadata: - name: grafana-dashboard-ceph - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-ceph - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-system - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/ceph.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-coredns - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-coredns - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-system - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/coredns.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-etcd - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-etcd - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-system - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/etcd.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-garage - namespace: grafana-operator - labels: - app.kubernetes.io/name: 
grafana-dashboard-garage - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-system - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/garage.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-loki - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-loki - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-system - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/loki.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-node-full - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-node-full - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-system - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/node-full.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-node-short - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-node-short - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - 
instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-system - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/node-short.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-argocd - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-argocd - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-service - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/argocd.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-blocky - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-blocky - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-service - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/blocky.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-cert-manager - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-cert-manager - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-service - 
resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/cert-manager.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-cloudnative-pg - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-cloudnative-pg - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-service - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/cloudnative-pg.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-descheduler - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-descheduler - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-service - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/descheduler.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-gatus - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-gatus - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-service - resyncPeriod: 1h - url: 
http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/gatus.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-operator - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-operator - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-service - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/grafana-operator.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-harbor - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-harbor - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-service - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/harbor.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-redis-replication - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-redis-replication - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-service - resyncPeriod: 1h - url: 
http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/redis-replication.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-redis-operator - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-redis-operator - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-service - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/redis-operator.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-speedtest-exporter - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-speedtest-exporter - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-service - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/speedtest-exporter.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-spegel - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-spegel - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-service - resyncPeriod: 1h - url: 
http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/spegel.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-traefik - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-traefik - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-service - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/traefik.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-trivy - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-trivy - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-service - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/trivy.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-unpoller - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-unpoller - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-service - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/unpoller.json ---- -# Source: 
grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-volsync - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-volsync - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-service - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/volsync.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-s3 - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-s3 - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-platform - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/s3.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-authentik - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-authentik - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-platform - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/authentik.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - 
name: grafana-dashboard-gitea - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-gitea - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-platform - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/gitea.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-ntfy - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-ntfy - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-platform - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/ntfy.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-qbittorrent - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-qbittorrent - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-platform - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/qbittorrent.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-vault - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-vault - 
app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-platform - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/vault.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-airgradient - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-airgradient - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-iot - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/iot/airgradient.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-server-power-consumption - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-server-power-consumption - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-iot - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/iot/server-power-consumption.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-immich - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-immich - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: 
grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-application - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/application/immich.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-radarr - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-radarr - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-application - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/application/radarr.json ---- -# Source: grafana-operator/templates/grafana-dashboard.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: grafana-dashboard-sonarr - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-dashboard-sonarr - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - contentCacheDuration: 1h - folderUID: grafana-folder-application - resyncPeriod: 1h - url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/application/sonarr.json ---- -# Source: grafana-operator/templates/grafana-datasource.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDatasource -metadata: - name: grafana-datasource-prometheus - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-datasource-prometheus - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - datasource: - name: Prometheus - type: prometheus - url: 
http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090/ - access: proxy - isDefault: true - jsonData: - timeInterval: 30s - instanceSelector: - matchLabels: - app: grafana-main - plugins: - - name: camptocamp-prometheus-alertmanager-datasource - version: 2.1.0 - resyncPeriod: 30s - uid: kube-prometheus-stack ---- -# Source: grafana-operator/templates/grafana-datasource.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDatasource -metadata: - name: grafana-datasource-loki - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-datasource-loki - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - datasource: - name: Loki - type: loki - url: http://loki.loki:3100/ - access: proxy - instanceSelector: - matchLabels: - app: grafana-main - resyncPeriod: 30s - uid: loki ---- -# Source: grafana-operator/templates/grafana-folder.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaFolder -metadata: - name: grafana-folder-application - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-folder-application - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - title: Application - uid: grafana-folder-application - resyncPeriod: 30s - permissions: | - { - "items": [ - { - "role": "Admin", - "permission": 4 - }, - { - "role": "Editor", - "permission": 2 - }, - { - "role": "Viewer", - "permission": 1 - } - ] - } ---- -# Source: grafana-operator/templates/grafana-folder.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaFolder -metadata: - name: grafana-folder-iot - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-folder-iot - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - title: IoT - uid: grafana-folder-iot - 
resyncPeriod: 30s - permissions: | - { - "items": [ - { - "role": "Admin", - "permission": 4 - }, - { - "role": "Editor", - "permission": 2 - }, - { - "role": "Viewer", - "permission": 1 - } - ] - } ---- -# Source: grafana-operator/templates/grafana-folder.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaFolder -metadata: - name: grafana-folder-platform - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-folder-platform - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - title: Platform - uid: grafana-folder-platform - resyncPeriod: 30s - permissions: | - { - "items": [ - { - "role": "Admin", - "permission": 4 - }, - { - "role": "Editor", - "permission": 2 - }, - { - "role": "Viewer", - "permission": 1 - } - ] - } ---- -# Source: grafana-operator/templates/grafana-folder.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaFolder -metadata: - name: grafana-folder-service - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-folder-service - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app: grafana-main - title: Service - uid: grafana-folder-service - resyncPeriod: 30s - permissions: | - { - "items": [ - { - "role": "Admin", - "permission": 4 - }, - { - "role": "Editor", - "permission": 2 - }, - { - "role": "Viewer", - "permission": 1 - } - ] - } ---- -# Source: grafana-operator/templates/grafana-folder.yaml -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaFolder -metadata: - name: grafana-folder-system - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-folder-system - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - instanceSelector: - matchLabels: - app.kubernetes.io/name: grafana-main - title: System - uid: 
grafana-folder-system - resyncPeriod: 30s - permissions: | - { - "items": [ - { - "role": "Admin", - "permission": 4 - }, - { - "role": "Editor", - "permission": 2 - }, - { - "role": "Viewer", - "permission": 1 - } - ] - } ---- -# Source: grafana-operator/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-grafana - namespace: grafana-operator - labels: - app.kubernetes.io/name: http-route-grafana - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - grafana.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: grafana-main-service - port: 3000 - weight: 100 ---- -# Source: grafana-operator/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "grafana-operator-postgresql-17-external-backup" - namespace: grafana-operator - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: grafana-operator-postgresql-17 - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/grafana-operator/grafana-operator-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: grafana-operator-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: grafana-operator-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: grafana-operator/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: 
- name: "grafana-operator-postgresql-17-garage-local-backup" - namespace: grafana-operator - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: grafana-operator-postgresql-17 - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/grafana-operator/grafana-operator-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: grafana-operator-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: grafana-operator-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: grafana-operator-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: grafana-operator/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "grafana-operator-postgresql-17-recovery" - namespace: grafana-operator - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: grafana-operator-postgresql-17 - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/grafana-operator/grafana-operator-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: grafana-operator-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: grafana-operator-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: grafana-operator/charts/postgres-17-cluster/templates/prometheus-rule.yaml 
-apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: grafana-operator-postgresql-17-alert-rules - namespace: grafana-operator - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: grafana-operator-postgresql-17 - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/grafana-operator-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: grafana-operator - cnpg_cluster: grafana-operator-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: grafana-operator - cnpg_cluster: grafana-operator-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. 
The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="grafana-operator"} - cnpg_pg_replication_is_wal_receiver_up{namespace="grafana-operator"}) < 1 - for: 5m - labels: - severity: critical - namespace: grafana-operator - cnpg_cluster: grafana-operator-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="grafana-operator"} - cnpg_pg_replication_is_wal_receiver_up{namespace="grafana-operator"}) < 2 - for: 5m - labels: - severity: warning - namespace: grafana-operator - cnpg_cluster: grafana-operator-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! 
- description: |- - CloudNativePG Cluster "grafana-operator/grafana-operator-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="grafana-operator", pod=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="grafana-operator", pod=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: grafana-operator - cnpg_cluster: grafana-operator-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "grafana-operator/grafana-operator-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="grafana-operator", pod=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="grafana-operator", pod=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: grafana-operator - cnpg_cluster: grafana-operator-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "grafana-operator/grafana-operator-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. 
- - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="grafana-operator",pod=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: grafana-operator - cnpg_cluster: grafana-operator-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "grafana-operator/grafana-operator-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="grafana-operator", pod=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: grafana-operator - cnpg_cluster: grafana-operator-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: grafana-operator - cnpg_cluster: grafana-operator-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! 
- description: |- - CloudNativePG Cluster "grafana-operator/grafana-operator-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="grafana-operator", persistentvolumeclaim=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="grafana-operator", persistentvolumeclaim=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="grafana-operator", persistentvolumeclaim=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="grafana-operator", persistentvolumeclaim=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="grafana-operator", persistentvolumeclaim=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="grafana-operator", persistentvolumeclaim=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: grafana-operator - cnpg_cluster: grafana-operator-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "grafana-operator/grafana-operator-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="grafana-operator", persistentvolumeclaim=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="grafana-operator", persistentvolumeclaim=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="grafana-operator", persistentvolumeclaim=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="grafana-operator", persistentvolumeclaim=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="grafana-operator", persistentvolumeclaim=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="grafana-operator", persistentvolumeclaim=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: grafana-operator - cnpg_cluster: grafana-operator-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "grafana-operator/grafana-operator-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="grafana-operator",pod=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: grafana-operator - cnpg_cluster: grafana-operator-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: grafana-operator - cnpg_cluster: grafana-operator-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: grafana-operator - cnpg_cluster: grafana-operator-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: grafana-operator - cnpg_cluster: grafana-operator-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "grafana-operator/grafana-operator-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="grafana-operator", pod=~"grafana-operator-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: grafana-operator - cnpg_cluster: grafana-operator-postgresql-17-cluster ---- -# Source: grafana-operator/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-unified-alerting - namespace: grafana-operator - labels: - app.kubernetes.io/name: redis-replication-unified-alerting - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.0.3 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi - redisExporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.48.0 ---- -# Source: grafana-operator/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-remote-cache - namespace: grafana-operator - labels: - app.kubernetes.io/name: redis-replication-remote-cache - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.0.3 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - volumeClaimTemplate: - spec: - 
storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi - redisExporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.48.0 ---- -# Source: grafana-operator/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "grafana-operator-postgresql-17-daily-backup-scheduled-backup" - namespace: grafana-operator - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: grafana-operator-postgresql-17 - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: grafana-operator-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "grafana-operator-postgresql-17-external-backup" ---- -# Source: grafana-operator/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "grafana-operator-postgresql-17-live-backup-scheduled-backup" - namespace: grafana-operator - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: grafana-operator-postgresql-17 - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: grafana-operator-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "grafana-operator-postgresql-17-garage-local-backup" ---- -# Source: grafana-operator/charts/grafana-operator/templates/servicemonitor.yaml 
-apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: grafana-operator - namespace: grafana-operator - labels: - helm.sh/chart: grafana-operator-v5.20.0 - app.kubernetes.io/name: grafana-operator - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.20.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: grafana-operator - app.kubernetes.io/component: operator -spec: - jobLabel: grafana-operator - namespaceSelector: - matchNames: - - grafana-operator - selector: - matchLabels: - app.kubernetes.io/name: grafana-operator - app.kubernetes.io/instance: grafana-operator - endpoints: - - port: metrics - path: /metrics - interval: 1m - scrapeTimeout: 10s ---- -# Source: grafana-operator/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: redis-replication-grafana-operator - namespace: grafana-operator - labels: - app.kubernetes.io/name: redis-replication-grafana-operator - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator - redis-operator: "true" - env: production -spec: - selector: - matchLabels: - redis_setup_type: replication - endpoints: - - port: redis-exporter - interval: 30s - scrapeTimeout: 10s diff --git a/clusters/cl01tl/manifests/harbor/harbor.yaml b/clusters/cl01tl/manifests/harbor/harbor.yaml deleted file mode 100644 index 523e791d2..000000000 --- a/clusters/cl01tl/manifests/harbor/harbor.yaml +++ /dev/null 
@@ -1,2660 +0,0 @@ ---- -# Source: harbor/charts/harbor/templates/core/core-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: harbor-core - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -type: Opaque -data: ---- -# Source: harbor/charts/harbor/templates/exporter/exporter-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: harbor-exporter - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -type: Opaque -data: ---- -# Source: harbor/charts/harbor/templates/jobservice/jobservice-secrets.yaml -apiVersion: v1 -kind: Secret -metadata: - name: "harbor-jobservice" - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -type: Opaque -data: ---- -# Source: harbor/charts/harbor/templates/nginx/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: harbor-nginx - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -type: Opaque -data: - tls.crt: "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" - tls.key: "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" - ca.crt: "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" ---- -# Source: 
harbor/charts/harbor/templates/registry/registry-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: "harbor-registry" - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -type: Opaque -data: - REGISTRY_REDIS_PASSWORD: "" ---- -# Source: harbor/charts/harbor/templates/registry/registryctl-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: "harbor-registryctl" - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -type: Opaque -data: ---- -# Source: harbor/charts/harbor/templates/trivy/trivy-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: harbor-trivy - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -type: Opaque -data: - redisURL: cmVkaXM6Ly9yZWRpcy1yZXBsaWNhdGlvbi1oYXJib3ItbWFzdGVyLmhhcmJvcjo2Mzc5LzU/aWRsZV90aW1lb3V0X3NlY29uZHM9MzA= - gitHubToken: "" ---- -# Source: harbor/charts/harbor/templates/core/core-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: harbor-core - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -data: - app.conf: |+ - appname = Harbor - runmode = prod - enablegzip = true - - [prod] - httpport = 8080 - 
PORT: "8080" - DATABASE_TYPE: "postgresql" - POSTGRESQL_HOST: "harbor-postgresql-17-cluster-rw" - POSTGRESQL_PORT: "5432" - POSTGRESQL_USERNAME: "app" - POSTGRESQL_DATABASE: "app" - POSTGRESQL_SSLMODE: "disable" - POSTGRESQL_MAX_IDLE_CONNS: "100" - POSTGRESQL_MAX_OPEN_CONNS: "900" - EXT_ENDPOINT: "https://harbor.alexlebens.net" - CORE_URL: "http://harbor-core:80" - JOBSERVICE_URL: "http://harbor-jobservice" - REGISTRY_URL: "http://harbor-registry:5000" - TOKEN_SERVICE_URL: "http://harbor-core:80/service/token" - CORE_LOCAL_URL: "http://127.0.0.1:8080" - WITH_TRIVY: "true" - TRIVY_ADAPTER_URL: "http://harbor-trivy:8080" - REGISTRY_STORAGE_PROVIDER_NAME: "filesystem" - LOG_LEVEL: "info" - CONFIG_PATH: "/etc/core/app.conf" - CHART_CACHE_DRIVER: "redis" - _REDIS_URL_CORE: "redis://redis-replication-harbor-master.harbor:6379/0?idle_timeout_seconds=30" - _REDIS_URL_REG: "redis://redis-replication-harbor-master.harbor:6379/2?idle_timeout_seconds=30" - PORTAL_URL: "http://harbor-portal" - REGISTRY_CONTROLLER_URL: "http://harbor-registry:8080" - REGISTRY_CREDENTIAL_USERNAME: "harbor_registry_user" - HTTP_PROXY: "" - HTTPS_PROXY: "" - NO_PROXY: "harbor-core,harbor-jobservice,harbor-database,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal" - PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,ali-acr,aws-ecr,google-gcr,docker-registry,github-ghcr,jfrog-artifactory" - REPLICATION_ADAPTER_WHITELIST: "ali-acr,aws-ecr,azure-acr,docker-hub,docker-registry,github-ghcr,google-gcr,harbor,huawei-SWR,jfrog-artifactory,tencent-tcr,volcengine-cr" - METRIC_ENABLE: "true" - METRIC_PATH: "/metrics" - METRIC_PORT: "8001" - METRIC_NAMESPACE: harbor - METRIC_SUBSYSTEM: core - CACHE_ENABLED: "true" - CACHE_EXPIRE_HOURS: "24" - QUOTA_UPDATE_PROVIDER: "db" ---- -# Source: harbor/charts/harbor/templates/exporter/exporter-cm-env.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: "harbor-exporter-env" - namespace: "harbor" - 
labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -data: - HTTP_PROXY: "" - HTTPS_PROXY: "" - NO_PROXY: "harbor-core,harbor-jobservice,harbor-database,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal" - LOG_LEVEL: "info" - HARBOR_EXPORTER_PORT: "8001" - HARBOR_EXPORTER_METRICS_PATH: "/metrics" - HARBOR_EXPORTER_METRICS_ENABLED: "true" - HARBOR_EXPORTER_CACHE_TIME: "23" - HARBOR_EXPORTER_CACHE_CLEAN_INTERVAL: "14400" - HARBOR_METRIC_NAMESPACE: harbor - HARBOR_METRIC_SUBSYSTEM: exporter - HARBOR_REDIS_URL: "redis://redis-replication-harbor-master.harbor:6379/1" - HARBOR_REDIS_NAMESPACE: harbor_job_service_namespace - HARBOR_REDIS_TIMEOUT: "3600" - HARBOR_SERVICE_SCHEME: "http" - HARBOR_SERVICE_HOST: "harbor-core" - HARBOR_SERVICE_PORT: "80" - HARBOR_DATABASE_HOST: "harbor-postgresql-17-cluster-rw" - HARBOR_DATABASE_PORT: "5432" - HARBOR_DATABASE_USERNAME: "app" - HARBOR_DATABASE_DBNAME: "app" - HARBOR_DATABASE_SSLMODE: "disable" - HARBOR_DATABASE_MAX_IDLE_CONNS: "100" - HARBOR_DATABASE_MAX_OPEN_CONNS: "900" ---- -# Source: harbor/charts/harbor/templates/jobservice/jobservice-cm-env.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: "harbor-jobservice-env" - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -data: - CORE_URL: "http://harbor-core:80" - TOKEN_SERVICE_URL: "http://harbor-core:80/service/token" - REGISTRY_URL: "http://harbor-registry:5000" - REGISTRY_CONTROLLER_URL: "http://harbor-registry:8080" - REGISTRY_CREDENTIAL_USERNAME: "harbor_registry_user" - - 
JOBSERVICE_WEBHOOK_JOB_MAX_RETRY: "3" - JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT: "3" - - LOG_LEVEL: "info" - HTTP_PROXY: "" - HTTPS_PROXY: "" - NO_PROXY: "harbor-core,harbor-jobservice,harbor-database,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal" - METRIC_NAMESPACE: harbor - METRIC_SUBSYSTEM: jobservice - _REDIS_URL_CORE: "redis://redis-replication-harbor-master.harbor:6379/0?idle_timeout_seconds=30" - CACHE_ENABLED: "true" - CACHE_EXPIRE_HOURS: "24" ---- -# Source: harbor/charts/harbor/templates/jobservice/jobservice-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: "harbor-jobservice" - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -data: - config.yml: |+ - #Server listening port - protocol: "http" - port: 8080 - worker_pool: - workers: 10 - backend: "redis" - redis_pool: - redis_url: "redis://redis-replication-harbor-master.harbor:6379/1" - namespace: "harbor_job_service_namespace" - idle_timeout_second: 3600 - job_loggers: - - name: "STD_OUTPUT" - level: INFO - metric: - enabled: true - path: /metrics - port: 8001 - #Loggers for the job service - loggers: - - name: "STD_OUTPUT" - level: INFO - reaper: - # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 - max_update_hours: 24 - # the max time for execution in running state without new task created - max_dangling_hours: 168 ---- -# Source: harbor/charts/harbor/templates/nginx/configmap-https.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: harbor-nginx - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - 
app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -data: - nginx.conf: |+ - worker_processes auto; - pid /tmp/nginx.pid; - - events { - worker_connections 3096; - use epoll; - multi_accept on; - } - - http { - client_body_temp_path /tmp/client_body_temp; - proxy_temp_path /tmp/proxy_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - tcp_nodelay on; - - # this is necessary for us to be able to disable request buffering in all cases - proxy_http_version 1.1; - - upstream core { - server "harbor-core:80"; - } - - upstream portal { - server "harbor-portal:80"; - } - - log_format timed_combined '[$time_local]:$remote_addr - ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent" ' - '$request_time $upstream_response_time $pipe'; - - access_log /dev/stdout timed_combined; - - map $http_x_forwarded_proto $x_forwarded_proto { - default $http_x_forwarded_proto; - "" $scheme; - } - - server { - listen 8443 ssl; - # server_name harbordomain.com; - server_tokens off; - # SSL - ssl_certificate /etc/nginx/cert/tls.crt; - ssl_certificate_key /etc/nginx/cert/tls.key; - - # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - - # disable any limits to avoid HTTP 413 for large image uploads - client_max_body_size 0; - - # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) - chunked_transfer_encoding on; - - # Add extra headers - add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; - add_header X-Frame-Options DENY; - add_header Content-Security-Policy "frame-ancestors 'none'"; - - location / { - proxy_pass 
http://portal/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $x_forwarded_proto; - - proxy_cookie_path / "/; HttpOnly; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /api/ { - proxy_pass http://core/api/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $x_forwarded_proto; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /c/ { - proxy_pass http://core/c/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $x_forwarded_proto; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /v1/ { - return 404; - } - - location /v2/ { - proxy_pass http://core/v2/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $x_forwarded_proto; - proxy_buffering off; - proxy_request_buffering off; - proxy_send_timeout 900; - proxy_read_timeout 900; - } - - location /service/ { - proxy_pass http://core/service/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $x_forwarded_proto; - - proxy_cookie_path / "/; Secure"; - - proxy_buffering off; - proxy_request_buffering off; - } - - location /service/notifications { - return 404; - } - } - server { - listen 8080; - #server_name harbordomain.com; - return 301 https://$host$request_uri; - } - } ---- -# Source: harbor/charts/harbor/templates/portal/configmap.yaml 
-apiVersion: v1 -kind: ConfigMap -metadata: - name: "harbor-portal" - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -data: - nginx.conf: |+ - worker_processes auto; - pid /tmp/nginx.pid; - events { - worker_connections 1024; - } - http { - client_body_temp_path /tmp/client_body_temp; - proxy_temp_path /tmp/proxy_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - server { - listen 8080; - server_name localhost; - root /usr/share/nginx/html; - index index.html index.htm; - include /etc/nginx/mime.types; - gzip on; - gzip_min_length 1000; - gzip_proxied expired no-cache no-store private auth; - gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; - location /devcenter-api-2.0 { - try_files $uri $uri/ /swagger-ui-index.html; - } - location / { - try_files $uri $uri/ /index.html; - } - location = /index.html { - add_header Cache-Control "no-store, no-cache, must-revalidate"; - } - } - } ---- -# Source: harbor/charts/harbor/templates/registry/registry-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: "harbor-registry" - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -data: - config.yml: |+ - version: 0.1 - log: - level: info - fields: - service: registry - storage: - filesystem: - rootdirectory: /storage - cache: - layerinfo: redis - maintenance: - uploadpurging: - enabled: true - age: 72h - interval: 24h - dryrun: false - delete: - enabled: 
true - redirect: - disable: false - redis: - addr: redis-replication-harbor-master.harbor:6379 - db: 2 - readtimeout: 10s - writetimeout: 10s - dialtimeout: 10s - enableTLS: false - pool: - maxidle: 100 - maxactive: 500 - idletimeout: 60s - http: - addr: :5000 - relativeurls: true - # set via environment variable - # secret: placeholder - debug: - addr: :8001 - prometheus: - enabled: true - path: /metrics - auth: - htpasswd: - realm: harbor-registry-basic-realm - path: /etc/registry/passwd - validation: - disabled: true - compatibility: - schema1: - enabled: true - ctl-config.yml: |+ - --- - protocol: "http" - port: 8080 - log_level: info - registry_config: "/etc/registry/config.yml" ---- -# Source: harbor/charts/harbor/templates/registry/registryctl-cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: "harbor-registryctl" - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -data: ---- -# Source: harbor/charts/harbor/templates/registry/registry-pvc.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: harbor-registry - namespace: "harbor" - annotations: - helm.sh/resource-policy: keep - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" - component: registry - app.kubernetes.io/component: registry -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 100Gi - storageClassName: ceph-block ---- -# Source: harbor/charts/harbor/templates/core/core-svc.yaml -apiVersion: v1 -kind: Service -metadata: - name: harbor-core - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - 
app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -spec: - ports: - - name: http-web - port: 80 - targetPort: 8080 - - name: http-metrics - port: 8001 - selector: - release: harbor - app: "harbor" - component: core ---- -# Source: harbor/charts/harbor/templates/exporter/exporter-svc.yaml -apiVersion: v1 -kind: Service -metadata: - name: "harbor-exporter" - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -spec: - ports: - - name: http-metrics - port: 8001 - selector: - release: harbor - app: "harbor" - component: exporter ---- -# Source: harbor/charts/harbor/templates/jobservice/jobservice-svc.yaml -apiVersion: v1 -kind: Service -metadata: - name: "harbor-jobservice" - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -spec: - ports: - - name: http-jobservice - port: 80 - targetPort: 8080 - - name: http-metrics - port: 8001 - selector: - release: harbor - app: "harbor" - component: jobservice ---- -# Source: harbor/charts/harbor/templates/nginx/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: harbor - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -spec: - type: ClusterIP - ports: - - name: http - port: 80 - targetPort: 8080 - - name: 
https - port: 443 - targetPort: 8443 - selector: - release: harbor - app: "harbor" - component: nginx ---- -# Source: harbor/charts/harbor/templates/portal/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: "harbor-portal" - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -spec: - ports: - - port: 80 - targetPort: 8080 - selector: - release: harbor - app: "harbor" - component: portal ---- -# Source: harbor/charts/harbor/templates/registry/registry-svc.yaml -apiVersion: v1 -kind: Service -metadata: - name: "harbor-registry" - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -spec: - ports: - - name: http-registry - port: 5000 - - - name: http-controller - port: 8080 - - name: http-metrics - port: 8001 - selector: - release: harbor - app: "harbor" - component: registry ---- -# Source: harbor/charts/harbor/templates/trivy/trivy-svc.yaml -apiVersion: v1 -kind: Service -metadata: - name: "harbor-trivy" - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -spec: - ports: - - name: http-trivy - protocol: TCP - port: 8080 - selector: - release: harbor - app: "harbor" - component: trivy ---- -# Source: harbor/charts/harbor/templates/core/core-dpl.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: harbor-core - namespace: "harbor" - labels: - heritage: Helm - release: harbor - 
chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" - component: core - app.kubernetes.io/component: core -spec: - replicas: 2 - revisionHistoryLimit: 10 - selector: - matchLabels: - release: harbor - app: "harbor" - component: core - template: - metadata: - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" - component: core - app.kubernetes.io/component: core - annotations: - checksum/configmap: 2ab1f59e0aae82905a44ed3392436bca450fadb6f9db40cba116688647e9673e - checksum/secret: 5e00a5c189bdc7836b8fa02b61f7369eef2d6813f8d4b425beac262244f541a0 - checksum/secret-jobservice: 38121c345921c661c7e6f9de4bb5f6446c41c255babf1b8416a36627193ed5a7 - spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 - automountServiceAccountToken: false - terminationGracePeriodSeconds: 120 - containers: - - name: core - image: goharbor/harbor-core:v2.14.1 - imagePullPolicy: IfNotPresent - startupProbe: - httpGet: - path: /api/v2.0/ping - scheme: HTTP - port: 8080 - failureThreshold: 360 - initialDelaySeconds: 10 - periodSeconds: 10 - livenessProbe: - httpGet: - path: /api/v2.0/ping - scheme: HTTP - port: 8080 - failureThreshold: 2 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /api/v2.0/ping - scheme: HTTP - port: 8080 - failureThreshold: 2 - periodSeconds: 10 - envFrom: - - configMapRef: - name: "harbor-core" - - secretRef: - name: "harbor-core" - env: - - name: CORE_SECRET - valueFrom: - secretKeyRef: - name: harbor-secret - key: secret - - name: JOBSERVICE_SECRET - valueFrom: - secretKeyRef: - name: harbor-secret - key: JOBSERVICE_SECRET - - name: HARBOR_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: 
harbor-secret - key: HARBOR_ADMIN_PASSWORD - - name: POSTGRESQL_PASSWORD - valueFrom: - secretKeyRef: - name: harbor-postgresql-17-cluster-app - key: password - - name: REGISTRY_CREDENTIAL_PASSWORD - valueFrom: - secretKeyRef: - name: harbor-secret - key: REGISTRY_PASSWD - - name: CSRF_KEY - valueFrom: - secretKeyRef: - name: harbor-secret - key: CSRF_KEY - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - ports: - - containerPort: 8080 - volumeMounts: - - name: config - mountPath: /etc/core/app.conf - subPath: app.conf - - name: secret-key - mountPath: /etc/core/key - subPath: key - - name: token-service-private-key - mountPath: /etc/core/private_key.pem - subPath: tls.key - - name: ca-download - mountPath: /etc/core/ca - - name: psc - mountPath: /etc/core/token - volumes: - - name: config - configMap: - name: harbor-core - items: - - key: app.conf - path: app.conf - - name: secret-key - secret: - secretName: harbor-secret - items: - - key: secretKey - path: key - - name: token-service-private-key - secret: - secretName: harbor-secret - - name: ca-download - secret: - secretName: harbor-nginx - - name: psc - emptyDir: {} ---- -# Source: harbor/charts/harbor/templates/exporter/exporter-dpl.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: harbor-exporter - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" - component: exporter - app.kubernetes.io/component: exporter -spec: - replicas: 2 - revisionHistoryLimit: 10 - selector: - matchLabels: - release: harbor - app: "harbor" - component: exporter - template: - metadata: - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - 
app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" - component: exporter - app.kubernetes.io/component: exporter - annotations: - checksum/configmap: a3f8e56f85d2e991fa50b6a694cd385741220bafa53790826d86cc3301097bdd - checksum/secret: ee0f7cc018ee30f536120b83238e2679ba83ac6fb0a47f5319ec09ddd21e7a46 - spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 - automountServiceAccountToken: false - containers: - - name: exporter - image: goharbor/harbor-exporter:v2.14.1 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8001 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - port: 8001 - initialDelaySeconds: 30 - periodSeconds: 10 - args: ["-log-level", "info"] - envFrom: - - configMapRef: - name: "harbor-exporter-env" - - secretRef: - name: "harbor-exporter" - env: - - name: HARBOR_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: harbor-postgresql-17-cluster-app - key: password - - name: HARBOR_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: harbor-secret - key: HARBOR_ADMIN_PASSWORD - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - ports: - - containerPort: 8001 - volumeMounts: - volumes: - - name: config - secret: - secretName: "harbor-exporter" ---- -# Source: harbor/charts/harbor/templates/jobservice/jobservice-dpl.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "harbor-jobservice" - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" - component: jobservice - app.kubernetes.io/component: jobservice -spec: - 
replicas: 2 - revisionHistoryLimit: 10 - strategy: - type: Recreate - rollingUpdate: null - selector: - matchLabels: - release: harbor - app: "harbor" - component: jobservice - template: - metadata: - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" - component: jobservice - app.kubernetes.io/component: jobservice - annotations: - checksum/configmap: 02840b388e1331297a14b21ecc01301f71b3dd10b0c3e8ba7f33e106740caa1e - checksum/configmap-env: 70eaac0af19c1296afdd9b67e01e3732a4bde89f91e5fbb376e531a67bdf1986 - checksum/secret: 38121c345921c661c7e6f9de4bb5f6446c41c255babf1b8416a36627193ed5a7 - checksum/secret-core: 5e00a5c189bdc7836b8fa02b61f7369eef2d6813f8d4b425beac262244f541a0 - spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 - automountServiceAccountToken: false - terminationGracePeriodSeconds: 120 - containers: - - name: jobservice - image: goharbor/harbor-jobservice:v2.14.1 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/v1/stats - scheme: HTTP - port: 8080 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /api/v1/stats - scheme: HTTP - port: 8080 - initialDelaySeconds: 20 - periodSeconds: 10 - env: - - name: CORE_SECRET - valueFrom: - secretKeyRef: - name: harbor-secret - key: secret - - name: JOBSERVICE_SECRET - valueFrom: - secretKeyRef: - name: harbor-secret - key: JOBSERVICE_SECRET - - name: REGISTRY_CREDENTIAL_PASSWORD - valueFrom: - secretKeyRef: - name: harbor-secret - key: REGISTRY_PASSWD - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - envFrom: - - configMapRef: - name: "harbor-jobservice-env" - - secretRef: - name: "harbor-jobservice" - ports: - - containerPort: 
8080 - volumeMounts: - - name: jobservice-config - mountPath: /etc/jobservice/config.yml - subPath: config.yml - - name: job-logs - mountPath: /var/log/jobs - subPath: - volumes: - - name: jobservice-config - configMap: - name: "harbor-jobservice" - - name: job-logs - emptyDir: {} ---- -# Source: harbor/charts/harbor/templates/nginx/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: harbor-nginx - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" - component: nginx - app.kubernetes.io/component: nginx -spec: - replicas: 0 - revisionHistoryLimit: 10 - selector: - matchLabels: - release: harbor - app: "harbor" - component: nginx - template: - metadata: - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" - component: nginx - app.kubernetes.io/component: nginx - annotations: - checksum/configmap: 55921b41f4478ded4d60da7edb83b828382ba722214816271ce3ffd2a77aed35 - checksum/secret: a60583d64d5f3610d2581d66278105ccdaaf2a48330cce7969ccffd7e52eba48 - spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 - automountServiceAccountToken: false - containers: - - name: nginx - image: "goharbor/nginx-photon:v2.14.1" - imagePullPolicy: "IfNotPresent" - livenessProbe: - httpGet: - scheme: HTTPS - path: / - port: 8443 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - scheme: HTTPS - path: / - port: 8443 - initialDelaySeconds: 1 - periodSeconds: 10 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - seccompProfile: - type: 
RuntimeDefault - ports: - - containerPort: 8080 - - containerPort: 8443 - volumeMounts: - - name: config - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - - name: certificate - mountPath: /etc/nginx/cert - volumes: - - name: config - configMap: - name: harbor-nginx - - name: certificate - secret: - secretName: harbor-nginx ---- -# Source: harbor/charts/harbor/templates/portal/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "harbor-portal" - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" - component: portal - app.kubernetes.io/component: portal -spec: - replicas: 2 - revisionHistoryLimit: 10 - selector: - matchLabels: - release: harbor - app: "harbor" - component: portal - template: - metadata: - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" - component: portal - app.kubernetes.io/component: portal - annotations: - checksum/configmap: 88f60f7e1b77f88d1d57ceccace7127f138ce8e15397579095fdf08c6decbe0d - spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 - automountServiceAccountToken: false - containers: - - name: portal - image: goharbor/harbor-portal:v2.14.1 - imagePullPolicy: IfNotPresent - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - livenessProbe: - httpGet: - path: / - scheme: HTTP - port: 8080 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: / - scheme: HTTP - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 10 - ports: - - 
containerPort: 8080 - volumeMounts: - - name: portal-config - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - volumes: - - name: portal-config - configMap: - name: "harbor-portal" ---- -# Source: harbor/charts/harbor/templates/registry/registry-dpl.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "harbor-registry" - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" - component: registry - app.kubernetes.io/component: registry -spec: - replicas: 1 - revisionHistoryLimit: 10 - strategy: - type: Recreate - rollingUpdate: null - selector: - matchLabels: - release: harbor - app: "harbor" - component: registry - template: - metadata: - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" - component: registry - app.kubernetes.io/component: registry - annotations: - checksum/configmap: 87c58b25a3419837f72faa3a2690b9f1523e038d974222105459836926be3d03 - checksum/secret: 54660cd152eb2befec78a32a5c59307dc1c09a9f1bd3b78150fe5035c5c33a90 - checksum/secret-jobservice: 38121c345921c661c7e6f9de4bb5f6446c41c255babf1b8416a36627193ed5a7 - checksum/secret-core: 5e00a5c189bdc7836b8fa02b61f7369eef2d6813f8d4b425beac262244f541a0 - spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 - fsGroupChangePolicy: OnRootMismatch - automountServiceAccountToken: false - terminationGracePeriodSeconds: 120 - containers: - - name: registry - image: goharbor/registry-photon:v2.14.1 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - scheme: HTTP - port: 5000 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - 
httpGet: - path: / - scheme: HTTP - port: 5000 - initialDelaySeconds: 1 - periodSeconds: 10 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - envFrom: - - secretRef: - name: "harbor-registry" - env: - - name: REGISTRY_HTTP_SECRET - valueFrom: - secretKeyRef: - name: harbor-secret - key: REGISTRY_HTTP_SECRET - ports: - - containerPort: 5000 - - containerPort: 8001 - volumeMounts: - - name: registry-data - mountPath: /storage - subPath: - - name: registry-htpasswd - mountPath: /etc/registry/passwd - subPath: passwd - - name: registry-config - mountPath: /etc/registry/config.yml - subPath: config.yml - - name: registryctl - image: goharbor/harbor-registryctl:v2.14.1 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - scheme: HTTP - port: 8080 - initialDelaySeconds: 300 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /api/health - scheme: HTTP - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 10 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - envFrom: - - configMapRef: - name: "harbor-registryctl" - - secretRef: - name: "harbor-registry" - - secretRef: - name: "harbor-registryctl" - env: - - name: REGISTRY_HTTP_SECRET - valueFrom: - secretKeyRef: - name: harbor-secret - key: REGISTRY_HTTP_SECRET - - name: CORE_SECRET - valueFrom: - secretKeyRef: - name: harbor-secret - key: secret - - name: JOBSERVICE_SECRET - valueFrom: - secretKeyRef: - name: harbor-secret - key: JOBSERVICE_SECRET - ports: - - containerPort: 8080 - volumeMounts: - - name: registry-data - mountPath: /storage - subPath: - - name: registry-config - mountPath: /etc/registry/config.yml - subPath: config.yml - - name: registry-config - mountPath: /etc/registryctl/config.yml - subPath: ctl-config.yml - volumes: - - name: 
registry-htpasswd - secret: - secretName: harbor-secret - items: - - key: REGISTRY_HTPASSWD - path: passwd - - name: registry-config - configMap: - name: "harbor-registry" - - name: registry-data - persistentVolumeClaim: - claimName: harbor-registry ---- -# Source: harbor/charts/harbor/templates/trivy/trivy-sts.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: harbor-trivy - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" - component: trivy - app.kubernetes.io/component: trivy -spec: - replicas: 1 - serviceName: harbor-trivy - selector: - matchLabels: - release: harbor - app: "harbor" - component: trivy - template: - metadata: - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" - component: trivy - app.kubernetes.io/component: trivy - annotations: - checksum/secret: 3e2dedee1ec33c5ef3e227c0b8122b7d124687f85691d5fdac5791a081fb3d2c - spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 - automountServiceAccountToken: false - containers: - - name: trivy - image: goharbor/trivy-adapter-photon:v2.14.0 - imagePullPolicy: IfNotPresent - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - env: - - name: HTTP_PROXY - value: "" - - name: HTTPS_PROXY - value: "" - - name: NO_PROXY - value: "harbor-core,harbor-jobservice,harbor-database,harbor-registry,harbor-portal,harbor-trivy,harbor-exporter,127.0.0.1,localhost,.local,.internal" - - name: "SCANNER_LOG_LEVEL" - value: "info" - - name: "SCANNER_TRIVY_CACHE_DIR" - 
value: "/home/scanner/.cache/trivy" - - name: "SCANNER_TRIVY_REPORTS_DIR" - value: "/home/scanner/.cache/reports" - - name: "SCANNER_TRIVY_DEBUG_MODE" - value: "false" - - name: "SCANNER_TRIVY_VULN_TYPE" - value: "os,library" - - name: "SCANNER_TRIVY_TIMEOUT" - value: "5m0s" - - name: "SCANNER_TRIVY_GITHUB_TOKEN" - valueFrom: - secretKeyRef: - name: harbor-trivy - key: gitHubToken - - name: "SCANNER_TRIVY_SEVERITY" - value: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" - - name: "SCANNER_TRIVY_IGNORE_UNFIXED" - value: "false" - - name: "SCANNER_TRIVY_SKIP_UPDATE" - value: "false" - - name: "SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE" - value: "false" - - name: "SCANNER_TRIVY_DB_REPOSITORY" - value: "mirror.gcr.io/aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db" - - name: "SCANNER_TRIVY_JAVA_DB_REPOSITORY" - value: "mirror.gcr.io/aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db" - - name: "SCANNER_TRIVY_OFFLINE_SCAN" - value: "false" - - name: "SCANNER_TRIVY_SECURITY_CHECKS" - value: "vuln" - - name: "SCANNER_TRIVY_INSECURE" - value: "false" - - name: SCANNER_API_SERVER_ADDR - value: ":8080" - - name: "SCANNER_REDIS_URL" - valueFrom: - secretKeyRef: - name: harbor-trivy - key: redisURL - - name: "SCANNER_STORE_REDIS_URL" - valueFrom: - secretKeyRef: - name: harbor-trivy - key: redisURL - - name: "SCANNER_JOB_QUEUE_REDIS_URL" - valueFrom: - secretKeyRef: - name: harbor-trivy - key: redisURL - ports: - - name: api-server - containerPort: 8080 - volumeMounts: - - name: data - mountPath: /home/scanner/.cache - subPath: - readOnly: false - livenessProbe: - httpGet: - scheme: HTTP - path: /probe/healthy - port: api-server - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 10 - readinessProbe: - httpGet: - scheme: HTTP - path: /probe/ready - port: api-server - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - resources: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 200m - memory: 512Mi - 
volumeClaimTemplates: - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: data - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - annotations: - spec: - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: "5Gi" ---- -# Source: harbor/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: harbor-postgresql-17-cluster - namespace: harbor - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: harbor-postgresql-17 - app.kubernetes.io/instance: harbor - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "harbor-postgresql-17-external-backup" - serverName: "harbor-postgresql-17-backup-2" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "harbor-postgresql-17-garage-local-backup" - serverName: "harbor-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "harbor-postgresql-17-recovery" - serverName: harbor-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - 
shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: harbor-postgresql-17-backup-1 - - externalClusters: - - name: harbor-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "harbor-postgresql-17-recovery" - serverName: harbor-postgresql-17-backup-1 ---- -# Source: harbor/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: harbor-secret - namespace: harbor - labels: - app.kubernetes.io/name: harbor-secret - app.kubernetes.io/instance: harbor - app.kubernetes.io/part-of: harbor -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: HARBOR_ADMIN_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/harbor/config - metadataPolicy: None - property: admin-password - - secretKey: secretKey - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/harbor/config - metadataPolicy: None - property: secretKey - - secretKey: CSRF_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/harbor/core - metadataPolicy: None - property: CSRF_KEY - - secretKey: secret - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/harbor/core - metadataPolicy: None - property: secret - - secretKey: tls.crt - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/harbor/core - metadataPolicy: None - property: tls.crt - - secretKey: tls.key - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/harbor/core - metadataPolicy: None - property: tls.key - - secretKey: JOBSERVICE_SECRET - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/harbor/jobservice - metadataPolicy: None - property: JOBSERVICE_SECRET - - 
secretKey: REGISTRY_HTTP_SECRET - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/harbor/registry - metadataPolicy: None - property: REGISTRY_HTTP_SECRET - - secretKey: REGISTRY_REDIS_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/harbor/registry - metadataPolicy: None - property: REGISTRY_REDIS_PASSWORD - - secretKey: REGISTRY_HTPASSWD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/harbor/registry - metadataPolicy: None - property: REGISTRY_HTPASSWD - - secretKey: REGISTRY_CREDENTIAL_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/harbor/registry - metadataPolicy: None - property: REGISTRY_CREDENTIAL_PASSWORD - - secretKey: REGISTRY_PASSWD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/harbor/registry - metadataPolicy: None - property: REGISTRY_CREDENTIAL_PASSWORD ---- -# Source: harbor/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: harbor-nginx-secret - namespace: harbor - labels: - app.kubernetes.io/name: harbor-nginx-secret - app.kubernetes.io/instance: harbor - app.kubernetes.io/part-of: harbor -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ca.crt - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/harbor/nginx - metadataPolicy: None - property: ca.crt - - secretKey: tls.crt - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/harbor/nginx - metadataPolicy: None - property: tls.crt - - secretKey: tls.key - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/harbor/nginx - metadataPolicy: None - property: tls.key ---- -# Source: harbor/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: 
harbor-postgresql-17-cluster-backup-secret - namespace: harbor - labels: - app.kubernetes.io/name: harbor-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: harbor - app.kubernetes.io/part-of: harbor -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: harbor/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: harbor-postgresql-17-cluster-backup-secret-garage - namespace: harbor - labels: - app.kubernetes.io/name: harbor-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: harbor - app.kubernetes.io/part-of: harbor -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: harbor/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-harbor - namespace: harbor - labels: - app.kubernetes.io/name: http-route-harbor - app.kubernetes.io/instance: harbor - app.kubernetes.io/part-of: harbor -spec: - parentRefs: - - 
group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - harbor.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: /api/ - - path: - type: PathPrefix - value: /service/ - - path: - type: PathPrefix - value: /v2/ - - path: - type: PathPrefix - value: /c/ - backendRefs: - - group: '' - kind: Service - name: harbor-core - port: 80 - weight: 100 - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: harbor-portal - port: 80 - weight: 100 ---- -# Source: harbor/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "harbor-postgresql-17-external-backup" - namespace: harbor - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: harbor-postgresql-17 - app.kubernetes.io/instance: harbor - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/harbor/harbor-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: harbor-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: harbor-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: harbor/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "harbor-postgresql-17-garage-local-backup" - namespace: harbor - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: harbor-postgresql-17 - app.kubernetes.io/instance: harbor - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: 
s3://postgres-backups/cl01tl/harbor/harbor-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: harbor-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: harbor-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: harbor-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: harbor/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "harbor-postgresql-17-recovery" - namespace: harbor - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: harbor-postgresql-17 - app.kubernetes.io/instance: harbor - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/harbor/harbor-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: harbor-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: harbor-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: harbor/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: harbor-postgresql-17-alert-rules - namespace: harbor - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: harbor-postgresql-17 - app.kubernetes.io/instance: harbor - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/harbor-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. 
- description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: harbor - cnpg_cluster: harbor-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: harbor - cnpg_cluster: harbor-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="harbor"} - cnpg_pg_replication_is_wal_receiver_up{namespace="harbor"}) < 1 - for: 5m - labels: - severity: critical - namespace: harbor - cnpg_cluster: harbor-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. 
- description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="harbor"} - cnpg_pg_replication_is_wal_receiver_up{namespace="harbor"}) < 2 - for: 5m - labels: - severity: warning - namespace: harbor - cnpg_cluster: harbor-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "harbor/harbor-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="harbor", pod=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="harbor", pod=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: harbor - cnpg_cluster: harbor-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. 
- description: |- - CloudNativePG Cluster "harbor/harbor-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="harbor", pod=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="harbor", pod=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: harbor - cnpg_cluster: harbor-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "harbor/harbor-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="harbor",pod=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: harbor - cnpg_cluster: harbor-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "harbor/harbor-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="harbor", pod=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: harbor - cnpg_cluster: harbor-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: harbor - cnpg_cluster: harbor-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "harbor/harbor-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: harbor - cnpg_cluster: harbor-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "harbor/harbor-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="harbor", persistentvolumeclaim=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: harbor - cnpg_cluster: harbor-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "harbor/harbor-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="harbor",pod=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: harbor - cnpg_cluster: harbor-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: harbor - cnpg_cluster: harbor-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: harbor - cnpg_cluster: harbor-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: harbor - cnpg_cluster: harbor-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "harbor/harbor-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="harbor", pod=~"harbor-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: harbor - cnpg_cluster: harbor-postgresql-17-cluster ---- -# Source: harbor/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-harbor - namespace: harbor - labels: - app.kubernetes.io/name: redis-replication-harbor - app.kubernetes.io/instance: harbor - app.kubernetes.io/part-of: harbor -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.0.3 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi - redisExporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.48.0 ---- -# Source: harbor/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "harbor-postgresql-17-daily-backup-scheduled-backup" - namespace: harbor - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: harbor-postgresql-17 - app.kubernetes.io/instance: harbor - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: harbor-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: 
"harbor-postgresql-17-external-backup" ---- -# Source: harbor/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "harbor-postgresql-17-live-backup-scheduled-backup" - namespace: harbor - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: harbor-postgresql-17 - app.kubernetes.io/instance: harbor - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: harbor-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "harbor-postgresql-17-garage-local-backup" ---- -# Source: harbor/charts/harbor/templates/metrics/metrics-svcmon.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: harbor - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" -spec: - jobLabel: app.kubernetes.io/name - endpoints: - - port: http-metrics - honorLabels: true - selector: - matchLabels: - release: harbor - app: "harbor" ---- -# Source: harbor/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: redis-replication-harbor - namespace: harbor - labels: - app.kubernetes.io/name: redis-replication-harbor - app.kubernetes.io/instance: harbor - app.kubernetes.io/part-of: harbor - redis-operator: "true" - env: production -spec: - selector: - matchLabels: - redis_setup_type: replication - endpoints: - - port: redis-exporter - interval: 30s - scrapeTimeout: 10s ---- -# Source: harbor/charts/harbor/templates/core/core-pre-upgrade-job.yaml 
-apiVersion: batch/v1 -kind: Job -metadata: - name: migration-job - namespace: "harbor" - labels: - heritage: Helm - release: harbor - chart: harbor - app: "harbor" - app.kubernetes.io/instance: harbor - app.kubernetes.io/name: harbor - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: harbor - app.kubernetes.io/version: "2.14.0" - component: migrator - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": pre-upgrade - "helm.sh/hook-weight": "-5" -spec: - template: - metadata: - labels: - release: harbor - app: "harbor" - component: migrator - spec: - restartPolicy: Never - securityContext: - runAsUser: 10000 - fsGroup: 10000 - terminationGracePeriodSeconds: 120 - containers: - - name: core-job - image: goharbor/harbor-core:v2.14.1 - imagePullPolicy: IfNotPresent - command: ["/harbor/harbor_core", "-mode=migrate"] - envFrom: - - configMapRef: - name: "harbor-core" - - secretRef: - name: "harbor-core" - env: - - name: POSTGRESQL_PASSWORD - valueFrom: - secretKeyRef: - name: harbor-postgresql-17-cluster-app - key: password - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - name: config - mountPath: /etc/core/app.conf - subPath: app.conf - volumes: - - name: config - configMap: - name: harbor-core - items: - - key: app.conf - path: app.conf diff --git a/clusters/cl01tl/manifests/headlamp/headlamp.yaml b/clusters/cl01tl/manifests/headlamp/headlamp.yaml deleted file mode 100644 index aa276631d..000000000 --- a/clusters/cl01tl/manifests/headlamp/headlamp.yaml +++ /dev/null 
@@ -1,308 +0,0 @@ ---- -# Source: headlamp/charts/headlamp/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: headlamp - namespace: headlamp - labels: - helm.sh/chart: headlamp-0.38.0 - app.kubernetes.io/name: headlamp - app.kubernetes.io/instance: headlamp - app.kubernetes.io/version: "0.38.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: headlamp/templates/service-account.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: headlamp-admin - namespace: headlamp - labels: - app.kubernetes.io/name: headlamp-admin - app.kubernetes.io/instance: headlamp - app.kubernetes.io/part-of: headlamp ---- -# Source: headlamp/charts/headlamp/templates/plugin-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: headlamp-plugin-config - namespace: headlamp - labels: - helm.sh/chart: headlamp-0.38.0 - app.kubernetes.io/name: headlamp - app.kubernetes.io/instance: headlamp - app.kubernetes.io/version: "0.38.0" - app.kubernetes.io/managed-by: Helm -data: - plugin.yml: | - plugins: - - name: cert-manager - source: https://artifacthub.io/packages/headlamp/headlamp-plugins/headlamp_cert-manager - version: 0.1.0 - - name: trivy - source: https://artifacthub.io/packages/headlamp/headlamp-trivy/headlamp_trivy - version: 0.3.1 - installOptions: - parallel: true - maxConcurrent: 2 ---- -# Source: headlamp/charts/headlamp/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: headlamp-admin - labels: - helm.sh/chart: headlamp-0.38.0 - app.kubernetes.io/name: headlamp - app.kubernetes.io/instance: headlamp - app.kubernetes.io/version: "0.38.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: -- kind: ServiceAccount - name: headlamp - namespace: headlamp ---- -# Source: headlamp/templates/cluster-role-binding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: 
ClusterRoleBinding -metadata: - name: cluster-admin-oidc - namespace: headlamp - labels: - app.kubernetes.io/name: cluster-admin-oidc - app.kubernetes.io/instance: headlamp - app.kubernetes.io/part-of: headlamp -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: User - name: alexanderlebens@gmail.com - apiGroup: rbac.authorization.k8s.io - - kind: ServiceAccount - name: headlamp-admin - namespace: headlamp ---- -# Source: headlamp/charts/headlamp/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: headlamp - namespace: headlamp - labels: - helm.sh/chart: headlamp-0.38.0 - app.kubernetes.io/name: headlamp - app.kubernetes.io/instance: headlamp - app.kubernetes.io/version: "0.38.0" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - - ports: - - port: 80 - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/name: headlamp - app.kubernetes.io/instance: headlamp ---- -# Source: headlamp/charts/headlamp/templates/deployment.yaml -# This block of code is used to extract the values from the env. -# This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml. 
- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: headlamp - namespace: headlamp - labels: - helm.sh/chart: headlamp-0.38.0 - app.kubernetes.io/name: headlamp - app.kubernetes.io/instance: headlamp - app.kubernetes.io/version: "0.38.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 2 - selector: - matchLabels: - app.kubernetes.io/name: headlamp - app.kubernetes.io/instance: headlamp - template: - metadata: - labels: - app.kubernetes.io/name: headlamp - app.kubernetes.io/instance: headlamp - spec: - serviceAccountName: headlamp - automountServiceAccountToken: true - securityContext: - {} - containers: - - name: headlamp - securityContext: - privileged: false - runAsGroup: 101 - runAsNonRoot: true - runAsUser: 100 - image: "ghcr.io/headlamp-k8s/headlamp:v0.38.0" - imagePullPolicy: IfNotPresent - - # Check if externalSecret is enabled - envFrom: - - secretRef: - name: headlamp-oidc-secret - args: - - "-in-cluster" - - "-watch-plugins-changes" - - "-plugins-dir=/headlamp/plugins" - - "-oidc-client-id=$(OIDC_CLIENT_ID)" - - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)" - - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)" - - "-oidc-scopes=$(OIDC_SCOPES)" - ports: - - name: http - containerPort: 4466 - protocol: TCP - livenessProbe: - httpGet: - path: "/" - port: http - readinessProbe: - httpGet: - path: "/" - port: http - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - name: plugins-dir - mountPath: /headlamp/plugins - - name: headlamp-plugin - image: node:lts-alpine - command: ["/bin/sh", "-c"] - args: - - | - if [ -f "/config/plugin.yml" ]; then - echo "Installing plugins from config..." 
- cat /config/plugin.yml - # Use a writable cache directory - export NPM_CONFIG_CACHE=/tmp/npm-cache - # Use a writable config directory - export NPM_CONFIG_USERCONFIG=/tmp/npm-userconfig - mkdir -p /tmp/npm-cache /tmp/npm-userconfig - npx --yes @headlamp-k8s/pluginctl@latest install --config /config/plugin.yml --folderName /headlamp/plugins --watch - fi - volumeMounts: - - name: plugins-dir - mountPath: /headlamp/plugins - - name: plugin-config - mountPath: /config - resources: - null - securityContext: - readOnlyRootFilesystem: false - runAsNonRoot: false - runAsUser: 0 - volumes: - - name: plugins-dir - emptyDir: {} - - name: plugin-config - configMap: - name: headlamp-plugin-config ---- -# Source: headlamp/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: headlamp-oidc-secret - namespace: headlamp - labels: - app.kubernetes.io/name: headlamp-oidc-secret - app.kubernetes.io/instance: headlamp - app.kubernetes.io/part-of: headlamp -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: OIDC_CLIENT_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/headlamp - metadataPolicy: None - property: client - - secretKey: OIDC_CLIENT_SECRET - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/headlamp - metadataPolicy: None - property: secret - - secretKey: OIDC_ISSUER_URL - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/headlamp - metadataPolicy: None - property: issuer - - secretKey: OIDC_SCOPES - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/headlamp - metadataPolicy: None - property: scopes - - secretKey: OIDC_VALIDATOR_ISSUER_URL - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/headlamp - metadataPolicy: None - property: validator-issuer-url - - secretKey: 
OIDC_VALIDATOR_CLIENT_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/headlamp - metadataPolicy: None - property: validator-client-id ---- -# Source: headlamp/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: https-route-headlamp - namespace: headlamp - labels: - app.kubernetes.io/name: https-route-headlamp - app.kubernetes.io/instance: headlamp - app.kubernetes.io/part-of: headlamp -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - headlamp.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: headlamp - port: 80 - weight: 100 diff --git a/clusters/cl01tl/manifests/home-assistant/home-assistant.yaml b/clusters/cl01tl/manifests/home-assistant/home-assistant.yaml deleted file mode 100644 index 8d878265d..000000000 --- a/clusters/cl01tl/manifests/home-assistant/home-assistant.yaml +++ /dev/null 
@@ -1,283 +0,0 @@ ---- -# Source: home-assistant/charts/home-assistant/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: home-assistant-config - labels: - app.kubernetes.io/instance: home-assistant - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: home-assistant - helm.sh/chart: home-assistant-4.4.0 - namespace: home-assistant -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: home-assistant/charts/home-assistant/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: home-assistant-main - labels: - app.kubernetes.io/instance: home-assistant - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: home-assistant - app.kubernetes.io/service: home-assistant-main - helm.sh/chart: home-assistant-4.4.0 - namespace: home-assistant -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8123 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: home-assistant - app.kubernetes.io/name: home-assistant ---- -# Source: home-assistant/charts/home-assistant/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: home-assistant-code-server - labels: - app.kubernetes.io/instance: home-assistant - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: home-assistant - app.kubernetes.io/service: home-assistant-code-server - helm.sh/chart: home-assistant-4.4.0 - namespace: home-assistant -spec: - type: ClusterIP - ports: - - port: 8443 - targetPort: 8443 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: home-assistant - app.kubernetes.io/name: home-assistant ---- -# Source: home-assistant/charts/home-assistant/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: home-assistant - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: 
home-assistant - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: home-assistant - helm.sh/chart: home-assistant-4.4.0 - namespace: home-assistant -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: home-assistant - app.kubernetes.io/instance: home-assistant - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: home-assistant - app.kubernetes.io/name: home-assistant - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: PUID - value: "1000" - - name: PGID - value: "1000" - - name: DEFAULT_WORKSPACE - value: /config - envFrom: - - secretRef: - name: home-assistant-code-server-password-secret - image: ghcr.io/linuxserver/code-server:4.106.3@sha256:aab9520fe923b2d93dccc2c806f3dc60649c2f4a2847fcd40c942227d0f1ae8f - imagePullPolicy: IfNotPresent - name: code-server - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /config/home-assistant - name: config - - env: - - name: TZ - value: US/Central - image: ghcr.io/home-assistant/home-assistant:2025.12.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 50m - memory: 512Mi - volumeMounts: - - mountPath: /config - name: config - volumes: - - name: config - persistentVolumeClaim: - claimName: home-assistant-config ---- -# Source: home-assistant/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: home-assistant-code-server-password-secret - namespace: home-assistant - labels: - app.kubernetes.io/name: home-assistant-code-server-password-secret - app.kubernetes.io/instance: home-assistant - app.kubernetes.io/part-of: home-assistant -spec: - 
secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/home-assistant/code-server/auth - metadataPolicy: None - property: PASSWORD - - secretKey: SUDO_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/home-assistant/code-server/auth - metadataPolicy: None - property: SUDO_PASSWORD ---- -# Source: home-assistant/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: home-assistant-token-secret - namespace: home-assistant - labels: - app.kubernetes.io/name: home-assistant-token-secret - app.kubernetes.io/instance: home-assistant - app.kubernetes.io/part-of: home-assistant -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: bearer-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/home-assistant/auth - metadataPolicy: None - property: bearer-token ---- -# Source: home-assistant/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-home-assistant - namespace: home-assistant - labels: - app.kubernetes.io/name: http-route-home-assistant - app.kubernetes.io/instance: home-assistant - app.kubernetes.io/part-of: home-assistant -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - home-assistant.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: home-assistant-main - port: 80 - weight: 100 ---- -# Source: home-assistant/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-home-assistant-code-server - namespace: home-assistant - labels: - app.kubernetes.io/name: http-route-home-assistant-code-server - 
app.kubernetes.io/instance: home-assistant - app.kubernetes.io/part-of: home-assistant -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - home-assistant-code-server.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: home-assistant-code-server - port: 8443 - weight: 100 ---- -# Source: home-assistant/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: home-assistant - namespace: home-assistant - labels: - app.kubernetes.io/name: home-assistant - app.kubernetes.io/instance: home-assistant - app.kubernetes.io/part-of: home-assistant -spec: - selector: - matchLabels: - app.kubernetes.io/name: home-assistant - app.kubernetes.io/service: home-assistant-main - app.kubernetes.io/instance: home-assistant - endpoints: - - port: http - interval: 3m - scrapeTimeout: 1m - path: /api/prometheus - bearerTokenSecret: - name: home-assistant-token-secret - key: bearer-token diff --git a/clusters/cl01tl/manifests/homepage-dev/homepage-dev.yaml b/clusters/cl01tl/manifests/homepage-dev/homepage-dev.yaml deleted file mode 100644 index 42641b60c..000000000 --- a/clusters/cl01tl/manifests/homepage-dev/homepage-dev.yaml +++ /dev/null 
@@ -1,307 +0,0 @@ ---- -# Source: homepage/charts/homepage/templates/common.yaml ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: homepage-dev - labels: - app.kubernetes.io/instance: homepage-dev - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: homepage - helm.sh/chart: homepage-4.4.0 - namespace: homepage-dev -data: - bookmarks.yaml: "" - docker.yaml: "" - kubernetes.yaml: "" - services.yaml: | - - Applications: - - Auth: - icon: sh-authentik.webp - description: Authentik - href: https://auth.alexlebens.dev - siteMonitor: https://auth.alexlebens.dev - statusStyle: dot - - Gitea: - icon: sh-gitea.webp - description: Gitea - href: https://gitea.alexlebens.dev - siteMonitor: https://gitea.alexlebens.dev - statusStyle: dot - - Code: - icon: sh-visual-studio-code.webp - description: VS Code - href: https://codeserver.alexlebens.dev - siteMonitor: https://codeserver.alexlebens.dev - statusStyle: dot - - Site: - icon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.png - description: Profile Website - href: https://www.alexlebens.dev - siteMonitor: https://www.alexlebens.dev - statusStyle: dot - - Content Management: - icon: directus.png - description: Directus - href: https://directus.alexlebens.dev - siteMonitor: https://directus.alexlebens.dev - statusStyle: dot - - Social Media Management: - icon: sh-postiz.webp - description: Postiz - href: https://postiz.alexlebens.dev - siteMonitor: https://postiz.alexlebens.dev - statusStyle: dot - - Chat: - icon: sh-element.webp - description: Matrix - href: https://chat.alexlebens.dev - siteMonitor: https://chat.alexlebens.dev - statusStyle: dot - - Wiki: - icon: sh-outline.webp - description: Outline - href: https://wiki.alexlebens.dev - siteMonitor: https://wiki.alexlebens.dev - statusStyle: dot - - Passwords: - icon: sh-vaultwarden-light.webp - description: Vaultwarden - href: https://passwords.alexlebens.dev - siteMonitor: 
https://passwords.alexlebens.dev - statusStyle: dot - - Bookmarks: - icon: sh-karakeep-light.webp - description: Karakeep - href: https://karakeep.alexlebens.dev - siteMonitor: https://karakeep.alexlebens.dev - statusStyle: dot - - RSS: - icon: sh-freshrss.webp - description: FreshRSS - href: https://rss.alexlebens.dev - siteMonitor: https://rss.alexlebens.dev - statusStyle: dot - settings.yaml: | - favicon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.svg - headerStyle: clean - hideVersion: true - color: zinc - background: - image: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/background.jpg - brightness: 50 - theme: dark - disableCollapse: true - widgets.yaml: | - - logo: - icon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.png - - datetime: - text_size: xl - format: - dateStyle: long - timeStyle: short - hour12: false - - openmeteo: - label: St. 
Paul - latitude: 44.954445 - longitude: -93.091301 - timezone: America/Chicago - units: metric - cache: 5 - format: - maximumFractionDigits: 0 ---- -# Source: homepage/charts/homepage/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: homepage-dev - labels: - app.kubernetes.io/instance: homepage-dev - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: homepage - app.kubernetes.io/service: homepage-dev - helm.sh/chart: homepage-4.4.0 - namespace: homepage-dev -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 3000 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: homepage-dev - app.kubernetes.io/name: homepage ---- -# Source: homepage/charts/cloudflared/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: homepage-dev-cloudflared - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: homepage-dev - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cloudflared - app.kubernetes.io/version: 2025.10.0 - helm.sh/chart: cloudflared-1.23.1 - namespace: homepage-dev -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: cloudflared - app.kubernetes.io/instance: homepage-dev - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: homepage-dev - app.kubernetes.io/name: cloudflared - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - tunnel - - --protocol - - http2 - - --no-autoupdate - - run - - --token - - $(CF_MANAGED_TUNNEL_TOKEN) - env: - - name: CF_MANAGED_TUNNEL_TOKEN - valueFrom: - secretKeyRef: - key: cf-tunnel-token - name: homepage-dev-cloudflared-secret - image: cloudflare/cloudflared:2025.11.1 - 
imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: homepage/charts/homepage/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: homepage-dev - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: homepage-dev - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: homepage - helm.sh/chart: homepage-4.4.0 - annotations: - reloader.stakater.com/auto: "true" - namespace: homepage-dev -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: homepage - app.kubernetes.io/instance: homepage-dev - template: - metadata: - annotations: - checksum/configMaps: d1306b9af923c5b3f02566a43c7a141c7168ebf8a74e5ff1a2d5d8082001c1a1 - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: homepage-dev - app.kubernetes.io/name: homepage - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: HOMEPAGE_ALLOWED_HOSTS - value: home.alexlebens.dev - image: ghcr.io/gethomepage/homepage:v1.7.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /app/config/bookmarks.yaml - mountPropagation: None - name: config - readOnly: true - subPath: bookmarks.yaml - - mountPath: /app/config/docker.yaml - mountPropagation: None - name: config - readOnly: true - subPath: docker.yaml - - mountPath: /app/config/kubernetes.yaml - mountPropagation: None - name: config - readOnly: true - subPath: kubernetes.yaml - - mountPath: /app/config/services.yaml - mountPropagation: None - name: config - readOnly: true - subPath: services.yaml - - mountPath: /app/config/settings.yaml - mountPropagation: None - name: config - readOnly: true - 
subPath: settings.yaml - - mountPath: /app/config/widgets.yaml - mountPropagation: None - name: config - readOnly: true - subPath: widgets.yaml - volumes: - - configMap: - name: homepage-dev - name: config ---- -# Source: homepage/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: homepage-dev-cloudflared-secret - namespace: homepage-dev - labels: - app.kubernetes.io/name: homepage-dev-cloudflared-secret - app.kubernetes.io/instance: homepage-dev - app.kubernetes.io/part-of: homepage-dev -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: cf-tunnel-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/tunnels/homepage-dev - metadataPolicy: None - property: token diff --git a/clusters/cl01tl/manifests/homepage/homepage.yaml b/clusters/cl01tl/manifests/homepage/homepage.yaml deleted file mode 100644 index 97261bdad..000000000 --- a/clusters/cl01tl/manifests/homepage/homepage.yaml +++ /dev/null 
@@ -1,1132 +0,0 @@ ---- -# Source: homepage/charts/homepage/templates/common.yaml ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: homepage - labels: - app.kubernetes.io/instance: homepage - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: homepage - helm.sh/chart: homepage-4.4.0 - namespace: homepage -secrets: - - name: homepage-homepage-sa-token ---- -# Source: homepage/charts/homepage/templates/common.yaml -apiVersion: v1 -kind: Secret -type: kubernetes.io/service-account-token -metadata: - name: homepage-homepage-sa-token - labels: - app.kubernetes.io/instance: homepage - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: homepage - helm.sh/chart: homepage-4.4.0 - annotations: - kubernetes.io/service-account.name: homepage - namespace: homepage ---- -# Source: homepage/charts/homepage/templates/common.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: homepage - labels: - app.kubernetes.io/instance: homepage - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: homepage - helm.sh/chart: homepage-4.4.0 - namespace: homepage -data: - bookmarks.yaml: | - - External Services: - - Github: - - abbr: GH - href: https://github.com/alexlebens - - Digital Ocean: - - abbr: DO - href: https://www.digitalocean.com/ - - AWS: - - abbr: AW - href: https://aws.amazon.com/console/ - - Cloudflare: - - abbr: CF - href: https://dash.cloudflare.com/b76e303258b84076ee01fd0f515c0768 - - Tailscale: - - abbr: TS - href: https://login.tailscale.com/admin/machines - - ProtonVPN: - - abbr: PV - href: https://account.protonvpn.com/ - - Unifi: - - abbr: UF - href: https://unifi.ui.com/ - - Pushover: - - abbr: PO - href: https://pushover.net - - ReCaptcha: - - abbr: RC - href: https://www.google.com/recaptcha/admin/site/698983587 - - Trackers: - - Torrentleech: - - abbr: TL - href: https://www.torrentleech.org - - Avistaz: - - abbr: AV - href: https://avistaz.to - - Cinemaz: - - abbr: CM - href: https://cinemaz.to - - Cathode Ray Tube: - - 
abbr: CRT - href: https://www.cathode-ray.tube - - Alpha Ratio: - - abbr: AL - href: https://alpharatio.cc/ - - MV Group: - - abbr: MV - href: https://forums.mvgroup.org - docker.yaml: "" - kubernetes.yaml: | - mode: cluster - services.yaml: | - - Media: - - Plex: - icon: sh-plex.webp - description: Media server - href: https://plex.alexlebens.net - siteMonitor: http://plex.plex:32400 - statusStyle: dot - - Jellyfin: - icon: sh-jellyfin.webp - description: Media server - href: https://jellyfin.alexlebens.net - siteMonitor: http://jellyfin.jellyfin:80 - statusStyle: dot - - Media Requests: - icon: sh-overseerr.webp - description: Overseer - href: https://overseerr.alexlebens.net - siteMonitor: http://overseerr.overseerr:80 - statusStyle: dot - - Media Tracking: - icon: sh-yamtrack.webp - description: Yamtrack - href: https://yamtrack.alexlebens.net - siteMonitor: http://yamtrack.yamtrack:80 - statusStyle: dot - - Youtube Archive: - icon: sh-tube-archivist-light.webp - description: TubeAchivist - href: https://tubearchivist.alexlebens.net/login - siteMonitor: http://tubearchivist.tubearchivist:80 - statusStyle: dot - - Photos: - icon: sh-immich.webp - description: Immich - href: https://immich.alexlebens.net - siteMonitor: http://immich-main.immich:2283 - statusStyle: dot - - Pictures: - icon: sh-photoview.webp - description: Photoview - href: https://photoview.alexlebens.net - siteMonitor: http://photoview.photoview:80 - statusStyle: dot - - Podcasts and Audiobooks: - icon: sh-audiobookshelf.webp - description: Audiobookshelf - href: https://audiobookshelf.alexlebens.net - siteMonitor: http://audiobookshelf.audiobookshelf:80 - statusStyle: dot - - Books: - icon: sh-booklore.webp - description: Booklore - href: https://booklore.alexlebens.net - siteMonitor: http://booklore.booklore:80 - statusStyle: dot - - Public: - - Site: - icon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.png - description: Profile 
Website - href: https://www.alexlebens.dev - siteMonitor: https://www.alexlebens.dev - statusStyle: dot - - Content Management: - icon: directus.png - description: Directus - href: https://directus.alexlebens.dev - siteMonitor: https://directus.alexlebens.dev - statusStyle: dot - - Social Media Management: - icon: sh-postiz.webp - description: Postiz - href: https://postiz.alexlebens.dev - siteMonitor: https://postiz.alexlebens.dev - statusStyle: dot - - Chat: - icon: sh-element.webp - description: Matrix - href: https://chat.alexlebens.dev - siteMonitor: https://chat.alexlebens.dev - statusStyle: dot - - Wiki: - icon: sh-outline.webp - description: Outline - href: https://wiki.alexlebens.dev - siteMonitor: https://wiki.alexlebens.dev - statusStyle: dot - - Passwords: - icon: sh-vaultwarden-light.webp - description: Vaultwarden - href: https://passwords.alexlebens.dev - siteMonitor: https://passwords.alexlebens.dev - statusStyle: dot - - Bookmarks: - icon: sh-karakeep-light.webp - description: Karakeep - href: https://karakeep.alexlebens.dev - siteMonitor: https://karakeep.alexlebens.dev - statusStyle: dot - - RSS: - icon: sh-freshrss.webp - description: FreshRSS - href: https://rss.alexlebens.dev - siteMonitor: https://rss.alexlebens.dev - statusStyle: dot - - Internal: - - Home Automation: - icon: sh-home-assistant.webp - description: Home Assistant - href: https://home-assistant.alexlebens.net - siteMonitor: http://home-assistant-main.home-assistant:80 - statusStyle: dot - - Budgeting: - icon: sh-actual-budget.webp - description: Actual - href: https://actual.alexlebens.net - siteMonitor: http://actual.actual:80 - statusStyle: dot - - AI: - icon: sh-ollama.webp - description: Ollama - href: https://ollama.alexlebens.net - siteMonitor: http://ollama-web.ollama:80 - statusStyle: dot - - AI Image: - icon: https://user-images.githubusercontent.com/36368048/196280761-1535f413-a91e-4b6a-af6a-b890f8ae204c.png - description: Stable Diffusion - href: 
https://stable-diffusion-pd05wd.boreal-beaufort.ts.net - siteMonitor: https://stable-diffusion-pd05wd.boreal-beaufort.ts.net - statusStyle: dot - - Search: - icon: sh-searxng.webp - description: Searxng - href: https://searxng.alexlebens.net/ - siteMonitor: http://searxng-browser.searxng:80 - statusStyle: dot - - Email: - icon: sh-roundcube.webp - description: Roundcube - href: https://mail.alexlebens.net - siteMonitor: http://roundcube.roundcube:80 - statusStyle: dot - - Wiki: - icon: sh-kiwix-light.webp - description: Kiwix - href: https://kiwix.alexlebens.net - siteMonitor: http://kiwix.kiwix:80 - statusStyle: dot - - Code: - - Code (Public): - icon: sh-gitea.webp - description: Gitea - href: https://gitea.alexlebens.dev - siteMonitor: https://gitea.alexlebens.dev - statusStyle: dot - - Code (Local): - icon: sh-gitea.webp - description: Gitea - href: https://gitea.alexlebens.net - siteMonitor: https://gitea.alexlebens.net - statusStyle: dot - - Code (ps10rp): - icon: sh-gitea.webp - description: Gitea - href: https://gitea-ps10rp.boreal-beaufort.ts.net - siteMonitor: https://gitea-ps10rp.boreal-beaufort.ts.net - statusStyle: dot - - IDE (Public): - icon: sh-visual-studio-code.webp - description: VS Code - href: https://codeserver.alexlebens.dev - siteMonitor: https://codeserver.alexlebens.dev - statusStyle: dot - - IDE (Home Assistant): - icon: sh-visual-studio-code.webp - description: Edit config for Home Assistant - href: https://home-assistant-code-server.alexlebens.net - siteMonitor: http://home-assistant-code-server.home-assistant:8443 - statusStyle: dot - - Continuous Deployment: - icon: sh-argo-cd.webp - description: ArgoCD - href: https://argocd.alexlebens.net - siteMonitor: http://argocd-server.argocd:80 - statusStyle: dot - - Docker Deployment: - icon: sh-komodo-light.webp - description: Komodo - href: https://komodo.alexlebens.net - siteMonitor: http://komodo-main.komodo:80 - statusStyle: dot - - Automation: - - Deployment Workflows: - icon: 
sh-argo-cd.webp - description: Argo Workflows - href: https://argo-workflows.alexlebens.net - siteMonitor: http://argo-workflows-server.argo-workflows:2746 - statusStyle: dot - - API Workflows: - icon: sh-n8n.webp - description: n8n - href: https://n8n.alexlebens.net - siteMonitor: http://n8n-main.n8n:80 - statusStyle: dot - - Jobs: - icon: https://raw.githubusercontent.com/mshade/kronic/main/static/android-chrome-192x192.png - description: Kronic - href: https://kronic.alexlebens.net - siteMonitor: http://kronic.kronic:80 - statusStyle: dot - - Uptime: - icon: sh-gatus.webp - description: Gatus - href: https://gatus.alexlebens.net - siteMonitor: http://gatus.gatus:80 - statusStyle: dot - - Tools: - icon: sh-omnitools.webp - description: OmniTools - href: https://omni-tools.alexlebens.net - siteMonitor: http://omni-tools.omni-tools:80 - statusStyle: dot - - Monitoring: - - Kubernetes: - icon: sh-headlamp.webp - description: Headlamp - href: https://headlamp.alexlebens.net - siteMonitor: http://headlamp.headlamp:80 - statusStyle: dot - - Network Monitoring: - icon: sh-cilium.webp - description: Hubble for Cilium - href: https://hubble.alexlebens.net - siteMonitor: http://hubble-ui.kube-system:80 - statusStyle: dot - - Dashboard: - icon: sh-grafana.webp - description: Grafana - href: https://grafana.alexlebens.net - siteMonitor: http://grafana-main-service.grafana-operator:3000/api/health - statusStyle: dot - - Metrics: - icon: sh-prometheus.webp - description: Prometheus - href: https://prometheus.alexlebens.net - siteMonitor: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090 - statusStyle: dot - widget: - type: prometheus - url: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090 - - Alerting: - icon: sh-prometheus-light.webp - description: Alertmanager - href: https://alertmanager.alexlebens.net - siteMonitor: http://kube-prometheus-stack-alertmanager.kube-prometheus-stack:9093 - statusStyle: dot - widget: - type: prometheusmetric - 
url: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090 - refreshInterval: 120s - metrics: - - label: Alerts Active - query: alertmanager_alerts{state="active"} - - label: Metric Database Size - query: prometheus_tsdb_storage_blocks_bytes - format: - type: bytes - - Tautulli: - icon: sh-tautulli.webp - description: Plex Monitoring - href: https://tautulli.alexlebens.net - siteMonitor: http://tautulli.tautulli:80 - statusStyle: dot - - Jellystat: - icon: sh-jellystat.webp - description: Jellyfin Monitoring - href: https://jellystat.alexlebens.net - siteMonitor: http://jellystat.jellystat:80 - statusStyle: dot - - Services: - - Auth (Public): - icon: sh-authentik.webp - description: Authentik - href: https://auth.alexlebens.dev - siteMonitor: https://auth.alexlebens.dev - statusStyle: dot - - Auth (Local): - icon: sh-authentik.webp - description: Authentik - href: https://authentik.alexlebens.net - siteMonitor: http://authentik-server.authentik:80 - statusStyle: dot - - Email: - icon: sh-stalwart.webp - description: Stalwart - href: https://stalwart.alexlebens.net - siteMonitor: http://stalwart.stalwart:80 - statusStyle: dot - - Notifications: - icon: sh-ntfy.webp - description: ntfy - href: https://ntfy.alexlebens.net - siteMonitor: http://ntfy.ntfy:80 - statusStyle: dot - - Reverse Proxy: - icon: sh-traefik.webp - description: Traefik - href: https://traefik-cl01tl.alexlebens.net/dashboard/#/ - siteMonitor: https://traefik-cl01tl.alexlebens.net/dashboard/#/ - statusStyle: dot - widget: - type: traefik - url: https://traefik-cl01tl.alexlebens.net - - Image Cache: - icon: sh-harbor.webp - description: Harbor - href: https://harbor.alexlebens.net - siteMonitor: http://harbor-portal.harbor:80 - statusStyle: dot - - Hardware: - - Network Management (alexlebens.net): - icon: sh-ubiquiti-unifi.webp - description: Unifi - href: https://unifi.alexlebens.net - siteMonitor: https://unifi.alexlebens.net - statusStyle: dot - - Network Attached Storage: - icon: 
sh-synology-light.webp - description: Synology - href: https://synology.alexlebens.net - siteMonitor: https://synology.alexlebens.net - statusStyle: dot - widget: - type: diskstation - url: https://synology.alexlebens.net - username: {{HOMEPAGE_VAR_SYNOLOGY_USER}} - password: {{HOMEPAGE_VAR_SYNOLOGY_PASSWORD}} - volume: volume_2 - - TV Tuner: - icon: sh-hdhomerun.webp - description: HD Homerun - href: http://hdhr.alexlebens.net - siteMonitor: http://hdhr.alexlebens.net - statusStyle: dot - widget: - type: hdhomerun - url: http://hdhr.alexlebens.net - tuner: 0 - fields: ["channels", "hd"] - - KVM: - icon: sh-pikvm-light.webp - description: Pi KVM - href: https://pikvm.alexlebens.net - siteMonitor: https://pikvm.alexlebens.net - statusStyle: dot - - Server Plug: - icon: sh-shelly.webp - description: Shelly - href: http://it05sp.alexlebens.net - siteMonitor: http://it05sp.alexlebens.net - statusStyle: dot - - Storage: - - Cluster Storage: - icon: sh-ceph.webp - description: Ceph - href: https://ceph.alexlebens.net - siteMonitor: http://rook-ceph-mgr-dashboard.rook-ceph:7000 - statusStyle: dot - - Object Storage (NAS): - icon: sh-garage.webp - description: Garage - href: https://garage-webui.alexlebens.net - siteMonitor: http://garage-webui.garage:3909 - statusStyle: dot - - Object Storage (ps10rp): - icon: sh-garage.webp - description: Garage - href: https://garage-ui-ps10rp.boreal-beaufort.ts.net - siteMonitor: https://garage-ui-ps10rp.boreal-beaufort.ts.net - statusStyle: dot - - Database: - icon: sh-pgadmin-light.webp - description: PGAdmin - href: https://pgadmin.alexlebens.net - siteMonitor: http://pgadmin.pgadmin:80 - statusStyle: dot - - Database: - icon: sh-whodb.webp - description: WhoDB - href: https://whodb.alexlebens.net - siteMonitor: http://whodb.whodb:80 - statusStyle: dot - - Secrets: - icon: sh-hashicorp-vault.webp - description: Vault - href: https://vault.alexlebens.net - siteMonitor: http://vault.vault:8200 - statusStyle: dot - - Backups: - icon: 
sh-backrest-light.webp - description: Backrest - href: https://backrest.alexlebens.net - siteMonitor: http://backrest.backrest:80 - statusStyle: dot - - Content: - - qUI: - icon: https://raw.githubusercontent.com/autobrr/qui/8487c818886df9abb2b1456f43b54e0ba180a2bd/web/public/icons.svg - description: qbitorrent - href: https://qui.alexlebens.net - siteMonitor: http://qbittorrent-qui.qbittorrent:80 - statusStyle: dot - widget: - type: qbittorrent - url: http://qbittorrent.qbittorrent:8080 - enableLeechProgress: true - - Prowlarr: - icon: sh-prowlarr.webp - description: Indexers - href: https://prowlarr.alexlebens.net - siteMonitor: http://prowlarr.prowlarr:80 - statusStyle: dot - - Huntarr: - icon: https://raw.githubusercontent.com/plexguide/Huntarr.io/main/frontend/static/logo/128.png - description: Content upgrader - href: https://huntarr.alexlebens.net - siteMonitor: http://huntarr.huntarr:80 - statusStyle: dot - - Bazarr: - icon: sh-bazarr.webp - description: Subtitles - href: https://bazarr.alexlebens.net - siteMonitor: http://bazarr.bazarr:80 - statusStyle: dot - - Tdarr: - icon: sh-tdarr.webp - description: Media transcoding and health checks - href: https://tdarr.alexlebens.net - siteMonitor: http://tdarr-web.tdarr:8265 - statusStyle: dot - widget: - type: tdarr - url: http://tdarr-web.tdarr:8265 - - TV Shows: - - Sonarr: - icon: sh-sonarr.webp - description: TV Shows - href: https://sonarr.alexlebens.net - siteMonitor: http://sonarr.sonarr:80 - statusStyle: dot - widget: - type: sonarr - url: http://sonarr.sonarr:80 - key: {{HOMEPAGE_VAR_SONARR_KEY}} - fields: ["wanted", "queued", "series"] - enableQueue: false - - Sonarr 4K: - icon: sh-sonarr.webp - description: TV Shows 4K - href: https://sonarr-4k.alexlebens.net - siteMonitor: http://sonarr-4k.sonarr-4k:80 - statusStyle: dot - widget: - type: sonarr - url: http://sonarr-4k.sonarr-4k:80 - key: {{HOMEPAGE_VAR_SONARR4K_KEY}} - fields: ["wanted", "queued", "series"] - enableQueue: false - - Sonarr Anime: - 
icon: sh-sonarr.webp - description: Anime Shows - href: https://sonarr-anime.alexlebens.net - siteMonitor: http://sonarr-anime.sonarr-anime:80 - statusStyle: dot - widget: - type: sonarr - url: http://sonarr-anime.sonarr-anime:80 - key: {{HOMEPAGE_VAR_SONARRANIME_KEY}} - fields: ["wanted", "queued", "series"] - enableQueue: false - - Movies: - - Radarr: - icon: sh-radarr.webp - description: Movies - href: https://radarr.alexlebens.net - siteMonitor: http://radarr.radarr:80 - statusStyle: dot - widget: - type: radarr - url: http://radarr.radarr:80 - key: {{HOMEPAGE_VAR_RADARR_KEY}} - fields: ["wanted", "queued", "movies"] - enableQueue: false - - Radarr 4K: - icon: sh-radarr-4k.webp - description: Movies 4K - href: https://radarr-4k.alexlebens.net - siteMonitor: http://radarr-4k.radarr-4k:80 - statusStyle: dot - widget: - type: radarr - url: http://radarr-4k.radarr-4k:80 - key: {{HOMEPAGE_VAR_RADARR4K_KEY}} - fields: ["wanted", "queued", "movies"] - enableQueue: false - - Radarr Anime: - icon: sh-radarr-anime.webp - description: Anime Movies - href: https://radarr-anime.alexlebens.net - siteMonitor: http://radarr-anime.radarr-anime:80 - statusStyle: dot - widget: - type: radarr - url: http://radarr-anime.radarr-anime:80 - key: {{HOMEPAGE_VAR_RADARRANIME_KEY}} - fields: ["wanted", "queued", "movies"] - enableQueue: false - - Radarr Stand Up: - icon: sh-radarr-light-hybrid.webp - description: Stand Up - href: https://radarr-standup.alexlebens.net - siteMonitor: http://radarr-standup.radarr-standup:80 - statusStyle: dot - widget: - type: radarr - url: http://radarr-standup.radarr-standup:80 - key: {{HOMEPAGE_VAR_RADARRSTANDUP_KEY}} - fields: ["wanted", "queued", "movies"] - enableQueue: false - - Music: - - Lidarr: - icon: sh-lidarr.webp - description: Music - href: https://lidarr.alexlebens.net - siteMonitor: http://lidarr.lidarr:80 - statusStyle: dot - widget: - type: lidarr - url: http://lidarr.lidarr:80 - key: {{HOMEPAGE_VAR_LIDARR_KEY}} - fields: ["wanted", 
"queued", "artists"] - - LidaTube: - icon: sh-lidatube.webp - description: Searches for Music - href: https://lidatube.alexlebens.net - siteMonitor: http://lidatube.lidatube:80 - statusStyle: dot - - Soulseek: - icon: sh-slskd.webp - description: slskd - href: https://slskd.alexlebens.net - siteMonitor: http://slskd.slskd:5030 - statusStyle: dot - - Books: - - Ephemera: - icon: sh-ephemera.webp - description: Books - href: https://ephemera.alexlebens.net - siteMonitor: http://ephemera.ephemera:80 - statusStyle: dot - - Listenarr: - icon: sh-audiobookrequest.webp - description: Audiobooks - href: https://listenarr.alexlebens.net - siteMonitor: http://listenarr.listenarr:80 - statusStyle: dot - - Other Homes: - - Dev: - icon: sh-homepage.webp - description: Public Homepage - href: https://home.alexlebens.dev - siteMonitor: https://home.alexlebens.dev - statusStyle: dot - - Lebens Home: - icon: sh-homepage.webp - description: Lebens Homepage - href: https://home-ps10rp.boreal-beaufort.ts.net - siteMonitor: https://home-ps10rp.boreal-beaufort.ts.net - statusStyle: dot - settings.yaml: | - favicon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.svg - headerStyle: clean - hideVersion: true - color: zinc - background: - image: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/background.jpg - brightness: 50 - theme: dark - disableCollapse: true - layout: - - Media: - tab: Applications - icon: mdi-multimedia-#ffffff - - Public: - tab: Applications - icon: mdi-earth-#ffffff - - Internal: - tab: Applications - icon: mdi-security-network-#ffffff - - Code: - tab: Tools - icon: mdi-code-block-braces-#ffffff - - Automation: - tab: Tools - icon: mdi-wrench-#ffffff - - Monitoring: - tab: Tools - icon: mdi-chart-line-#ffffff - - Services: - tab: Services - icon: mdi-toolbox-outline-#ffffff - - Hardware: - tab: Services - icon: mdi-server-network-#ffffff - - Storage: - tab: Services - 
icon: mdi-database-#ffffff - - Content: - tab: Services - icon: mdi-multimedia-#ffffff - - TV Shows: - tab: Content - icon: mdi-television-#ffffff - - Movies: - tab: Content - icon: mdi-filmstrip-#ffffff - - Music: - tab: Content - icon: mdi-music-box-multiple-#ffffff - - Books: - tab: Content - icon: mdi-book-open-variant-#ffffff - - External Services: - tab: Bookmarks - icon: mdi-cloud-#ffffff - - Other Homes: - tab: Bookmarks - icon: mdi-cloud-#ffffff - - Trackers: - tab: Bookmarks - icon: mdi-cloud-#ffffff - widgets.yaml: | - - logo: - icon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.png - - kubernetes: - cluster: - show: true - cpu: true - memory: true - showLabel: false - label: "Cluster" - nodes: - show: false - - datetime: - text_size: xl - format: - dateStyle: long - timeStyle: short - hour12: false - - openmeteo: - label: St. Paul - latitude: 44.954445 - longitude: -93.091301 - timezone: America/Chicago - units: metric - cache: 5 - format: - maximumFractionDigits: 0 ---- -# Source: homepage/templates/cluster-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: homepage - namespace: homepage - labels: - app.kubernetes.io/name: homepage - app.kubernetes.io/instance: homepage - app.kubernetes.io/part-of: homepage -rules: - - apiGroups: - - "" - resources: - - namespaces - - pods - - nodes - verbs: - - get - - list - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - apiGroups: - - traefik.io - resources: - - ingressroutes - verbs: - - get - - list - - apiGroups: - - gateway.networking.k8s.io - resources: - - httproutes - - gateways - verbs: - - get - - list - - apiGroups: - - metrics.k8s.io - resources: - - nodes - - pods - verbs: - - get - - list ---- -# Source: homepage/templates/cluster-role-binding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: homepage - 
namespace: homepage - labels: - app.kubernetes.io/name: homepage - app.kubernetes.io/instance: homepage - app.kubernetes.io/part-of: homepage -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: homepage -subjects: - - kind: ServiceAccount - name: homepage - namespace: homepage ---- -# Source: homepage/charts/homepage/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: homepage - labels: - app.kubernetes.io/instance: homepage - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: homepage - app.kubernetes.io/service: homepage - helm.sh/chart: homepage-4.4.0 - namespace: homepage -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 3000 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: homepage - app.kubernetes.io/name: homepage ---- -# Source: homepage/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: gitea-ps10rp - namespace: homepage - labels: - app.kubernetes.io/name: gitea-ps10rp - app.kubernetes.io/instance: homepage - app.kubernetes.io/part-of: homepage - annotations: - tailscale.com/tailnet-fqdn: gitea-ps10rp.boreal-beaufort.ts.net -spec: - externalName: placeholder - type: ExternalName ---- -# Source: homepage/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: home-ps10rp - namespace: homepage - labels: - app.kubernetes.io/name: home-ps10rp - app.kubernetes.io/instance: homepage - app.kubernetes.io/part-of: homepage - annotations: - tailscale.com/tailnet-fqdn: home-ps10rp.boreal-beaufort.ts.net -spec: - externalName: placeholder - type: ExternalName ---- -# Source: homepage/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: garage-ui-ps10rp - namespace: homepage - labels: - app.kubernetes.io/name: garage-ps10rp - app.kubernetes.io/instance: homepage - app.kubernetes.io/part-of: homepage - annotations: - tailscale.com/tailnet-fqdn: garage-ui-ps10rp.boreal-beaufort.ts.net -spec: 
- externalName: placeholder - type: ExternalName ---- -# Source: homepage/charts/homepage/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: homepage - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: homepage - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: homepage - helm.sh/chart: homepage-4.4.0 - annotations: - reloader.stakater.com/auto: "true" - namespace: homepage -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: homepage - app.kubernetes.io/instance: homepage - template: - metadata: - annotations: - checksum/configMaps: 5b025903635dfc4abfcdb07fac7674f70d46a2d7bbeeeb1c7cd95e68e03f53ea - checksum/secrets: d3ba83f111cd32f92c909268c55ad8bbd4f9e299b74b35b33c1a011180d8b378 - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: homepage - app.kubernetes.io/name: homepage - spec: - enableServiceLinks: false - serviceAccountName: homepage - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: HOMEPAGE_ALLOWED_HOSTS - value: home.alexlebens.net - envFrom: - - secretRef: - name: homepage-keys-secret - image: ghcr.io/gethomepage/homepage:v1.7.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /app/config/bookmarks.yaml - mountPropagation: None - name: config - readOnly: true - subPath: bookmarks.yaml - - mountPath: /app/config/docker.yaml - mountPropagation: None - name: config - readOnly: true - subPath: docker.yaml - - mountPath: /app/config/kubernetes.yaml - mountPropagation: None - name: config - readOnly: true - subPath: kubernetes.yaml - - mountPath: /app/config/services.yaml - mountPropagation: None - name: config - readOnly: true - subPath: services.yaml - - mountPath: 
/app/config/settings.yaml - mountPropagation: None - name: config - readOnly: true - subPath: settings.yaml - - mountPath: /app/config/widgets.yaml - mountPropagation: None - name: config - readOnly: true - subPath: widgets.yaml - volumes: - - configMap: - name: homepage - name: config ---- -# Source: homepage/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: homepage-keys-secret - namespace: homepage - labels: - app.kubernetes.io/name: homepage-keys-secret - app.kubernetes.io/instance: homepage - app.kubernetes.io/part-of: homepage -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: HOMEPAGE_VAR_SYNOLOGY_USER - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /synology/auth/cl01tl - metadataPolicy: None - property: user - - secretKey: HOMEPAGE_VAR_SYNOLOGY_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /synology/auth/cl01tl - metadataPolicy: None - property: password - - secretKey: HOMEPAGE_VAR_UNIFI_USER - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /unifi/auth/cl01tl - metadataPolicy: None - property: user - - secretKey: HOMEPAGE_VAR_UNIFI_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /unifi/auth/cl01tl - metadataPolicy: None - property: password - - secretKey: HOMEPAGE_VAR_SONARR_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/sonarr4/key - metadataPolicy: None - property: key - - secretKey: HOMEPAGE_VAR_SONARR4K_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/sonarr4-4k/key - metadataPolicy: None - property: key - - secretKey: HOMEPAGE_VAR_SONARRANIME_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/sonarr4-anime/key - metadataPolicy: None - property: key - - secretKey: HOMEPAGE_VAR_RADARR_KEY - remoteRef: - conversionStrategy: 
Default - decodingStrategy: None - key: /cl01tl/radarr5/key - metadataPolicy: None - property: key - - secretKey: HOMEPAGE_VAR_RADARR4K_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/radarr5-4k/key - metadataPolicy: None - property: key - - secretKey: HOMEPAGE_VAR_RADARRANIME_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/radarr5-anime/key - metadataPolicy: None - property: key - - secretKey: HOMEPAGE_VAR_RADARRSTANDUP_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/radarr5-standup/key - metadataPolicy: None - property: key - - secretKey: HOMEPAGE_VAR_LIDARR_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/lidarr2/key - metadataPolicy: None - property: key - - secretKey: HOMEPAGE_VAR_PROWLARR_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/prowlarr/key - metadataPolicy: None - property: key ---- -# Source: homepage/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-homepage - namespace: homepage - labels: - app.kubernetes.io/name: http-route-homepage - app.kubernetes.io/instance: homepage - app.kubernetes.io/part-of: homepage -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - home.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: homepage - port: 80 - weight: 100 diff --git a/clusters/cl01tl/manifests/huntarr/huntarr.yaml b/clusters/cl01tl/manifests/huntarr/huntarr.yaml deleted file mode 100644 index 7b375e62a..000000000 --- a/clusters/cl01tl/manifests/huntarr/huntarr.yaml +++ /dev/null 
@@ -1,129 +0,0 @@ ---- -# Source: huntarr/charts/huntarr/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: huntarr-config - labels: - app.kubernetes.io/instance: huntarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: huntarr - helm.sh/chart: huntarr-4.4.0 - namespace: huntarr -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: huntarr/charts/huntarr/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: huntarr - labels: - app.kubernetes.io/instance: huntarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: huntarr - app.kubernetes.io/service: huntarr - helm.sh/chart: huntarr-4.4.0 - namespace: huntarr -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 9705 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: huntarr - app.kubernetes.io/name: huntarr ---- -# Source: huntarr/charts/huntarr/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: huntarr - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: huntarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: huntarr - helm.sh/chart: huntarr-4.4.0 - namespace: huntarr -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: huntarr - app.kubernetes.io/instance: huntarr - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: huntarr - app.kubernetes.io/name: huntarr - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - image: ghcr.io/plexguide/huntarr:8.2.10 - imagePullPolicy: IfNotPresent - 
name: main - resources: - requests: - cpu: 100m - memory: 256Mi - volumeMounts: - - mountPath: /config - name: config - volumes: - - name: config - persistentVolumeClaim: - claimName: huntarr-config ---- -# Source: huntarr/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-huntarr - namespace: huntarr - labels: - app.kubernetes.io/name: http-route-huntarr - app.kubernetes.io/instance: huntarr - app.kubernetes.io/part-of: huntarr -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - huntarr.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: huntarr - port: 80 - weight: 100 diff --git a/clusters/cl01tl/manifests/immich/immich.yaml b/clusters/cl01tl/manifests/immich/immich.yaml deleted file mode 100644 index 4e3dd420d..000000000 --- a/clusters/cl01tl/manifests/immich/immich.yaml +++ /dev/null 
@@ -1,1025 +0,0 @@ ---- -# Source: immich/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: immich-nfs-storage - namespace: immich - labels: - app.kubernetes.io/name: immich-nfs-storage - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage/Immich - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: immich/charts/immich/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: immich - labels: - app.kubernetes.io/instance: immich - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: immich - helm.sh/chart: immich-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: immich -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "10Gi" - storageClassName: "ceph-block" ---- -# Source: immich/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: immich-nfs-storage - namespace: immich - labels: - app.kubernetes.io/name: immich-nfs-storage - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich -spec: - volumeName: immich-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: immich/charts/immich/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: immich-machine-learning - labels: - app.kubernetes.io/instance: immich - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: immich - app.kubernetes.io/service: immich-machine-learning - helm.sh/chart: immich-4.4.0 - namespace: immich -spec: - type: ClusterIP - ports: - - port: 3003 - targetPort: 3003 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: machine-learning - 
app.kubernetes.io/instance: immich - app.kubernetes.io/name: immich ---- -# Source: immich/charts/immich/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: immich-main - labels: - app.kubernetes.io/instance: immich - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: immich - app.kubernetes.io/service: immich-main - helm.sh/chart: immich-4.4.0 - namespace: immich -spec: - type: ClusterIP - ports: - - port: 2283 - targetPort: 2283 - protocol: TCP - name: http - - port: 8081 - targetPort: 8081 - protocol: TCP - name: metrics-api - - port: 8082 - targetPort: 8082 - protocol: TCP - name: metrics-ms - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: immich - app.kubernetes.io/name: immich ---- -# Source: immich/charts/immich/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: immich-machine-learning - labels: - app.kubernetes.io/controller: machine-learning - app.kubernetes.io/instance: immich - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: immich - helm.sh/chart: immich-4.4.0 - namespace: immich -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: machine-learning - app.kubernetes.io/name: immich - app.kubernetes.io/instance: immich - template: - metadata: - labels: - app.kubernetes.io/controller: machine-learning - app.kubernetes.io/instance: immich - app.kubernetes.io/name: immich - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TRANSFORMERS_CACHE - value: /cache - image: ghcr.io/immich-app/immich-machine-learning:v2.3.1 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 3003 - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - name: main - readinessProbe: 
- failureThreshold: 3 - httpGet: - path: /ping - port: 3003 - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - resources: - limits: - gpu.intel.com/i915: 1 - requests: - cpu: 10m - gpu.intel.com/i915: 1 - memory: 256Mi - volumeMounts: - - mountPath: /cache - name: cache - volumes: - - name: cache - persistentVolumeClaim: - claimName: immich ---- -# Source: immich/charts/immich/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: immich-main - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: immich - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: immich - helm.sh/chart: immich-4.4.0 - namespace: immich -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: immich - app.kubernetes.io/instance: immich - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: immich - app.kubernetes.io/name: immich - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: IMMICH_TELEMETRY_INCLUDE - value: all - - name: IMMICH_CONFIG_FILE - value: /config/immich.json - - name: IMMICH_MACHINE_LEARNING_URL - value: http://immich-machine-learning.immich:3003 - - name: REDIS_HOSTNAME - value: redis-replication-immich-master - - name: DB_VECTOR_EXTENSION - value: vectorchord - - name: DB_HOSTNAME - valueFrom: - secretKeyRef: - key: host - name: immich-postgresql-17-cluster-app - - name: DB_DATABASE_NAME - valueFrom: - secretKeyRef: - key: dbname - name: immich-postgresql-17-cluster-app - - name: DB_PORT - valueFrom: - secretKeyRef: - key: port - name: immich-postgresql-17-cluster-app - - name: DB_USERNAME - valueFrom: - secretKeyRef: - key: user - name: 
immich-postgresql-17-cluster-app - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: immich-postgresql-17-cluster-app - image: ghcr.io/immich-app/immich-server:v2.3.1 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 3 - httpGet: - path: /api/server/ping - port: 2283 - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - name: main - readinessProbe: - failureThreshold: 3 - httpGet: - path: /api/server/ping - port: 2283 - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - resources: - limits: - gpu.intel.com/i915: 1 - requests: - cpu: 10m - gpu.intel.com/i915: 1 - memory: 512Mi - startupProbe: - failureThreshold: 30 - httpGet: - path: /api/server/ping - port: 2283 - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - volumeMounts: - - mountPath: /config/immich.json - mountPropagation: None - name: config - readOnly: true - subPath: immich.json - - mountPath: /usr/src/app/upload - name: media - volumes: - - name: config - secret: - secretName: immich-config-secret - - name: media - persistentVolumeClaim: - claimName: immich-nfs-storage ---- -# Source: immich/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: immich-postgresql-17-cluster - namespace: immich - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: immich-postgresql-17 - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/tensorchord/cloudnative-vectorchord:17.5-0.4.3" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "immich-postgresql-17-external-backup" - serverName: "immich-postgresql-17-backup-2" - - name: barman-cloud.cloudnative-pg.io - enabled: true - 
isWALArchiver: true - parameters: - barmanObjectName: "immich-postgresql-17-garage-local-backup" - serverName: "immich-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "immich-postgresql-17-recovery" - serverName: immich-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - shared_preload_libraries: - - vchord.so - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 256MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: immich-postgresql-17-backup-1 - - externalClusters: - - name: immich-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "immich-postgresql-17-recovery" - serverName: immich-postgresql-17-backup-1 ---- -# Source: immich/templates/external-secrets.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: immich-config-secret - namespace: immich - labels: - app.kubernetes.io/name: immich-config-secret - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: immich.json - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/immich/config - metadataPolicy: None - property: immich.json ---- -# Source: immich/templates/external-secrets.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret 
-metadata: - name: immich-postgresql-17-cluster-backup-secret - namespace: immich - labels: - app.kubernetes.io/name: immich-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: immich/templates/external-secrets.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: immich-postgresql-17-cluster-backup-secret-garage - namespace: immich - labels: - app.kubernetes.io/name: immich-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: immich/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-immich - namespace: immich - labels: - app.kubernetes.io/name: http-route-immich - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich -spec: 
- parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - immich.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: immich-main - port: 2283 - weight: 100 ---- -# Source: immich/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "immich-postgresql-17-external-backup" - namespace: immich - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: immich-postgresql-17 - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/immich/immich-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: immich-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: immich-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: immich/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "immich-postgresql-17-garage-local-backup" - namespace: immich - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: immich-postgresql-17 - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/immich/immich-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: immich-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: immich-postgresql-17-cluster-backup-secret-garage 
- key: ACCESS_SECRET_KEY - region: - name: immich-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: immich/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "immich-postgresql-17-recovery" - namespace: immich - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: immich-postgresql-17 - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/immich/immich-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: immich-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: immich-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: immich/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: immich-postgresql-17-alert-rules - namespace: immich - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: immich-postgresql-17 - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/immich-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. 
- description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: immich - cnpg_cluster: immich-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: immich - cnpg_cluster: immich-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="immich"} - cnpg_pg_replication_is_wal_receiver_up{namespace="immich"}) < 1 - for: 5m - labels: - severity: critical - namespace: immich - cnpg_cluster: immich-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. 
- description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="immich"} - cnpg_pg_replication_is_wal_receiver_up{namespace="immich"}) < 2 - for: 5m - labels: - severity: warning - namespace: immich - cnpg_cluster: immich-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "immich/immich-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="immich", pod=~"immich-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="immich", pod=~"immich-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: immich - cnpg_cluster: immich-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. 
- description: |- - CloudNativePG Cluster "immich/immich-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="immich", pod=~"immich-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="immich", pod=~"immich-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: immich - cnpg_cluster: immich-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "immich/immich-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="immich",pod=~"immich-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: immich - cnpg_cluster: immich-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "immich/immich-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="immich", pod=~"immich-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: immich - cnpg_cluster: immich-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: immich - cnpg_cluster: immich-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "immich/immich-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="immich", persistentvolumeclaim=~"immich-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="immich", persistentvolumeclaim=~"immich-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="immich", persistentvolumeclaim=~"immich-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="immich", persistentvolumeclaim=~"immich-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="immich", persistentvolumeclaim=~"immich-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="immich", persistentvolumeclaim=~"immich-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"immich-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: immich - cnpg_cluster: immich-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "immich/immich-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="immich", persistentvolumeclaim=~"immich-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="immich", persistentvolumeclaim=~"immich-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="immich", persistentvolumeclaim=~"immich-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="immich", persistentvolumeclaim=~"immich-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="immich", persistentvolumeclaim=~"immich-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="immich", persistentvolumeclaim=~"immich-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"immich-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: immich - cnpg_cluster: immich-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "immich/immich-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="immich",pod=~"immich-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: immich - cnpg_cluster: immich-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: immich - cnpg_cluster: immich-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: immich - cnpg_cluster: immich-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: immich - cnpg_cluster: immich-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "immich/immich-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="immich", pod=~"immich-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: immich - cnpg_cluster: immich-postgresql-17-cluster ---- -# Source: immich/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-immich - namespace: immich - labels: - app.kubernetes.io/name: redis-replication-immich - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.0.3 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi - redisExporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.48.0 ---- -# Source: immich/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "immich-postgresql-17-daily-backup-scheduled-backup" - namespace: immich - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: immich-postgresql-17 - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: immich-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: 
"immich-postgresql-17-external-backup" ---- -# Source: immich/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "immich-postgresql-17-live-backup-scheduled-backup" - namespace: immich - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: immich-postgresql-17 - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: immich-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "immich-postgresql-17-garage-local-backup" ---- -# Source: immich/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: immich - namespace: immich - labels: - app.kubernetes.io/name: immich - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich -spec: - selector: - matchLabels: - app.kubernetes.io/name: immich - app.kubernetes.io/instance: immich - endpoints: - - port: metrics-api - interval: 3m - scrapeTimeout: 1m - path: /metrics - - port: metrics-ms - interval: 3m - scrapeTimeout: 1m - path: /metrics ---- -# Source: immich/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: redis-replication-immich - namespace: immich - labels: - app.kubernetes.io/name: redis-replication-immich - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich - redis-operator: "true" - env: production -spec: - selector: - matchLabels: - redis_setup_type: replication - endpoints: - - port: redis-exporter - interval: 30s - scrapeTimeout: 10s 
diff --git a/clusters/cl01tl/manifests/intel-device-plugin/intel-device-plugin.yaml b/clusters/cl01tl/manifests/intel-device-plugin/intel-device-plugin.yaml
deleted file mode 100644
index 7f8332544..000000000
--- a/clusters/cl01tl/manifests/intel-device-plugin/intel-device-plugin.yaml
+++ /dev/null
@@ -1,2557 +0,0 @@ ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/crds/deviceplugin.intel.com_dlbdeviceplugins.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: dlbdeviceplugins.deviceplugin.intel.com -spec: - group: deviceplugin.intel.com - names: - kind: DlbDevicePlugin - listKind: DlbDevicePluginList - plural: dlbdeviceplugins - singular: dlbdeviceplugin - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.desiredNumberScheduled - name: Desired - type: integer - - jsonPath: .status.numberReady - name: Ready - type: integer - - jsonPath: .spec.nodeSelector - name: Node Selector - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - DEPRECATED: DlbDevicePlugin is the Schema for the dlbdeviceplugins API. It represents - the DLB device plugin responsible for advertising Intel DLB hardware resources to - the kubelet. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: DlbDevicePluginSpec defines the desired state of DlbDevicePlugin. - properties: - image: - description: Image is a container image with DLB device plugin executable. 
- type: string - initImage: - description: InitImage is a container image with a script that initializes - devices. - type: string - logLevel: - description: LogLevel sets the plugin's log level. - minimum: 0 - type: integer - nodeSelector: - additionalProperties: - type: string - description: NodeSelector provides a simple way to constrain device - plugin pods to nodes with particular labels. - type: object - tolerations: - description: Specialized nodes (e.g., with accelerators) can be Tainted - to make sure unwanted pods are not scheduled on them. Tolerations - can be set for the plugin pod to neutralize the Taint. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. 
- If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - status: - description: DlbDevicePluginStatus defines the observed state of DlbDevicePlugin. - properties: - controlledDaemonSet: - description: ControlledDaemoSet references the DaemonSet controlled - by the operator. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - desiredNumberScheduled: - description: |- - The total number of nodes that should be running the device plugin - pod (including nodes correctly running the device plugin pod). - format: int32 - type: integer - nodeNames: - description: The list of Node names where the device plugin pods are - running. - items: - type: string - type: array - numberReady: - description: |- - The number of nodes that should be running the device plugin pod and have one - or more of the device plugin pod running and ready. - format: int32 - type: integer - required: - - desiredNumberScheduled - - numberReady - type: object - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/crds/deviceplugin.intel.com_dsadeviceplugins.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: dsadeviceplugins.deviceplugin.intel.com -spec: - group: deviceplugin.intel.com - names: - kind: DsaDevicePlugin - listKind: DsaDevicePluginList - plural: dsadeviceplugins - singular: dsadeviceplugin - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.desiredNumberScheduled - name: Desired - type: integer - - jsonPath: .status.numberReady - name: Ready - type: integer - - jsonPath: .spec.nodeSelector - name: Node Selector - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - DsaDevicePlugin is the Schema for the dsadeviceplugins API. It represents - the DSA device plugin responsible for advertising Intel DSA hardware resources to - the kubelet. 
- properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: DsaDevicePluginSpec defines the desired state of DsaDevicePlugin. - properties: - image: - description: Image is a container image with DSA device plugin executable. - type: string - initImage: - description: InitImage is an initcontainer image to configure and - enable DSA devices and workqueues with idxd-config (accel-config) - utility - type: string - logLevel: - description: LogLevel sets the plugin's log level. - minimum: 0 - type: integer - nodeSelector: - additionalProperties: - type: string - description: NodeSelector provides a simple way to constrain device - plugin pods to nodes with particular labels. - type: object - provisioningConfig: - description: ProvisioningConfig is a ConfigMap used to pass the DSA - devices and workqueues configuration into idxd-config initcontainer. - type: string - sharedDevNum: - description: SharedDevNum is a number of containers that can share - the same DSA device. - minimum: 1 - type: integer - tolerations: - description: Specialized nodes (e.g., with accelerators) can be Tainted - to make sure unwanted pods are not scheduled on them. Tolerations - can be set for the plugin pod to neutralize the Taint. 
- items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - status: - description: DsaDevicePluginStatus defines the observed state of DsaDevicePlugin. - properties: - controlledDaemonSet: - description: ControlledDaemoSet references the DaemonSet controlled - by the operator. - properties: - apiVersion: - description: API version of the referent. 
- type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - desiredNumberScheduled: - description: |- - The total number of nodes that should be running the device plugin - pod (including nodes correctly running the device plugin pod). - format: int32 - type: integer - nodeNames: - description: The list of Node names where the device plugin pods are - running. 
- items: - type: string - type: array - numberReady: - description: |- - The number of nodes that should be running the device plugin pod and have one - or more of the device plugin pod running and ready. - format: int32 - type: integer - required: - - desiredNumberScheduled - - numberReady - type: object - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/crds/deviceplugin.intel.com_fpgadeviceplugins.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: fpgadeviceplugins.deviceplugin.intel.com -spec: - group: deviceplugin.intel.com - names: - kind: FpgaDevicePlugin - listKind: FpgaDevicePluginList - plural: fpgadeviceplugins - singular: fpgadeviceplugin - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.desiredNumberScheduled - name: Desired - type: integer - - jsonPath: .status.numberReady - name: Ready - type: integer - - jsonPath: .spec.nodeSelector - name: Node Selector - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - DEPRECATED: FpgaDevicePlugin is the Schema for the fpgadeviceplugins API. It represents - the FPGA device plugin responsible for advertising Intel FPGA hardware resources to - the kubelet. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. 
- Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FpgaDevicePluginSpec defines the desired state of FpgaDevicePlugin. - properties: - image: - description: Image is a container image with FPGA device plugin executable. - type: string - initImage: - description: InitImage is a container image with tools used to initialize - the host before starting FPGA workloads on it. - type: string - logLevel: - description: LogLevel sets the plugin's log level. - minimum: 0 - type: integer - mode: - description: Mode is a mode of the plugin's operation. - enum: - - af - - region - - regiondevel - type: string - nodeSelector: - additionalProperties: - type: string - description: NodeSelector provides a simple way to constrain device - plugin pods to nodes with particular labels. - type: object - tolerations: - description: Specialized nodes (e.g., with accelerators) can be Tainted - to make sure unwanted pods are not scheduled on them. Tolerations - can be set for the plugin pod to neutralize the Taint. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. 
- Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - status: - description: FpgaDevicePluginStatus defines the observed state of FpgaDevicePlugin. - properties: - controlledDaemonSet: - description: ControlledDaemoSet references the DaemonSet controlled - by the operator. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - desiredNumberScheduled: - description: |- - The total number of nodes that should be running the device plugin - pod (including nodes correctly running the device plugin pod). - format: int32 - type: integer - nodeNames: - description: The list of Node names where the device plugin pods are - running. - items: - type: string - type: array - numberReady: - description: |- - The number of nodes that should be running the device plugin pod and have one - or more of the device plugin pod running and ready. 
- format: int32 - type: integer - required: - - desiredNumberScheduled - - numberReady - type: object - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/crds/deviceplugin.intel.com_gpudeviceplugins.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: gpudeviceplugins.deviceplugin.intel.com -spec: - group: deviceplugin.intel.com - names: - kind: GpuDevicePlugin - listKind: GpuDevicePluginList - plural: gpudeviceplugins - singular: gpudeviceplugin - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.desiredNumberScheduled - name: Desired - type: integer - - jsonPath: .status.numberReady - name: Ready - type: integer - - jsonPath: .spec.nodeSelector - name: Node Selector - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - GpuDevicePlugin is the Schema for the gpudeviceplugins API. It represents - the GPU device plugin responsible for advertising Intel GPU hardware resources to - the kubelet. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GpuDevicePluginSpec defines the desired state of GpuDevicePlugin. - properties: - allowIDs: - description: |- - AllowIDs is a comma-separated list of PCI IDs of GPU devices that should only be advertised by the plugin. - If not set, all devices are advertised. - The list can contain IDs in the form of '0x1234,0x49a4,0x50b4'. - Cannot be used together with DenyIDs. - type: string - denyIDs: - description: |- - DenyIDs is a comma-separated list of PCI IDs of GPU devices that should only be denied by the plugin. - If not set, all devices are advertised. - The list can contain IDs in the form of '0x1234,0x49a4,0x50b4'. - Cannot be used together with AllowIDs. - type: string - enableMonitoring: - description: |- - EnableMonitoring enables the monitoring resource ('i915_monitoring') - which gives access to all GPU devices on given node. Typically used with Intel XPU-Manager. - type: boolean - image: - description: Image is a container image with GPU device plugin executable. - type: string - initImage: - description: InitImage is a container image with tools (e.g., GPU - NFD source hook) installed on each node. - type: string - logLevel: - description: LogLevel sets the plugin's log level. - minimum: 0 - type: integer - nodeSelector: - additionalProperties: - type: string - description: NodeSelector provides a simple way to constrain device - plugin pods to nodes with particular labels. - type: object - preferredAllocationPolicy: - description: |- - PreferredAllocationPolicy sets the mode of allocating GPU devices on a node. - See documentation for detailed description of the policies. Only valid when SharedDevNum > 1 is set. - enum: - - balanced - - packed - - none - type: string - sharedDevNum: - description: SharedDevNum is a number of containers that can share - the same GPU device. 
- minimum: 1 - type: integer - tolerations: - description: Specialized nodes (e.g., with accelerators) can be Tainted - to make sure unwanted pods are not scheduled on them. Tolerations - can be set for the plugin pod to neutralize the Taint. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - status: - description: GpuDevicePluginStatus defines the observed state of GpuDevicePlugin. - properties: - controlledDaemonSet: - description: ControlledDaemoSet references the DaemonSet controlled - by the operator. 
- properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - desiredNumberScheduled: - description: |- - The total number of nodes that should be running the device plugin - pod (including nodes correctly running the device plugin pod). - format: int32 - type: integer - nodeNames: - description: The list of Node names where the device plugin pods are - running. 
- items: - type: string - type: array - numberReady: - description: |- - The number of nodes that should be running the device plugin pod and have one - or more of the device plugin pod running and ready. - format: int32 - type: integer - required: - - desiredNumberScheduled - - numberReady - type: object - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/crds/deviceplugin.intel.com_iaadeviceplugins.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: iaadeviceplugins.deviceplugin.intel.com -spec: - group: deviceplugin.intel.com - names: - kind: IaaDevicePlugin - listKind: IaaDevicePluginList - plural: iaadeviceplugins - singular: iaadeviceplugin - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.desiredNumberScheduled - name: Desired - type: integer - - jsonPath: .status.numberReady - name: Ready - type: integer - - jsonPath: .spec.nodeSelector - name: Node Selector - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - IaaDevicePlugin is the Schema for the iaadeviceplugins API. It represents - the IAA device plugin responsible for advertising Intel IAA hardware resources to - the kubelet. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. 
- In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IaaDevicePluginSpec defines the desired state of IaaDevicePlugin. - properties: - image: - description: Image is a container image with IAA device plugin executable. - type: string - initImage: - description: InitImage is an initcontainer image to configure and - enable IAA devices and workqueues with accel-config utility - type: string - logLevel: - description: LogLevel sets the plugin's log level. - minimum: 0 - type: integer - nodeSelector: - additionalProperties: - type: string - description: NodeSelector provides a simple way to constrain device - plugin pods to nodes with particular labels. - type: object - provisioningConfig: - description: ProvisioningConfig is a ConfigMap used to pass the IAA - configuration into idxd initcontainer. - type: string - sharedDevNum: - description: SharedDevNum is a number of containers that can share - the same IAA device. - minimum: 1 - type: integer - tolerations: - description: Specialized nodes (e.g., with accelerators) can be Tainted - to make sure unwanted pods are not scheduled on them. Tolerations - can be set for the plugin pod to neutralize the Taint. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. 
- Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - status: - description: IaaDevicePluginStatus defines the observed state of IaaDevicePlugin. - properties: - controlledDaemonSet: - description: ControlledDaemoSet references the DaemonSet controlled - by the operator. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - desiredNumberScheduled: - description: |- - The total number of nodes that should be running the device plugin - pod (including nodes correctly running the device plugin pod). - format: int32 - type: integer - nodeNames: - description: The list of Node names where the device plugin pods are - running. - items: - type: string - type: array - numberReady: - description: |- - The number of nodes that should be running the device plugin pod and have one - or more of the device plugin pod running and ready. 
- format: int32 - type: integer - required: - - desiredNumberScheduled - - numberReady - type: object - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/crds/deviceplugin.intel.com_npudeviceplugins.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: npudeviceplugins.deviceplugin.intel.com -spec: - group: deviceplugin.intel.com - names: - kind: NpuDevicePlugin - listKind: NpuDevicePluginList - plural: npudeviceplugins - singular: npudeviceplugin - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.desiredNumberScheduled - name: Desired - type: integer - - jsonPath: .status.numberReady - name: Ready - type: integer - - jsonPath: .spec.nodeSelector - name: Node Selector - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - NpuDevicePlugin is the Schema for the npudeviceplugins API. It represents - the NPU device plugin responsible for advertising Intel NPU hardware resources to - the kubelet. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: NpuDevicePluginSpec defines the desired state of NpuDevicePlugin. - properties: - image: - description: Image is a container image with NPU device plugin executable. - type: string - logLevel: - description: LogLevel sets the plugin's log level. - minimum: 0 - type: integer - nodeSelector: - additionalProperties: - type: string - description: NodeSelector provides a simple way to constrain device - plugin pods to nodes with particular labels. - type: object - sharedDevNum: - description: SharedDevNum is a number of containers that can share - the same NPU device. - minimum: 1 - type: integer - tolerations: - description: Specialized nodes (e.g., with accelerators) can be Tainted - to make sure unwanted pods are not scheduled on them. Tolerations - can be set for the plugin pod to neutralize the Taint. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. 
- type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - status: - description: NpuDevicePluginStatus defines the observed state of NpuDevicePlugin. - properties: - controlledDaemonSet: - description: ControlledDaemoSet references the DaemonSet controlled - by the operator. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - desiredNumberScheduled: - description: |- - The total number of nodes that should be running the device plugin - pod (including nodes correctly running the device plugin pod). - format: int32 - type: integer - nodeNames: - description: The list of Node names where the device plugin pods are - running. - items: - type: string - type: array - numberReady: - description: |- - The number of nodes that should be running the device plugin pod and have one - or more of the device plugin pod running and ready. 
- format: int32 - type: integer - required: - - desiredNumberScheduled - - numberReady - type: object - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/crds/deviceplugin.intel.com_qatdeviceplugins.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: qatdeviceplugins.deviceplugin.intel.com -spec: - group: deviceplugin.intel.com - names: - kind: QatDevicePlugin - listKind: QatDevicePluginList - plural: qatdeviceplugins - singular: qatdeviceplugin - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.desiredNumberScheduled - name: Desired - type: integer - - jsonPath: .status.numberReady - name: Ready - type: integer - - jsonPath: .spec.nodeSelector - name: Node Selector - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - QatDevicePlugin is the Schema for the qatdeviceplugins API. It represents the QAT device - plugin responsible for advertising Intel QuickAssist Technology hardware resources - to the kubelet. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: QatDevicePluginSpec defines the desired state of QatDevicePlugin. - properties: - dpdkDriver: - description: DpdkDriver is a DPDK device driver for configuring the - QAT device. - enum: - - igb_uio - - vfio-pci - type: string - image: - description: Image is a container image with QAT device plugin executable. - type: string - initImage: - description: InitImage is a container image with a script that initialize - devices. - type: string - kernelVfDrivers: - description: KernelVfDrivers is a list of VF device drivers for the - QuickAssist devices in the system. - items: - description: KernelVfDriver is a VF device driver for QuickAssist - devices. - enum: - - dh895xccvf - - c6xxvf - - c3xxxvf - - d15xxvf - - 4xxxvf - - 420xxvf - - c4xxxvf - - 6xxxvf - type: string - type: array - logLevel: - description: LogLevel sets the plugin's log level. - minimum: 0 - type: integer - maxNumDevices: - description: MaxNumDevices is a maximum number of QAT devices to be - provided to the QuickAssist device plugin - minimum: 1 - type: integer - nodeSelector: - additionalProperties: - type: string - description: NodeSelector provides a simple way to constrain device - plugin pods to nodes with particular labels. - type: object - preferredAllocationPolicy: - description: |- - PreferredAllocationPolicy sets the mode of allocating QAT devices on a node. - See documentation for detailed description of the policies. - enum: - - balanced - - packed - type: string - provisioningConfig: - description: ProvisioningConfig is a ConfigMap used to pass the configuration - of QAT devices into qat initcontainer. - type: string - tolerations: - description: Specialized nodes (e.g., with accelerators) can be Tainted - to make sure unwanted pods are not scheduled on them. 
Tolerations - can be set for the plugin pod to neutralize the Taint. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - status: - description: QatDevicePluginStatus defines the observed state of QatDevicePlugin. - properties: - controlledDaemonSet: - description: ControlledDaemoSet references the DaemonSet controlled - by the operator. - properties: - apiVersion: - description: API version of the referent. 
- type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - desiredNumberScheduled: - description: |- - The total number of nodes that should be running the device plugin - pod (including nodes correctly running the device plugin pod). - format: int32 - type: integer - nodeNames: - description: The list of Node names where the device plugin pods are - running. 
- items: - type: string - type: array - numberReady: - description: |- - The number of nodes that should be running the device plugin pod and have one - or more of the device plugin pod running and ready. - format: int32 - type: integer - required: - - desiredNumberScheduled - - numberReady - type: object - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/crds/deviceplugin.intel.com_sgxdeviceplugins.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: sgxdeviceplugins.deviceplugin.intel.com -spec: - group: deviceplugin.intel.com - names: - kind: SgxDevicePlugin - listKind: SgxDevicePluginList - plural: sgxdeviceplugins - singular: sgxdeviceplugin - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.desiredNumberScheduled - name: Desired - type: integer - - jsonPath: .status.numberReady - name: Ready - type: integer - - jsonPath: .spec.nodeSelector - name: Node Selector - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - SgxDevicePlugin is the Schema for the sgxdeviceplugins API. It represents - the SGX device plugin responsible for advertising SGX device nodes to - the kubelet. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SgxDevicePluginSpec defines the desired state of SgxDevicePlugin. - properties: - dcapInfraResources: - description: DcapInfraResources flag enables two special resources - for Intel DCAP infrastructure containers. - type: boolean - enclaveLimit: - description: EnclaveLimit is a number of containers that can share - the same SGX enclave device. - minimum: 1 - type: integer - image: - description: Image is a container image with SGX device plugin executable. - type: string - initImage: - description: |- - InitImage is a container image with tools (i.e., SGX NFD source hook) installed on each node. - Recommendation is to leave this unset and prefer the SGX NodeFeatureRule instead. - type: string - logLevel: - description: LogLevel sets the plugin's log level. - minimum: 0 - type: integer - nodeSelector: - additionalProperties: - type: string - description: NodeSelector provides a simple way to constrain device - plugin pods to nodes with particular labels. - type: object - provisionLimit: - description: ProvisionLimit is a number of containers that can share - the same SGX provision device. - minimum: 1 - type: integer - tolerations: - description: Specialized nodes (e.g., with accelerators) can be Tainted - to make sure unwanted pods are not scheduled on them. Tolerations - can be set for the plugin pod to neutralize the Taint. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. 
Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - status: - description: SgxDevicePluginStatus defines the observed state of SgxDevicePlugin. - properties: - controlledDaemonSet: - description: ControlledDaemoSet references the DaemonSet controlled - by the operator. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. 
- type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - desiredNumberScheduled: - description: |- - The total number of nodes that should be running the device plugin - pod (including nodes correctly running the device plugin pod). - format: int32 - type: integer - nodeNames: - description: The list of Node names where the device plugin pods are - running. - items: - type: string - type: array - numberReady: - description: |- - The number of nodes that should be running the device plugin pod and have one - or more of the device plugin pod running and ready. 
- format: int32 - type: integer - required: - - desiredNumberScheduled - - numberReady - type: object - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/crds/fpga.intel.com_acceleratorfunctions.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: acceleratorfunctions.fpga.intel.com -spec: - group: fpga.intel.com - names: - kind: AcceleratorFunction - listKind: AcceleratorFunctionList - plural: acceleratorfunctions - shortNames: - - af - singular: acceleratorfunction - scope: Namespaced - versions: - - name: v2 - schema: - openAPIV3Schema: - description: |- - AcceleratorFunction is a specification for an Accelerator Function resource - provided by a FPGA-based programmable hardware accelerator. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AcceleratorFunctionSpec contains actual specs for AcceleratorFunction. 
- properties: - afuId: - pattern: ^[0-9a-f]{8,40}$ - type: string - interfaceId: - pattern: ^[0-9a-f]{8,32}$ - type: string - mode: - pattern: ^af|region$ - type: string - required: - - afuId - - interfaceId - - mode - type: object - status: - description: AcceleratorFunctionStatus is an empty object used to satisfy - operator-sdk. - type: object - required: - - spec - type: object - served: true - storage: true - ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/crds/fpga.intel.com_fpgaregions.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: fpgaregions.fpga.intel.com -spec: - group: fpga.intel.com - names: - kind: FpgaRegion - listKind: FpgaRegionList - plural: fpgaregions - shortNames: - - fpga - singular: fpgaregion - scope: Namespaced - versions: - - name: v2 - schema: - openAPIV3Schema: - description: |- - FpgaRegion is a specification for a FPGA region resource which can be programmed - with a bitstream. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FpgaRegionSpec contains actual specs for FpgaRegion. 
- properties: - interfaceId: - pattern: ^[0-9a-f]{8,32}$ - type: string - required: - - interfaceId - type: object - status: - description: FpgaRegionStatus is an empty object used to satisfy operator-sdk. - type: object - required: - - spec - type: object - served: true - storage: true - ---- -# Source: intel-device-plugin/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: intel-device-plugin - labels: - app.kubernetes.io/name: intel-device-plugin - app.kubernetes.io/instance: intel-device-plugin - app.kubernetes.io/part-of: intel-device-plugin - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/templates/operator.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: inteldeviceplugins-gpu-manager-role -rules: -- apiGroups: - - "" - resources: - - pods - verbs: - - list ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/templates/operator.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: inteldeviceplugins-manager-role -rules: -- apiGroups: - - "" - resources: - - nodes/proxy - verbs: - - get - - list -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - create - - delete - - get - - list - - watch -- apiGroups: - - apps - resources: - - daemonsets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -- apiGroups: - - coordination.k8s.io - resourceNames: - - d1c7b6d5.intel.com - resources: - - leases - verbs: - - get - - update -- apiGroups: - - deviceplugin.intel.com - resources: - - dlbdeviceplugins - - dsadeviceplugins - - fpgadeviceplugins - 
- gpudeviceplugins - - iaadeviceplugins - - npudeviceplugins - - qatdeviceplugins - - sgxdeviceplugins - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - deviceplugin.intel.com - resources: - - dlbdeviceplugins/finalizers - - dsadeviceplugins/finalizers - - fpgadeviceplugins/finalizers - - gpudeviceplugins/finalizers - - iaadeviceplugins/finalizers - - qatdeviceplugins/finalizers - - sgxdeviceplugins/finalizers - verbs: - - update -- apiGroups: - - deviceplugin.intel.com - resources: - - dlbdeviceplugins/status - - dsadeviceplugins/status - - fpgadeviceplugins/status - - gpudeviceplugins/status - - iaadeviceplugins/status - - qatdeviceplugins/status - - sgxdeviceplugins/status - verbs: - - get - - patch - - update -- apiGroups: - - fpga.intel.com - resources: - - acceleratorfunctions - - fpgaregions - verbs: - - get - - list - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - verbs: - - create - - delete - - get - - list - - watch -- apiGroups: - - security.openshift.io - resourceNames: - - privileged - resources: - - securitycontextconstraints - verbs: - - use ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/templates/operator.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: inteldeviceplugins-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/templates/operator.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: inteldeviceplugins-auth-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/templates/operator.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding 
-metadata: - name: inteldeviceplugins-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: inteldeviceplugins-manager-role -subjects: -- kind: ServiceAccount - name: default - namespace: "intel-device-plugin" ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/templates/operator.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: inteldeviceplugins-auth-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: inteldeviceplugins-auth-role -subjects: -- kind: ServiceAccount - name: default - namespace: "intel-device-plugin" ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/templates/operator.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: inteldeviceplugins-leader-election-role - namespace: "intel-device-plugin" -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/templates/operator.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: inteldeviceplugins-leader-election-rolebinding - namespace: "intel-device-plugin" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: inteldeviceplugins-leader-election-role -subjects: -- kind: ServiceAccount - name: default - namespace: "intel-device-plugin" ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/templates/operator.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - name: inteldeviceplugins-controller-manager-metrics-service - namespace: "intel-device-plugin" -spec: - 
ports: - - name: https - port: 8443 - targetPort: https - selector: - control-plane: controller-manager ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/templates/operator.yaml -apiVersion: v1 -kind: Service -metadata: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" -spec: - ports: - - port: 443 - targetPort: 9443 - selector: - control-plane: controller-manager ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/templates/operator.yaml ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - control-plane: controller-manager - name: inteldeviceplugins-controller-manager - namespace: "intel-device-plugin" -spec: - replicas: 1 - selector: - matchLabels: - control-plane: controller-manager - template: - metadata: - labels: - control-plane: controller-manager - spec: - containers: - - args: - - "--metrics-bind-address=:8443" - - "--metrics-secure" - - "--health-probe-bind-address=:8081" - - "--leader-elect" - env: - - name: DEVICEPLUGIN_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: "intel/intel-deviceplugin-operator:0.34.0" - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - resources: - limits: - cpu: 100m - memory: 120Mi - requests: - cpu: 100m - memory: 100Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - nodeSelector: - kubernetes.io/arch: amd64 - serviceAccountName: default - terminationGracePeriodSeconds: 10 - 
volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert - tolerations: - [] ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/templates/operator.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: inteldeviceplugins-serving-cert - namespace: "intel-device-plugin" -spec: - dnsNames: - - inteldeviceplugins-webhook-service.intel-device-plugin.svc - - inteldeviceplugins-webhook-service.intel-device-plugin.svc.cluster.local - issuerRef: - kind: Issuer - name: inteldeviceplugins-selfsigned-issuer - secretName: webhook-server-cert ---- -# Source: intel-device-plugin/charts/intel-device-plugins-gpu/templates/gpu.yaml -apiVersion: deviceplugin.intel.com/v1 -kind: GpuDevicePlugin -metadata: - name: gpudeviceplugin - annotations: - null -spec: - image: "intel/intel-gpu-plugin:0.34.0" - logLevel: 2 - sharedDevNum: 5 - enableMonitoring: true - preferredAllocationPolicy: none - allowIDs: "" - denyIDs: "" - - nodeSelector: - intel.feature.node.kubernetes.io/gpu: "true" - tolerations: - [] ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/templates/operator.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: inteldeviceplugins-selfsigned-issuer - namespace: "intel-device-plugin" -spec: - selfSigned: {} ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/templates/operator.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: intel-device-plugin/inteldeviceplugins-serving-cert - name: inteldeviceplugins-mutating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" - path: /mutate-deviceplugin-intel-com-v1-dlbdeviceplugin - failurePolicy: Fail - name: mdlbdeviceplugin.kb.io - rules: - - apiGroups: - - deviceplugin.intel.com - apiVersions: 
- - v1 - operations: - - CREATE - - UPDATE - resources: - - dlbdeviceplugins - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" - path: /mutate-deviceplugin-intel-com-v1-dsadeviceplugin - failurePolicy: Fail - name: mdsadeviceplugin.kb.io - rules: - - apiGroups: - - deviceplugin.intel.com - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - dsadeviceplugins - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" - path: /mutate-deviceplugin-intel-com-v1-fpgadeviceplugin - failurePolicy: Fail - name: mfpgadeviceplugin.kb.io - rules: - - apiGroups: - - deviceplugin.intel.com - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - fpgadeviceplugins - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" - path: /mutate-deviceplugin-intel-com-v1-gpudeviceplugin - failurePolicy: Fail - name: mgpudeviceplugin.kb.io - rules: - - apiGroups: - - deviceplugin.intel.com - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - gpudeviceplugins - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" - path: /mutate-deviceplugin-intel-com-v1-iaadeviceplugin - failurePolicy: Fail - name: miaadeviceplugin.kb.io - rules: - - apiGroups: - - deviceplugin.intel.com - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - iaadeviceplugins - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" - path: /mutate-deviceplugin-intel-com-v1-qatdeviceplugin - failurePolicy: Fail - name: 
mqatdeviceplugin.kb.io - rules: - - apiGroups: - - deviceplugin.intel.com - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - qatdeviceplugins - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" - path: /mutate-deviceplugin-intel-com-v1-sgxdeviceplugin - failurePolicy: Fail - name: msgxdeviceplugin.kb.io - rules: - - apiGroups: - - deviceplugin.intel.com - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - sgxdeviceplugins - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" - path: /pods - failurePolicy: Ignore - name: fpga.mutator.webhooks.intel.com - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - resources: - - pods - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" - path: /mutate--v1-pod - failurePolicy: Ignore - name: sgx.mutator.webhooks.intel.com - reinvocationPolicy: IfNeeded - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - resources: - - pods - sideEffects: None ---- -# Source: intel-device-plugin/charts/intel-device-plugins-operator/templates/operator.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: intel-device-plugin/inteldeviceplugins-serving-cert - name: inteldeviceplugins-validating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" - path: /validate-deviceplugin-intel-com-v1-dlbdeviceplugin - failurePolicy: Fail - name: vdlbdeviceplugin.kb.io - rules: - - apiGroups: - - deviceplugin.intel.com - apiVersions: - 
- v1 - operations: - - CREATE - - UPDATE - resources: - - dlbdeviceplugins - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" - path: /validate-deviceplugin-intel-com-v1-dsadeviceplugin - failurePolicy: Fail - name: vdsadeviceplugin.kb.io - rules: - - apiGroups: - - deviceplugin.intel.com - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - dsadeviceplugins - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" - path: /validate-deviceplugin-intel-com-v1-fpgadeviceplugin - failurePolicy: Fail - name: vfpgadeviceplugin.kb.io - rules: - - apiGroups: - - deviceplugin.intel.com - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - fpgadeviceplugins - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" - path: /validate-deviceplugin-intel-com-v1-gpudeviceplugin - failurePolicy: Fail - name: vgpudeviceplugin.kb.io - rules: - - apiGroups: - - deviceplugin.intel.com - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - gpudeviceplugins - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" - path: /validate-deviceplugin-intel-com-v1-iaadeviceplugin - failurePolicy: Fail - name: viaadeviceplugin.kb.io - rules: - - apiGroups: - - deviceplugin.intel.com - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - iaadeviceplugins - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" - path: /validate-deviceplugin-intel-com-v1-qatdeviceplugin - failurePolicy: Fail - name: 
vqatdeviceplugin.kb.io - rules: - - apiGroups: - - deviceplugin.intel.com - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - qatdeviceplugins - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: inteldeviceplugins-webhook-service - namespace: "intel-device-plugin" - path: /validate-deviceplugin-intel-com-v1-sgxdeviceplugin - failurePolicy: Fail - name: vsgxdeviceplugin.kb.io - rules: - - apiGroups: - - deviceplugin.intel.com - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - sgxdeviceplugins - sideEffects: None diff --git a/clusters/cl01tl/manifests/jellyfin/jellyfin.yaml b/clusters/cl01tl/manifests/jellyfin/jellyfin.yaml deleted file mode 100644 index 030774d51..000000000 --- a/clusters/cl01tl/manifests/jellyfin/jellyfin.yaml +++ /dev/null 
@@ -1,326 +0,0 @@ ---- -# Source: jellyfin/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: jellyfin-nfs-storage - namespace: jellyfin - labels: - app.kubernetes.io/name: jellyfin-nfs-storage - app.kubernetes.io/instance: jellyfin - app.kubernetes.io/part-of: jellyfin -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: jellyfin/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: jellyfin-youtube-nfs-storage - namespace: jellyfin - labels: - app.kubernetes.io/name: jellyfin-youtube-nfs-storage - app.kubernetes.io/instance: jellyfin - app.kubernetes.io/part-of: jellyfin -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadOnlyMany - nfs: - path: /volume2/Storage/YouTube - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: jellyfin/charts/jellyfin/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: jellyfin-config - labels: - app.kubernetes.io/instance: jellyfin - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: jellyfin - helm.sh/chart: jellyfin-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: jellyfin -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "100Gi" - storageClassName: "ceph-block" ---- -# Source: jellyfin/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: jellyfin-nfs-storage - namespace: jellyfin - labels: - app.kubernetes.io/name: jellyfin-nfs-storage - app.kubernetes.io/instance: jellyfin - app.kubernetes.io/part-of: jellyfin -spec: - volumeName: jellyfin-nfs-storage - 
storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: jellyfin/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: jellyfin-youtube-nfs-storage - namespace: jellyfin - labels: - app.kubernetes.io/name: jellyfin-youtube-nfs-storage - app.kubernetes.io/instance: jellyfin - app.kubernetes.io/part-of: jellyfin -spec: - volumeName: jellyfin-youtube-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadOnlyMany - resources: - requests: - storage: 1Gi ---- -# Source: jellyfin/charts/jellyfin/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: jellyfin - labels: - app.kubernetes.io/instance: jellyfin - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: jellyfin - app.kubernetes.io/service: jellyfin - helm.sh/chart: jellyfin-4.4.0 - namespace: jellyfin -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8096 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: jellyfin - app.kubernetes.io/name: jellyfin ---- -# Source: jellyfin/charts/jellyfin/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: jellyfin - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: jellyfin - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: jellyfin - helm.sh/chart: jellyfin-4.4.0 - namespace: jellyfin -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: jellyfin - app.kubernetes.io/instance: jellyfin - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: jellyfin - app.kubernetes.io/name: jellyfin - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - 
dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: JELLYFIN_hostwebclient - value: "true" - - name: JELLYFIN_PublishedServerUrl - value: https://jellyfin.alexlebens.net/ - image: ghcr.io/jellyfin/jellyfin:10.11.4 - imagePullPolicy: IfNotPresent - name: main - resources: - limits: - gpu.intel.com/i915: 1 - requests: - cpu: 1 - gpu.intel.com/i915: 1 - memory: 2Gi - volumeMounts: - - mountPath: /cache - name: cache - - mountPath: /config - name: config - - mountPath: /mnt/store - name: media - - mountPath: /mnt/youtube - name: youtube - readOnly: true - volumes: - - emptyDir: {} - name: cache - - name: config - persistentVolumeClaim: - claimName: jellyfin-config - - name: media - persistentVolumeClaim: - claimName: jellyfin-nfs-storage - - name: youtube - persistentVolumeClaim: - claimName: jellyfin-youtube-nfs-storage ---- -# Source: jellyfin/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: jellyfin-config-backup-secret - namespace: jellyfin - labels: - app.kubernetes.io/name: jellyfin-config-backup-secret - app.kubernetes.io/instance: jellyfin - app.kubernetes.io/part-of: jellyfin -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/jellyfin/jellyfin-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: 
AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: jellyfin/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-jellyfin - namespace: jellyfin - labels: - app.kubernetes.io/name: http-route-jellyfin - app.kubernetes.io/instance: jellyfin - app.kubernetes.io/part-of: jellyfin -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - jellyfin.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: jellyfin - port: 80 - weight: 100 ---- -# Source: jellyfin/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: jellyfin-config-backup-source - namespace: jellyfin - labels: - app.kubernetes.io/name: jellyfin-config-backup-source - app.kubernetes.io/instance: jellyfin - app.kubernetes.io/part-of: jellyfin -spec: - sourcePVC: jellyfin-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: jellyfin-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot - cacheCapacity: 10Gi diff --git a/clusters/cl01tl/manifests/jellystat/jellystat.yaml b/clusters/cl01tl/manifests/jellystat/jellystat.yaml deleted file mode 100644 index eed5685aa..000000000 --- a/clusters/cl01tl/manifests/jellystat/jellystat.yaml +++ /dev/null 
@@ -1,861 +0,0 @@ ---- -# Source: jellystat/charts/jellystat/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: jellystat-data - labels: - app.kubernetes.io/instance: jellystat - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: jellystat - helm.sh/chart: jellystat-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: jellystat -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: jellystat/charts/jellystat/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: jellystat - labels: - app.kubernetes.io/instance: jellystat - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: jellystat - app.kubernetes.io/service: jellystat - helm.sh/chart: jellystat-4.4.0 - namespace: jellystat -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 3000 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: jellystat - app.kubernetes.io/name: jellystat ---- -# Source: jellystat/charts/jellystat/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: jellystat - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: jellystat - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: jellystat - helm.sh/chart: jellystat-4.4.0 - namespace: jellystat -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: jellystat - app.kubernetes.io/instance: jellystat - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: jellystat - app.kubernetes.io/name: jellystat - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - 
name: TZ - value: US/Central - - name: JWT_SECRET - valueFrom: - secretKeyRef: - key: secret-key - name: jellystat-secret - - name: JS_USER - valueFrom: - secretKeyRef: - key: user - name: jellystat-secret - - name: JS_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: jellystat-secret - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - key: username - name: jellystat-postgresql-17-cluster-app - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: jellystat-postgresql-17-cluster-app - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - key: dbname - name: jellystat-postgresql-17-cluster-app - - name: POSTGRES_IP - valueFrom: - secretKeyRef: - key: host - name: jellystat-postgresql-17-cluster-app - - name: POSTGRES_PORT - valueFrom: - secretKeyRef: - key: port - name: jellystat-postgresql-17-cluster-app - image: cyfershepard/jellystat:1.1.6 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /app/backend/backup-data - name: data - volumes: - - name: data - persistentVolumeClaim: - claimName: jellystat-data ---- -# Source: jellystat/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: jellystat-postgresql-17-cluster - namespace: jellystat - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: jellystat-postgresql-17 - app.kubernetes.io/instance: jellystat - app.kubernetes.io/part-of: jellystat - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "jellystat-postgresql-17-external-backup" - serverName: "jellystat-postgresql-17-backup-1" - - name: 
barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "jellystat-postgresql-17-garage-local-backup" - serverName: "jellystat-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "jellystat-postgresql-17-recovery" - serverName: jellystat-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: jellystat-postgresql-17-backup-1 - - externalClusters: - - name: jellystat-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "jellystat-postgresql-17-recovery" - serverName: jellystat-postgresql-17-backup-1 ---- -# Source: jellystat/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: jellystat-secret - namespace: jellystat - labels: - app.kubernetes.io/name: jellystat-secret - app.kubernetes.io/instance: jellystat - app.kubernetes.io/part-of: jellystat -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: secret-key - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/jellystat/auth - metadataPolicy: None - property: secret-key - - secretKey: user - remoteRef: - conversionStrategy: Default - decodingStrategy: 
None - key: /cl01tl/jellystat/auth - metadataPolicy: None - property: user - - secretKey: password - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/jellystat/auth - metadataPolicy: None - property: password ---- -# Source: jellystat/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: jellystat-data-backup-secret - namespace: jellystat - labels: - app.kubernetes.io/name: jellystat-data-backup-secret - app.kubernetes.io/instance: jellystat - app.kubernetes.io/part-of: jellystat -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/jellystat/jellystat-data" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: jellystat/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: jellystat-postgresql-17-cluster-backup-secret - namespace: jellystat - labels: - app.kubernetes.io/name: 
jellystat-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: jellystat - app.kubernetes.io/part-of: jellystat -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: jellystat/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: jellystat-postgresql-17-cluster-backup-secret-garage - namespace: jellystat - labels: - app.kubernetes.io/name: jellystat-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: jellystat - app.kubernetes.io/part-of: jellystat -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: jellystat/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-jellystat - namespace: jellystat - labels: - app.kubernetes.io/name: http-route-jellystat - app.kubernetes.io/instance: jellystat - app.kubernetes.io/part-of: jellystat -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: 
traefik-gateway - namespace: traefik - hostnames: - - jellystat.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: jellystat - port: 80 - weight: 100 ---- -# Source: jellystat/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "jellystat-postgresql-17-external-backup" - namespace: jellystat - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: jellystat-postgresql-17 - app.kubernetes.io/instance: jellystat - app.kubernetes.io/part-of: jellystat - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/jellystat/jellystat-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: jellystat-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: jellystat-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: jellystat/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "jellystat-postgresql-17-garage-local-backup" - namespace: jellystat - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: jellystat-postgresql-17 - app.kubernetes.io/instance: jellystat - app.kubernetes.io/part-of: jellystat - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/jellystat/jellystat-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: jellystat-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: jellystat-postgresql-17-cluster-backup-secret-garage - key: 
ACCESS_SECRET_KEY - region: - name: jellystat-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: jellystat/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "jellystat-postgresql-17-recovery" - namespace: jellystat - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: jellystat-postgresql-17 - app.kubernetes.io/instance: jellystat - app.kubernetes.io/part-of: jellystat - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/jellystat/jellystat-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: jellystat-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: jellystat-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: jellystat/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: jellystat-postgresql-17-alert-rules - namespace: jellystat - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: jellystat-postgresql-17 - app.kubernetes.io/instance: jellystat - app.kubernetes.io/part-of: jellystat - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/jellystat-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. 
- description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: jellystat - cnpg_cluster: jellystat-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: jellystat - cnpg_cluster: jellystat-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="jellystat"} - cnpg_pg_replication_is_wal_receiver_up{namespace="jellystat"}) < 1 - for: 5m - labels: - severity: critical - namespace: jellystat - cnpg_cluster: jellystat-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. 
- description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="jellystat"} - cnpg_pg_replication_is_wal_receiver_up{namespace="jellystat"}) < 2 - for: 5m - labels: - severity: warning - namespace: jellystat - cnpg_cluster: jellystat-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "jellystat/jellystat-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="jellystat", pod=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="jellystat", pod=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: jellystat - cnpg_cluster: jellystat-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. 
- description: |- - CloudNativePG Cluster "jellystat/jellystat-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="jellystat", pod=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="jellystat", pod=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: jellystat - cnpg_cluster: jellystat-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "jellystat/jellystat-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="jellystat",pod=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: jellystat - cnpg_cluster: jellystat-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "jellystat/jellystat-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="jellystat", pod=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: jellystat - cnpg_cluster: jellystat-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: jellystat - cnpg_cluster: jellystat-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "jellystat/jellystat-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="jellystat", persistentvolumeclaim=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="jellystat", persistentvolumeclaim=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="jellystat", persistentvolumeclaim=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="jellystat", persistentvolumeclaim=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="jellystat", persistentvolumeclaim=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="jellystat", persistentvolumeclaim=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: jellystat - cnpg_cluster: jellystat-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "jellystat/jellystat-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="jellystat", persistentvolumeclaim=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="jellystat", persistentvolumeclaim=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="jellystat", persistentvolumeclaim=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="jellystat", persistentvolumeclaim=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="jellystat", persistentvolumeclaim=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="jellystat", persistentvolumeclaim=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: jellystat - cnpg_cluster: jellystat-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "jellystat/jellystat-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="jellystat",pod=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: jellystat - cnpg_cluster: jellystat-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: jellystat - cnpg_cluster: jellystat-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: jellystat - cnpg_cluster: jellystat-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: jellystat - cnpg_cluster: jellystat-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "jellystat/jellystat-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="jellystat", pod=~"jellystat-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: jellystat - cnpg_cluster: jellystat-postgresql-17-cluster ---- -# Source: jellystat/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: jellystat-data-backup-source - namespace: jellystat - labels: - app.kubernetes.io/name: jellystat-data-backup-source - app.kubernetes.io/instance: jellystat - app.kubernetes.io/part-of: jellystat -spec: - sourcePVC: jellystat-data - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: jellystat-data-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: jellystat/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "jellystat-postgresql-17-daily-backup-scheduled-backup" - namespace: jellystat - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: jellystat-postgresql-17 - app.kubernetes.io/instance: jellystat - app.kubernetes.io/part-of: jellystat - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: jellystat-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "jellystat-postgresql-17-external-backup" ---- -# Source: 
jellystat/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "jellystat-postgresql-17-live-backup-scheduled-backup" - namespace: jellystat - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: jellystat-postgresql-17 - app.kubernetes.io/instance: jellystat - app.kubernetes.io/part-of: jellystat - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: jellystat-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "jellystat-postgresql-17-garage-local-backup" diff --git a/clusters/cl01tl/manifests/karakeep/karakeep.yaml b/clusters/cl01tl/manifests/karakeep/karakeep.yaml deleted file mode 100644 index d243af100..000000000 --- a/clusters/cl01tl/manifests/karakeep/karakeep.yaml +++ /dev/null 
@@ -1,712 +0,0 @@ ---- -# Source: karakeep/charts/meilisearch/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: karakeep-meilisearch - labels: - helm.sh/chart: meilisearch-0.17.2 - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: karakeep - app.kubernetes.io/version: "v1.18.0" - app.kubernetes.io/component: search-engine - app.kubernetes.io/part-of: meilisearch - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: false ---- -# Source: karakeep/charts/meilisearch/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: karakeep-meilisearch-environment - labels: - helm.sh/chart: meilisearch-0.17.2 - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: karakeep - app.kubernetes.io/version: "v1.18.0" - app.kubernetes.io/component: search-engine - app.kubernetes.io/part-of: meilisearch - app.kubernetes.io/managed-by: Helm -data: - MEILI_ENV: "production" - MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE: "true" - MEILI_NO_ANALYTICS: "true" - MEILI_EXPERIMENTAL_ENABLE_METRICS: "true" ---- -# Source: karakeep/charts/karakeep/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: karakeep - labels: - app.kubernetes.io/instance: karakeep - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: karakeep - helm.sh/chart: karakeep-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: karakeep -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "10Gi" - storageClassName: "ceph-block" ---- -# Source: karakeep/charts/meilisearch/templates/pvc.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: karakeep-meilisearch - labels: - helm.sh/chart: meilisearch-0.17.2 - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: karakeep - app.kubernetes.io/version: "v1.18.0" - app.kubernetes.io/component: search-engine - app.kubernetes.io/part-of: meilisearch - app.kubernetes.io/managed-by: Helm 
-spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "10Gi" - storageClassName: "ceph-block" ---- -# Source: karakeep/charts/karakeep/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: karakeep - labels: - app.kubernetes.io/instance: karakeep - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: karakeep - app.kubernetes.io/service: karakeep - helm.sh/chart: karakeep-4.4.0 - namespace: karakeep -spec: - type: ClusterIP - ports: - - port: 9222 - targetPort: 9222 - protocol: TCP - name: chrome - - port: 3000 - targetPort: 3000 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: karakeep - app.kubernetes.io/name: karakeep ---- -# Source: karakeep/charts/meilisearch/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: karakeep-meilisearch - labels: - helm.sh/chart: meilisearch-0.17.2 - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: karakeep - app.kubernetes.io/version: "v1.18.0" - app.kubernetes.io/component: search-engine - app.kubernetes.io/part-of: meilisearch - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 7700 - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: karakeep ---- -# Source: karakeep/charts/cloudflared/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: karakeep-cloudflared - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: karakeep - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cloudflared - app.kubernetes.io/version: 2025.10.0 - helm.sh/chart: cloudflared-1.23.1 - namespace: karakeep -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: cloudflared - app.kubernetes.io/instance: karakeep - template: - metadata: - 
labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: karakeep - app.kubernetes.io/name: cloudflared - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - tunnel - - --protocol - - http2 - - --no-autoupdate - - run - - --token - - $(CF_MANAGED_TUNNEL_TOKEN) - env: - - name: CF_MANAGED_TUNNEL_TOKEN - valueFrom: - secretKeyRef: - key: cf-tunnel-token - name: karakeep-cloudflared-secret - image: cloudflare/cloudflared:2025.11.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: karakeep/charts/karakeep/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: karakeep - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: karakeep - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: karakeep - helm.sh/chart: karakeep-4.4.0 - namespace: karakeep -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: karakeep - app.kubernetes.io/instance: karakeep - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: karakeep - app.kubernetes.io/name: karakeep - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - --no-sandbox - - --disable-gpu - - --disable-dev-shm-usage - - --remote-debugging-address=0.0.0.0 - - --remote-debugging-port=9222 - - --hide-scrollbars - image: gcr.io/zenika-hub/alpine-chrome:124 - imagePullPolicy: IfNotPresent - name: chrome - resources: - requests: - cpu: 10m - memory: 128Mi - - env: - - name: DATA_DIR - value: /data - - name: DB_WAL_MODE - value: "true" - - 
name: NEXTAUTH_URL - value: https://karakeep.alexlebens.dev/ - - name: NEXTAUTH_SECRET - valueFrom: - secretKeyRef: - key: key - name: karakeep-key-secret - - name: PROMETHEUS_AUTH_TOKEN - valueFrom: - secretKeyRef: - key: prometheus-token - name: karakeep-key-secret - - name: ASSET_STORE_S3_ENDPOINT - value: http://rook-ceph-rgw-ceph-objectstore.rook-ceph.svc:80 - - name: ASSET_STORE_S3_REGION - value: us-east-1 - - name: ASSET_STORE_S3_BUCKET - valueFrom: - configMapKeyRef: - key: BUCKET_NAME - name: ceph-bucket-karakeep - - name: ASSET_STORE_S3_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: AWS_ACCESS_KEY_ID - name: ceph-bucket-karakeep - - name: ASSET_STORE_S3_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: AWS_SECRET_ACCESS_KEY - name: ceph-bucket-karakeep - - name: ASSET_STORE_S3_FORCE_PATH_STYLE - value: "true" - - name: MEILI_ADDR - value: http://karakeep-meilisearch.karakeep:7700 - - name: MEILI_MASTER_KEY - valueFrom: - secretKeyRef: - key: MEILI_MASTER_KEY - name: karakeep-meilisearch-master-key-secret - - name: BROWSER_WEB_URL - value: http://karakeep.karakeep:9222 - - name: DISABLE_SIGNUPS - value: "false" - - name: OAUTH_PROVIDER_NAME - value: Authentik - - name: OAUTH_WELLKNOWN_URL - value: https://auth.alexlebens.dev/application/o/karakeep/.well-known/openid-configuration - - name: OAUTH_SCOPE - value: openid email profile - - name: OAUTH_CLIENT_ID - valueFrom: - secretKeyRef: - key: AUTHENTIK_CLIENT_ID - name: karakeep-oidc-secret - - name: OAUTH_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: AUTHENTIK_CLIENT_SECRET - name: karakeep-oidc-secret - - name: OLLAMA_BASE_URL - value: http://ollama-server-3.ollama:11434 - - name: OLLAMA_KEEP_ALIVE - value: 5m - - name: INFERENCE_TEXT_MODEL - value: gemma3:4b - - name: INFERENCE_IMAGE_MODEL - value: granite3.2-vision:2b - - name: EMBEDDING_TEXT_MODEL - value: mxbai-embed-large - - name: INFERENCE_JOB_TIMEOUT_SEC - value: "720" - image: ghcr.io/karakeep-app/karakeep:0.29.1 - imagePullPolicy: 
IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /data - name: data - volumes: - - name: data - persistentVolumeClaim: - claimName: karakeep ---- -# Source: karakeep/charts/meilisearch/templates/statefulset.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: karakeep-meilisearch - labels: - helm.sh/chart: meilisearch-0.17.2 - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: karakeep - app.kubernetes.io/version: "v1.18.0" - app.kubernetes.io/component: search-engine - app.kubernetes.io/part-of: meilisearch - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - serviceName: karakeep-meilisearch - selector: - matchLabels: - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: karakeep - template: - metadata: - labels: - helm.sh/chart: meilisearch-0.17.2 - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: karakeep - app.kubernetes.io/version: "v1.18.0" - app.kubernetes.io/component: search-engine - app.kubernetes.io/part-of: meilisearch - app.kubernetes.io/managed-by: Helm - annotations: - checksum/config: 574eb89dc1c0d091db8dc897d730588383fe85ac2b886588fe96f50eb3d1d7c2 - spec: - serviceAccountName: karakeep-meilisearch - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - volumes: - - name: tmp - emptyDir: {} - - name: data - persistentVolumeClaim: - claimName: karakeep-meilisearch - - - - containers: - - name: meilisearch - image: "getmeili/meilisearch:v1.18.0" - imagePullPolicy: IfNotPresent - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - name: tmp - mountPath: /tmp - - name: data - mountPath: /meili_data - envFrom: - - configMapRef: - name: karakeep-meilisearch-environment - - secretRef: - name: karakeep-meilisearch-master-key-secret - ports: - - name: http - containerPort: 7700 - 
protocol: TCP - startupProbe: - httpGet: - path: /health - port: http - periodSeconds: 1 - initialDelaySeconds: 1 - failureThreshold: 60 - timeoutSeconds: 1 - livenessProbe: - httpGet: - path: /health - port: http - periodSeconds: 10 - initialDelaySeconds: 0 - timeoutSeconds: 10 - readinessProbe: - httpGet: - path: /health - port: http - periodSeconds: 10 - initialDelaySeconds: 0 - timeoutSeconds: 10 - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: karakeep/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: karakeep-key-secret - namespace: karakeep - labels: - app.kubernetes.io/name: karakeep-key-secret - app.kubernetes.io/instance: karakeep - app.kubernetes.io/part-of: karakeep -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: key - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/karakeep/key - metadataPolicy: None - property: key - - secretKey: prometheus-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/karakeep/key - metadataPolicy: None - property: prometheus-token ---- -# Source: karakeep/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: karakeep-oidc-secret - namespace: karakeep - labels: - app.kubernetes.io/name: karakeep-oidc-secret - app.kubernetes.io/instance: karakeep - app.kubernetes.io/part-of: karakeep -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: AUTHENTIK_CLIENT_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/karakeep - metadataPolicy: None - property: client - - secretKey: AUTHENTIK_CLIENT_SECRET - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/karakeep - metadataPolicy: None - property: secret ---- -# Source: karakeep/templates/external-secret.yaml -apiVersion: 
external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: karakeep-meilisearch-master-key-secret - namespace: karakeep - labels: - app.kubernetes.io/name: karakeep-meilisearch-master-key-secret - app.kubernetes.io/instance: karakeep - app.kubernetes.io/part-of: karakeep -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: MEILI_MASTER_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/karakeep/meilisearch - metadataPolicy: None - property: MEILI_MASTER_KEY ---- -# Source: karakeep/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: karakeep-cloudflared-secret - namespace: karakeep - labels: - app.kubernetes.io/name: karakeep-cloudflared-secret - app.kubernetes.io/instance: karakeep - app.kubernetes.io/part-of: karakeep -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: cf-tunnel-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/tunnels/karakeep - metadataPolicy: None - property: token ---- -# Source: karakeep/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: karakeep-data-backup-secret - namespace: karakeep - labels: - app.kubernetes.io/name: karakeep-data-backup-secret - app.kubernetes.io/instance: karakeep - app.kubernetes.io/part-of: karakeep -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/karakeep/karakeep-data" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None 
- property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: karakeep/templates/object-bucket-claim.yaml -apiVersion: objectbucket.io/v1alpha1 -kind: ObjectBucketClaim -metadata: - name: ceph-bucket-karakeep - labels: - app.kubernetes.io/name: ceph-bucket-karakeep - app.kubernetes.io/instance: karakeep - app.kubernetes.io/part-of: karakeep -spec: - generateBucketName: bucket-karakeep - storageClassName: ceph-bucket ---- -# Source: karakeep/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: karakeep-data-backup-source - namespace: karakeep - labels: - app.kubernetes.io/name: karakeep-data-backup-source - app.kubernetes.io/instance: karakeep - app.kubernetes.io/part-of: karakeep -spec: - sourcePVC: karakeep-data - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: karakeep-data-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: karakeep/charts/meilisearch/templates/serviceMonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: karakeep-meilisearch - namespace: karakeep - labels: - helm.sh/chart: meilisearch-0.17.2 - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: karakeep - app.kubernetes.io/version: "v1.18.0" - 
app.kubernetes.io/component: search-engine - app.kubernetes.io/part-of: meilisearch - app.kubernetes.io/managed-by: Helm -spec: - jobLabel: karakeep - namespaceSelector: - matchNames: - - karakeep - selector: - matchLabels: - app.kubernetes.io/name: meilisearch - app.kubernetes.io/instance: karakeep - endpoints: - - port: http - path: /metrics - interval: 1m - scrapeTimeout: 10s - bearerTokenSecret: - name: karakeep-meilisearch-master-key-secret - key: MEILI_MASTER_KEY ---- -# Source: karakeep/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: karakeep - namespace: karakeep - labels: - app.kubernetes.io/name: karakeep - app.kubernetes.io/instance: karakeep - app.kubernetes.io/part-of: karakeep -spec: - endpoints: - - port: http - interval: 30s - scrapeTimeout: 15s - path: /api/metrics - authorization: - credentials: - key: prometheus-token - name: karakeep-key-secret - selector: - matchLabels: - app.kubernetes.io/name: karakeep - app.kubernetes.io/instance: karakeep ---- -# Source: karakeep/charts/meilisearch/templates/tests/test-connection.yaml -apiVersion: v1 -kind: Pod -metadata: - name: karakeep-meilisearch-test-connection - labels: - app.kubernetes.io/name: meilisearch - helm.sh/chart: meilisearch-0.17.2 - app.kubernetes.io/instance: karakeep - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": test-success -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['karakeep-meilisearch:7700'] - restartPolicy: Never diff --git a/clusters/cl01tl/manifests/kiwix/kiwix.yaml b/clusters/cl01tl/manifests/kiwix/kiwix.yaml deleted file mode 100644 index ad975895a..000000000 --- a/clusters/cl01tl/manifests/kiwix/kiwix.yaml +++ /dev/null 
@@ -1,157 +0,0 @@ ---- -# Source: kiwix/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: kiwix-nfs-storage - namespace: kiwix - labels: - app.kubernetes.io/name: kiwix-nfs-storage - app.kubernetes.io/instance: kiwix - app.kubernetes.io/part-of: kiwix -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage/Kiwix - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: kiwix/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: kiwix-nfs-storage - namespace: kiwix - labels: - app.kubernetes.io/name: kiwix-nfs-storage - app.kubernetes.io/instance: kiwix - app.kubernetes.io/part-of: kiwix -spec: - volumeName: kiwix-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: kiwix/charts/kiwix/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: kiwix - labels: - app.kubernetes.io/instance: kiwix - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: kiwix - app.kubernetes.io/service: kiwix - helm.sh/chart: kiwix-4.4.0 - namespace: kiwix -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8080 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: kiwix - app.kubernetes.io/name: kiwix ---- -# Source: kiwix/charts/kiwix/templates/common.yaml ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kiwix - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: kiwix - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: kiwix - helm.sh/chart: kiwix-4.4.0 - namespace: kiwix -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - 
app.kubernetes.io/name: kiwix - app.kubernetes.io/instance: kiwix - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: kiwix - app.kubernetes.io/name: kiwix - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - '*.zim' - env: - - name: PORT - value: "8080" - image: ghcr.io/kiwix/kiwix-serve:3.8.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 50m - memory: 512Mi - volumeMounts: - - mountPath: /data - name: media - readOnly: true - volumes: - - name: media - persistentVolumeClaim: - claimName: kiwix-nfs-storage ---- -# Source: kiwix/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-kiwix - namespace: kiwix - labels: - app.kubernetes.io/name: http-route-kiwix - app.kubernetes.io/instance: kiwix - app.kubernetes.io/part-of: kiwix -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - kiwix.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: kiwix - port: 80 - weight: 100 diff --git a/clusters/cl01tl/manifests/komodo/komodo.yaml b/clusters/cl01tl/manifests/komodo/komodo.yaml deleted file mode 100644 index 74d74030d..000000000 --- a/clusters/cl01tl/manifests/komodo/komodo.yaml +++ /dev/null 
@@ -1,945 +0,0 @@ ---- -# Source: komodo/charts/komodo/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: komodo-cache - labels: - app.kubernetes.io/instance: komodo - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: komodo - helm.sh/chart: komodo-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: komodo -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: komodo/charts/komodo/templates/common.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: komodo-syncs - labels: - app.kubernetes.io/instance: komodo - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: komodo - helm.sh/chart: komodo-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: komodo -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: komodo/charts/komodo/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: komodo-ferretdb-2 - labels: - app.kubernetes.io/instance: komodo - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: komodo - app.kubernetes.io/service: komodo-ferretdb-2 - helm.sh/chart: komodo-4.4.0 - namespace: komodo -spec: - type: ClusterIP - ports: - - port: 27017 - targetPort: 27017 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: ferretdb-2 - app.kubernetes.io/instance: komodo - app.kubernetes.io/name: komodo ---- -# Source: komodo/charts/komodo/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: komodo-main - labels: - app.kubernetes.io/instance: komodo - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: komodo - app.kubernetes.io/service: komodo-main - helm.sh/chart: komodo-4.4.0 - namespace: komodo -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 9120 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - 
app.kubernetes.io/instance: komodo - app.kubernetes.io/name: komodo ---- -# Source: komodo/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: komodo-periphery-ps10rp - namespace: komodo - labels: - app.kubernetes.io/name: komodo-periphery-ps10rp - app.kubernetes.io/instance: komodo - app.kubernetes.io/part-of: komodo - annotations: - tailscale.com/tailnet-fqdn: komodo-periphery-ps10rp.boreal-beaufort.ts.net -spec: - externalName: placeholder - type: ExternalName ---- -# Source: komodo/charts/komodo/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: komodo-ferretdb-2 - labels: - app.kubernetes.io/controller: ferretdb-2 - app.kubernetes.io/instance: komodo - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: komodo - helm.sh/chart: komodo-4.4.0 - namespace: komodo -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: ferretdb-2 - app.kubernetes.io/name: komodo - app.kubernetes.io/instance: komodo - template: - metadata: - labels: - app.kubernetes.io/controller: ferretdb-2 - app.kubernetes.io/instance: komodo - app.kubernetes.io/name: komodo - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: FERRETDB_POSTGRESQL_URL - valueFrom: - secretKeyRef: - key: uri - name: komodo-postgresql-17-fdb-cluster-app - image: ghcr.io/ferretdb/ferretdb:2.7.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: komodo/charts/komodo/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: komodo-main - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: komodo - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: komodo - helm.sh/chart: komodo-4.4.0 - namespace: komodo 
-spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: komodo - app.kubernetes.io/instance: komodo - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: komodo - app.kubernetes.io/name: komodo - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: COMPOSE_LOGGING_DRIVER - value: local - - name: KOMODO_HOST - value: https://komodo.alexlebens.net - - name: KOMODO_TITLE - value: Komodo - - name: PASSKEY - valueFrom: - secretKeyRef: - key: passkey - name: komodo-secret - - name: KOMODO_MONITORING_INTERVAL - value: 15-sec - - name: KOMODO_RESOURCE_POLL_INTERVAL - value: 5-min - - name: KOMODO_PASSKEY - valueFrom: - secretKeyRef: - key: passkey - name: komodo-secret - - name: KOMODO_WEBHOOK_SECRET - valueFrom: - secretKeyRef: - key: webhook - name: komodo-secret - - name: KOMODO_JWT_SECRET - valueFrom: - secretKeyRef: - key: jwt - name: komodo-secret - - name: KOMODO_LOCAL_AUTH - value: "true" - - name: KOMODO_ENABLE_NEW_USERS - value: "true" - - name: KOMODO_DISABLE_NON_ADMIN_CREATE - value: "true" - - name: KOMODO_TRANSPARENT_MODE - value: "false" - - name: PERIPHERY_SSL_ENABLED - value: "false" - - name: DB_USERNAME - valueFrom: - secretKeyRef: - key: user - name: komodo-postgresql-17-fdb-cluster-app - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: komodo-postgresql-17-fdb-cluster-app - - name: KOMODO_DATABASE_URI - value: mongodb://$(DB_USERNAME):$(DB_PASSWORD)@komodo-ferretdb-2.komodo:27017/komodo - - name: KOMODO_OIDC_ENABLED - value: "true" - - name: KOMODO_OIDC_PROVIDER - value: http://authentik-server.authentik/application/o/komodo/ - - name: KOMODO_OIDC_REDIRECT_HOST - value: https://authentik.alexlebens.net - - name: 
KOMODO_OIDC_CLIENT_ID - valueFrom: - secretKeyRef: - key: oidc-client-id - name: komodo-secret - - name: KOMODO_OIDC_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: oidc-client-secret - name: komodo-secret - - name: KOMODO_OIDC_USE_FULL_EMAIL - value: "true" - image: ghcr.io/moghtech/komodo-core:1.19.5 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /repo-cache - name: cache - - mountPath: /syncs - name: syncs - volumes: - - name: cache - persistentVolumeClaim: - claimName: komodo-cache - - name: syncs - persistentVolumeClaim: - claimName: komodo-syncs ---- -# Source: komodo/charts/postgresql-17-fdb-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: komodo-postgresql-17-fdb-cluster - namespace: komodo - labels: - helm.sh/chart: postgresql-17-fdb-cluster-6.16.1 - app.kubernetes.io/name: komodo-postgresql-17-fdb - app.kubernetes.io/instance: komodo - app.kubernetes.io/part-of: komodo - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/ferretdb/postgres-documentdb:17-0.106.0-ferretdb-2.5.0" - imagePullPolicy: IfNotPresent - postgresUID: 999 - postgresGID: 999 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "komodo-postgresql-17-fdb-external-backup" - serverName: "komodo-postgresql-17-fdb-backup-2" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "komodo-postgresql-17-fdb-garage-local-backup" - serverName: "komodo-postgresql-17-fdb-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "komodo-postgresql-17-fdb-recovery" - serverName: komodo-postgresql-17-fdb-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - 
storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: true - enablePDB: true - - postgresql: - shared_preload_libraries: - - pg_cron - - pg_documentdb_core - - pg_documentdb - pg_hba: - - host ferretDB postgres localhost trust - - host ferretDB ferret localhost trust - parameters: - cron.database_name: ferretDB - documentdb.enableBypassDocumentValidation: "true" - documentdb.enableCompact: "true" - documentdb.enableLetAndCollationForQueryMatch: "true" - documentdb.enableNowSystemVariable: "true" - documentdb.enableSchemaValidation: "true" - documentdb.enableSortbyIdPushDownToPrimaryKey: "true" - documentdb.enableUserCrud: "true" - documentdb.maxUserLimit: "100" - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - - bootstrap: - initdb: - database: ferretDB - owner: ferret - postInitApplicationSQL: - - create extension if not exists pg_cron; - - create extension if not exists documentdb cascade; - - grant documentdb_admin_role to ferret; ---- -# Source: komodo/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: komodo-secret - namespace: komodo - labels: - app.kubernetes.io/name: komodo-secret - app.kubernetes.io/instance: komodo - app.kubernetes.io/part-of: komodo -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: passkey - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/komodo/config - metadataPolicy: None - property: passkey - - secretKey: jwt - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/komodo/config - metadataPolicy: None - property: jwt - 
- secretKey: webhook - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/komodo/config - metadataPolicy: None - property: webhook - - secretKey: oidc-client-id - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/komodo - metadataPolicy: None - property: client - - secretKey: oidc-client-secret - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/komodo - metadataPolicy: None - property: secret ---- -# Source: komodo/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: komodo-postgresql-17-fdb-cluster-backup-secret - namespace: komodo - labels: - app.kubernetes.io/name: komodo-postgresql-17-fdb-cluster-backup-secret - app.kubernetes.io/instance: komodo - app.kubernetes.io/part-of: komodo -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: komodo/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: komodo-postgresql-17-cluster-backup-secret-garage - namespace: komodo - labels: - app.kubernetes.io/name: komodo-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: komodo - app.kubernetes.io/part-of: komodo -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - 
conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: komodo/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: https-route-komodo - namespace: komodo - labels: - app.kubernetes.io/name: https-route-komodo - app.kubernetes.io/instance: komodo - app.kubernetes.io/part-of: komodo -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - komodo.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: komodo-main - port: 80 - weight: 100 ---- -# Source: komodo/charts/postgresql-17-fdb-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "komodo-postgresql-17-fdb-external-backup" - namespace: komodo - labels: - helm.sh/chart: postgresql-17-fdb-cluster-6.16.1 - app.kubernetes.io/name: komodo-postgresql-17-fdb - app.kubernetes.io/instance: komodo - app.kubernetes.io/part-of: komodo - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/komodo/komodo-postgresql-17-fdb-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: komodo-postgresql-17-fdb-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: komodo-postgresql-17-fdb-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: komodo/charts/postgresql-17-fdb-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: 
"komodo-postgresql-17-fdb-garage-local-backup" - namespace: komodo - labels: - helm.sh/chart: postgresql-17-fdb-cluster-6.16.1 - app.kubernetes.io/name: komodo-postgresql-17-fdb - app.kubernetes.io/instance: komodo - app.kubernetes.io/part-of: komodo - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/komodo/komodo-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: komodo-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: komodo-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: komodo-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: komodo/charts/postgresql-17-fdb-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "komodo-postgresql-17-fdb-recovery" - namespace: komodo - labels: - helm.sh/chart: postgresql-17-fdb-cluster-6.16.1 - app.kubernetes.io/name: komodo-postgresql-17-fdb - app.kubernetes.io/instance: komodo - app.kubernetes.io/part-of: komodo - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/komodo/komodo-postgresql-17-fdb-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: komodo-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: komodo-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: komodo/charts/postgresql-17-fdb-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: komodo-postgresql-17-fdb-alert-rules - namespace: komodo - labels: - helm.sh/chart: 
postgresql-17-fdb-cluster-6.16.1 - app.kubernetes.io/name: komodo-postgresql-17-fdb - app.kubernetes.io/instance: komodo - app.kubernetes.io/part-of: komodo - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/komodo-postgresql-17-fdb - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: komodo - cnpg_cluster: komodo-postgresql-17-fdb-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: komodo - cnpg_cluster: komodo-postgresql-17-fdb-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="komodo"} - cnpg_pg_replication_is_wal_receiver_up{namespace="komodo"}) < 1 - for: 5m - labels: - severity: critical - namespace: komodo - cnpg_cluster: komodo-postgresql-17-fdb-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="komodo"} - cnpg_pg_replication_is_wal_receiver_up{namespace="komodo"}) < 2 - for: 5m - labels: - severity: warning - namespace: komodo - cnpg_cluster: komodo-postgresql-17-fdb-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "komodo/komodo-postgresql-17-fdb-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="komodo", pod=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="komodo", pod=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: komodo - cnpg_cluster: komodo-postgresql-17-fdb-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "komodo/komodo-postgresql-17-fdb-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="komodo", pod=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="komodo", pod=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: komodo - cnpg_cluster: komodo-postgresql-17-fdb-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "komodo/komodo-postgresql-17-fdb-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="komodo",pod=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: komodo - cnpg_cluster: komodo-postgresql-17-fdb-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "komodo/komodo-postgresql-17-fdb-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="komodo", pod=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: komodo - cnpg_cluster: komodo-postgresql-17-fdb-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: komodo - cnpg_cluster: komodo-postgresql-17-fdb-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "komodo/komodo-postgresql-17-fdb-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="komodo", persistentvolumeclaim=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="komodo", persistentvolumeclaim=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="komodo", persistentvolumeclaim=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="komodo", persistentvolumeclaim=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="komodo", persistentvolumeclaim=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="komodo", persistentvolumeclaim=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: komodo - cnpg_cluster: komodo-postgresql-17-fdb-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "komodo/komodo-postgresql-17-fdb-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="komodo", persistentvolumeclaim=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="komodo", persistentvolumeclaim=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="komodo", persistentvolumeclaim=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="komodo", persistentvolumeclaim=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="komodo", persistentvolumeclaim=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="komodo", persistentvolumeclaim=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: komodo - cnpg_cluster: komodo-postgresql-17-fdb-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "komodo/komodo-postgresql-17-fdb-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="komodo",pod=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: komodo - cnpg_cluster: komodo-postgresql-17-fdb-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: komodo - cnpg_cluster: komodo-postgresql-17-fdb-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: komodo - cnpg_cluster: komodo-postgresql-17-fdb-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: komodo - cnpg_cluster: komodo-postgresql-17-fdb-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "komodo/komodo-postgresql-17-fdb-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="komodo", pod=~"komodo-postgresql-17-fdb-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: komodo - cnpg_cluster: komodo-postgresql-17-fdb-cluster ---- -# Source: komodo/charts/postgresql-17-fdb-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "komodo-postgresql-17-fdb-daily-backup-scheduled-backup" - namespace: komodo - labels: - helm.sh/chart: postgresql-17-fdb-cluster-6.16.1 - app.kubernetes.io/name: komodo-postgresql-17-fdb - app.kubernetes.io/instance: komodo - app.kubernetes.io/part-of: komodo - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: komodo-postgresql-17-fdb-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "komodo-postgresql-17-fdb-external-backup" ---- -# Source: komodo/charts/postgresql-17-fdb-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "komodo-postgresql-17-fdb-live-backup-scheduled-backup" - namespace: komodo - labels: - helm.sh/chart: postgresql-17-fdb-cluster-6.16.1 - app.kubernetes.io/name: komodo-postgresql-17-fdb - app.kubernetes.io/instance: komodo - app.kubernetes.io/part-of: komodo - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: komodo-postgresql-17-fdb-cluster - method: plugin - pluginConfiguration: - name: 
barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "komodo-postgresql-17-fdb-garage-local-backup" diff --git a/clusters/cl01tl/manifests/kronic/kronic.yaml b/clusters/cl01tl/manifests/kronic/kronic.yaml deleted file mode 100644 index 4784330f3..000000000 --- a/clusters/cl01tl/manifests/kronic/kronic.yaml +++ /dev/null 
@@ -1,228 +0,0 @@ ---- -# Source: kronic/charts/kronic/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kronic - labels: - helm.sh/chart: kronic-0.1.7 - app.kubernetes.io/name: kronic - app.kubernetes.io/instance: kronic - app.kubernetes.io/version: "v0.1.4" - app.kubernetes.io/managed-by: Helm ---- -# Source: kronic/charts/kronic/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - helm.sh/chart: kronic-0.1.7 - app.kubernetes.io/name: kronic - app.kubernetes.io/instance: kronic - app.kubernetes.io/version: "v0.1.4" - app.kubernetes.io/managed-by: Helm - name: kronic -rules: - - apiGroups: - - "" - resources: - - pods - - events - - pods/log - - namespaces - verbs: - - get - - list - - watch - - apiGroups: - - batch - resources: - - jobs - - cronjobs - - cronjobs/status - verbs: - - "*" ---- -# Source: kronic/charts/kronic/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - helm.sh/chart: kronic-0.1.7 - app.kubernetes.io/name: kronic - app.kubernetes.io/instance: kronic - app.kubernetes.io/version: "v0.1.4" - app.kubernetes.io/managed-by: Helm - name: kronic -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kronic -subjects: - - kind: ServiceAccount - name: kronic - namespace: "kronic" ---- -# Source: kronic/charts/kronic/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: kronic - labels: - helm.sh/chart: kronic-0.1.7 - app.kubernetes.io/name: kronic - app.kubernetes.io/instance: kronic - app.kubernetes.io/version: "v0.1.4" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/name: kronic - app.kubernetes.io/instance: kronic ---- -# Source: kronic/charts/kronic/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kronic - labels: - 
helm.sh/chart: kronic-0.1.7 - app.kubernetes.io/name: kronic - app.kubernetes.io/instance: kronic - app.kubernetes.io/version: "v0.1.4" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: kronic - app.kubernetes.io/instance: kronic - template: - metadata: - labels: - app.kubernetes.io/name: kronic - app.kubernetes.io/instance: kronic - spec: - serviceAccountName: kronic - securityContext: - {} - containers: - - name: kronic - securityContext: - {} - image: "ghcr.io/mshade/kronic:v0.1.4" - imagePullPolicy: IfNotPresent - env: - - name: KRONIC_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KRONIC_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: kronic-config-secret - key: password - - name: KRONIC_ADMIN_USERNAME - value: "kronic" - - name: KRONIC_ALLOW_NAMESPACES - value: "gitea,vault,talos,libation,kubernetes-cloudflare-ddns" - - name: KRONIC_NAMESPACE_ONLY - value: "" - ports: - - name: http - containerPort: 8000 - protocol: TCP - livenessProbe: - httpGet: - path: /healthz - port: http - readinessProbe: - httpGet: - path: /healthz - port: http - resources: - limits: - cpu: 1 - memory: 1024Mi - requests: - cpu: 10m - memory: 256Mi ---- -# Source: kronic/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: kronic-config-secret - namespace: kronic - labels: - app.kubernetes.io/name: kronic-config-secret - app.kubernetes.io/instance: kronic - app.kubernetes.io/part-of: kronic -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: password - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/kronic/auth - metadataPolicy: None - property: password ---- -# Source: kronic/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: https-route-kronic - namespace: kronic - labels: - app.kubernetes.io/name: https-route-kronic 
- app.kubernetes.io/instance: kronic - app.kubernetes.io/part-of: kronic -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - kronic.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: kronic - port: 80 - weight: 100 ---- -# Source: kronic/charts/kronic/templates/tests/test-connection.yaml -apiVersion: v1 -kind: Pod -metadata: - name: "kronic-test-connection" - labels: - helm.sh/chart: kronic-0.1.7 - app.kubernetes.io/name: kronic - app.kubernetes.io/instance: kronic - app.kubernetes.io/version: "v0.1.4" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": test -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['kronic:80/healthz'] - restartPolicy: Never diff --git a/clusters/cl01tl/manifests/kube-prometheus-stack/kube-prometheus-stack.yaml b/clusters/cl01tl/manifests/kube-prometheus-stack/kube-prometheus-stack.yaml deleted file mode 100644 index 8cfe7ac0b..000000000 --- a/clusters/cl01tl/manifests/kube-prometheus-stack/kube-prometheus-stack.yaml +++ /dev/null 
@@ -1,5728 +0,0 @@ ---- -# Source: kube-prometheus-stack/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: kube-prometheus-stack - labels: - app.kubernetes.io/name: kube-prometheus-stack - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/part-of: kube-prometheus-stack - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - labels: - helm.sh/chart: kube-state-metrics-6.4.2 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: metrics - app.kubernetes.io/part-of: kube-state-metrics - app.kubernetes.io/name: kube-state-metrics - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "2.17.0" - release: kube-prometheus-stack - name: kube-prometheus-stack-kube-state-metrics - namespace: kube-prometheus-stack ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-prometheus-stack-prometheus-node-exporter - namespace: kube-prometheus-stack - labels: - helm.sh/chart: prometheus-node-exporter-4.49.2 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: metrics - app.kubernetes.io/part-of: prometheus-node-exporter - app.kubernetes.io/name: prometheus-node-exporter - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "1.10.2" - release: kube-prometheus-stack -automountServiceAccountToken: false ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/alertmanager/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-prometheus-stack-alertmanager - namespace: kube-prometheus-stack 
- labels: - app: kube-prometheus-stack-alertmanager - app.kubernetes.io/name: kube-prometheus-stack-alertmanager - app.kubernetes.io/component: alertmanager - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -automountServiceAccountToken: true ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-prometheus-stack-operator - namespace: kube-prometheus-stack - labels: - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app: kube-prometheus-stack-operator - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator -automountServiceAccountToken: true ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-prometheus-stack-prometheus - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack-prometheus - app.kubernetes.io/name: kube-prometheus-stack-prometheus - app.kubernetes.io/component: prometheus - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -automountServiceAccountToken: true ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/alertmanager/secret.yaml -apiVersion: v1 
-kind: Secret -metadata: - name: alertmanager-kube-prometheus-stack-alertmanager - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack-alertmanager - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -data: - alertmanager.yaml: "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" ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - helm.sh/chart: kube-state-metrics-6.4.2 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: metrics - app.kubernetes.io/part-of: kube-state-metrics - app.kubernetes.io/name: kube-state-metrics - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "2.17.0" - release: kube-prometheus-stack - name: kube-prometheus-stack-kube-state-metrics -rules: - -- apiGroups: ["certificates.k8s.io"] - resources: - - certificatesigningrequests - verbs: ["list", "watch"] - -- apiGroups: [""] - resources: - - configmaps - verbs: ["list", "watch"] - -- apiGroups: ["batch"] - resources: - - cronjobs - verbs: ["list", "watch"] - -- apiGroups: ["apps"] - resources: - - daemonsets - verbs: ["list", "watch"] - -- apiGroups: ["apps"] - resources: - - deployments - verbs: ["list", "watch"] - -- apiGroups: [""] - resources: - - endpoints - verbs: ["list", "watch"] - -- apiGroups: ["autoscaling"] - resources: - - horizontalpodautoscalers - verbs: ["list", "watch"] - -- apiGroups: ["networking.k8s.io"] - resources: - - ingresses - verbs: ["list", "watch"] - -- apiGroups: ["batch"] - resources: - - jobs - verbs: ["list", "watch"] - -- apiGroups: ["coordination.k8s.io"] - resources: - - leases - verbs: ["list", "watch"] - -- apiGroups: [""] - 
resources: - - limitranges - verbs: ["list", "watch"] - -- apiGroups: ["admissionregistration.k8s.io"] - resources: - - mutatingwebhookconfigurations - verbs: ["list", "watch"] - -- apiGroups: [""] - resources: - - namespaces - verbs: ["list", "watch"] - -- apiGroups: ["networking.k8s.io"] - resources: - - networkpolicies - verbs: ["list", "watch"] - -- apiGroups: [""] - resources: - - nodes - verbs: ["list", "watch"] - -- apiGroups: [""] - resources: - - persistentvolumeclaims - verbs: ["list", "watch"] - -- apiGroups: [""] - resources: - - persistentvolumes - verbs: ["list", "watch"] - -- apiGroups: ["policy"] - resources: - - poddisruptionbudgets - verbs: ["list", "watch"] - -- apiGroups: [""] - resources: - - pods - verbs: ["list", "watch"] - -- apiGroups: ["apps"] - resources: - - replicasets - verbs: ["list", "watch"] - -- apiGroups: [""] - resources: - - replicationcontrollers - verbs: ["list", "watch"] - -- apiGroups: [""] - resources: - - resourcequotas - verbs: ["list", "watch"] - -- apiGroups: [""] - resources: - - secrets - verbs: ["list", "watch"] - -- apiGroups: [""] - resources: - - services - verbs: ["list", "watch"] - -- apiGroups: ["apps"] - resources: - - statefulsets - verbs: ["list", "watch"] - -- apiGroups: ["storage.k8s.io"] - resources: - - storageclasses - verbs: ["list", "watch"] - -- apiGroups: ["admissionregistration.k8s.io"] - resources: - - validatingwebhookconfigurations - verbs: ["list", "watch"] - -- apiGroups: ["storage.k8s.io"] - resources: - - volumeattachments - verbs: ["list", "watch"] ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/aggregate-clusterroles.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kube-prometheus-stack-prometheus-crd-view - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-view: "true" - - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app: kube-prometheus-stack-operator - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator -rules: -- apiGroups: ["monitoring.coreos.com"] - resources: ["alertmanagers", "alertmanagerconfigs", "podmonitors", "probes", "prometheuses", "prometheusagents", "prometheusrules", "scrapeconfigs", "servicemonitors"] - verbs: ["get", "list", "watch"] ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/aggregate-clusterroles.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kube-prometheus-stack-prometheus-crd-edit - labels: - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app: kube-prometheus-stack-operator - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator -rules: -- apiGroups: ["monitoring.coreos.com"] - resources: ["alertmanagers", "alertmanagerconfigs", "podmonitors", "probes", "prometheuses", "prometheusagents", "prometheusrules", "scrapeconfigs", "servicemonitors"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kube-prometheus-stack-operator - 
labels: - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app: kube-prometheus-stack-operator - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator -rules: -- apiGroups: - - monitoring.coreos.com - resources: - - alertmanagers - - alertmanagers/finalizers - - alertmanagers/status - - alertmanagerconfigs - - prometheuses - - prometheuses/finalizers - - prometheuses/status - - prometheusagents - - prometheusagents/finalizers - - prometheusagents/status - - thanosrulers - - thanosrulers/finalizers - - thanosrulers/status - - scrapeconfigs - - scrapeconfigs/status - - servicemonitors - - servicemonitors/status - - podmonitors - - podmonitors/status - - probes - - probes/status - - prometheusrules - verbs: - - '*' -- apiGroups: - - apps - resources: - - statefulsets - verbs: - - '*' -- apiGroups: - - "" - resources: - - configmaps - - secrets - verbs: - - '*' -- apiGroups: - - "" - resources: - - pods - verbs: - - list - - delete -- apiGroups: - - "" - resources: - - services - - services/finalizers - - endpoints - verbs: - - get - - create - - update - - delete -- apiGroups: - - "" - resources: - - nodes - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - - events.k8s.io - resources: - - events - verbs: - - patch - - create -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - create - - list - - watch - - update - - delete ---- -# Source: 
kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kube-prometheus-stack-prometheus - labels: - app: kube-prometheus-stack-prometheus - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -rules: -# These permissions (to examine all namespaces) are not in the kube-prometheus repo. -# They're grabbed from https://github.com/prometheus/prometheus/blob/master/documentation/examples/rbac-setup.yml -# kube-prometheus deliberately defaults to a more restrictive setup that is not appropriate for our general audience. -- apiGroups: [""] - resources: - - nodes - - nodes/metrics - - services - - endpoints - - pods - verbs: ["get", "list", "watch"] -- apiGroups: ["discovery.k8s.io"] - resources: - - endpointslices - verbs: ["get", "list", "watch"] -- apiGroups: - - "networking.k8s.io" - resources: - - ingresses - verbs: ["get", "list", "watch"] -- nonResourceURLs: ["/metrics", "/metrics/cadvisor"] - verbs: ["get"] ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - helm.sh/chart: kube-state-metrics-6.4.2 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: metrics - app.kubernetes.io/part-of: kube-state-metrics - app.kubernetes.io/name: kube-state-metrics - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "2.17.0" - release: kube-prometheus-stack - name: kube-prometheus-stack-kube-state-metrics -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kube-prometheus-stack-kube-state-metrics -subjects: -- kind: 
ServiceAccount - name: kube-prometheus-stack-kube-state-metrics - namespace: kube-prometheus-stack ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kube-prometheus-stack-operator - labels: - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app: kube-prometheus-stack-operator - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kube-prometheus-stack-operator -subjects: -- kind: ServiceAccount - name: kube-prometheus-stack-operator - namespace: kube-prometheus-stack ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kube-prometheus-stack-prometheus - labels: - app: kube-prometheus-stack-prometheus - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kube-prometheus-stack-prometheus -subjects: - - kind: ServiceAccount - name: kube-prometheus-stack-prometheus - namespace: kube-prometheus-stack ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: kube-prometheus-stack-kube-state-metrics - namespace: 
kube-prometheus-stack - labels: - helm.sh/chart: kube-state-metrics-6.4.2 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: metrics - app.kubernetes.io/part-of: kube-state-metrics - app.kubernetes.io/name: kube-state-metrics - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "2.17.0" - release: kube-prometheus-stack - annotations: -spec: - type: "ClusterIP" - ports: - - name: http - protocol: TCP - port: 8080 - targetPort: http - - selector: - app.kubernetes.io/name: kube-state-metrics - app.kubernetes.io/instance: kube-prometheus-stack ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: kube-prometheus-stack-prometheus-node-exporter - namespace: kube-prometheus-stack - labels: - helm.sh/chart: prometheus-node-exporter-4.49.2 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: metrics - app.kubernetes.io/part-of: prometheus-node-exporter - app.kubernetes.io/name: prometheus-node-exporter - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "1.10.2" - release: kube-prometheus-stack - jobLabel: node-exporter - annotations: - prometheus.io/scrape: "true" -spec: - type: ClusterIP - ports: - - port: 9100 - targetPort: 9100 - protocol: TCP - name: http-metrics - selector: - app.kubernetes.io/name: prometheus-node-exporter - app.kubernetes.io/instance: kube-prometheus-stack ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/alertmanager/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: kube-prometheus-stack-alertmanager - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack-alertmanager - self-monitor: "true" - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: 
kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - ports: - - name: http-web - port: 9093 - targetPort: 9093 - protocol: TCP - - name: reloader-web - appProtocol: http - port: 8080 - targetPort: reloader-web - selector: - app.kubernetes.io/name: alertmanager - alertmanager: kube-prometheus-stack-alertmanager - sessionAffinity: None - type: "ClusterIP" ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/exporters/core-dns/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: kube-prometheus-stack-coredns - labels: - app: kube-prometheus-stack-coredns - jobLabel: coredns - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - namespace: kube-system -spec: - clusterIP: None - ports: - - name: http-metrics - port: 9153 - protocol: TCP - targetPort: 9153 - selector: - k8s-app: kube-dns ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/exporters/kube-etcd/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: kube-prometheus-stack-kube-etcd - labels: - app: kube-prometheus-stack-kube-etcd - jobLabel: kube-etcd - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - namespace: kube-system -spec: - clusterIP: None - ports: - - name: http-metrics - port: 2381 - protocol: TCP - targetPort: 2381 - selector: - k8s-app: kube-controller-manager - type: ClusterIP ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: 
kube-prometheus-stack-operator - namespace: kube-prometheus-stack - labels: - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app: kube-prometheus-stack-operator - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator -spec: - ports: - - name: https - port: 443 - targetPort: https - selector: - app: kube-prometheus-stack-operator - release: "kube-prometheus-stack" - type: "ClusterIP" ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: kube-prometheus-stack-prometheus - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack-prometheus - self-monitor: "true" - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - ports: - - name: http-web - port: 9090 - targetPort: 9090 - - name: reloader-web - appProtocol: http - port: 8080 - targetPort: reloader-web - publishNotReadyAddresses: false - selector: - app.kubernetes.io/name: prometheus - operator.prometheus.io/name: kube-prometheus-stack-prometheus - sessionAffinity: None - type: "ClusterIP" ---- -# Source: kube-prometheus-stack/charts/ntfy-alertmanager/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: ntfy-alertmanager - labels: - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: kube-prometheus-stack - app.kubernetes.io/service: ntfy-alertmanager - helm.sh/chart: ntfy-alertmanager-4.4.0 - namespace: 
kube-prometheus-stack -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8080 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/name: kube-prometheus-stack ---- -# Source: kube-prometheus-stack/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: node-ps10rp - namespace: kube-prometheus-stack - labels: - app.kubernetes.io/name: node-ps10rp - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/part-of: kube-prometheus-stack - annotations: - tailscale.com/tailnet-fqdn: node-exporter-ps10rp.boreal-beaufort.ts.net -spec: - externalName: placeholder - type: ExternalName ---- -# Source: kube-prometheus-stack/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: garage-ps10rp - namespace: kube-prometheus-stack - labels: - app.kubernetes.io/name: garage-ps10rp - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/part-of: kube-prometheus-stack - annotations: - tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net -spec: - externalName: placeholder - type: ExternalName ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/daemonset.yaml -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: kube-prometheus-stack-prometheus-node-exporter - namespace: kube-prometheus-stack - labels: - helm.sh/chart: prometheus-node-exporter-4.49.2 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: metrics - app.kubernetes.io/part-of: prometheus-node-exporter - app.kubernetes.io/name: prometheus-node-exporter - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "1.10.2" - release: kube-prometheus-stack -spec: - selector: - matchLabels: - app.kubernetes.io/name: prometheus-node-exporter - app.kubernetes.io/instance: kube-prometheus-stack - revisionHistoryLimit: 10 - updateStrategy: - rollingUpdate: - 
maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" - labels: - helm.sh/chart: prometheus-node-exporter-4.49.2 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: metrics - app.kubernetes.io/part-of: prometheus-node-exporter - app.kubernetes.io/name: prometheus-node-exporter - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "1.10.2" - release: kube-prometheus-stack - jobLabel: node-exporter - spec: - automountServiceAccountToken: false - securityContext: - fsGroup: 65534 - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - serviceAccountName: kube-prometheus-stack-prometheus-node-exporter - containers: - - name: node-exporter - image: quay.io/prometheus/node-exporter:v1.10.2 - imagePullPolicy: IfNotPresent - args: - - --path.procfs=/host/proc - - --path.sysfs=/host/sys - - --path.rootfs=/host/root - - --path.udev.data=/host/root/run/udev/data - - --web.listen-address=[$(HOST_IP)]:9100 - - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|run/containerd/.+|var/lib/docker/.+|var/lib/kubelet/.+)($|/) - - --collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs|erofs)$ - securityContext: - readOnlyRootFilesystem: true - env: - - name: HOST_IP - value: 0.0.0.0 - ports: - - name: http-metrics - containerPort: 9100 - protocol: TCP - livenessProbe: - failureThreshold: 3 - httpGet: - httpHeaders: - path: / - port: http-metrics - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - httpGet: - httpHeaders: - path: / - port: http-metrics - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: proc - 
mountPath: /host/proc - readOnly: true - - name: sys - mountPath: /host/sys - readOnly: true - - name: root - mountPath: /host/root - mountPropagation: HostToContainer - readOnly: true - hostNetwork: true - hostPID: true - hostIPC: false - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate - - key: type - operator: NotIn - values: - - virtual-kubelet - nodeSelector: - kubernetes.io/os: linux - tolerations: - - effect: NoSchedule - operator: Exists - volumes: - - name: proc - hostPath: - path: /proc - - name: sys - hostPath: - path: /sys - - name: root - hostPath: - path: / ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kube-prometheus-stack-kube-state-metrics - namespace: kube-prometheus-stack - labels: - helm.sh/chart: kube-state-metrics-6.4.2 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: metrics - app.kubernetes.io/part-of: kube-state-metrics - app.kubernetes.io/name: kube-state-metrics - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "2.17.0" - release: kube-prometheus-stack -spec: - selector: - matchLabels: - app.kubernetes.io/name: kube-state-metrics - app.kubernetes.io/instance: kube-prometheus-stack - replicas: 1 - strategy: - type: RollingUpdate - revisionHistoryLimit: 10 - template: - metadata: - labels: - helm.sh/chart: kube-state-metrics-6.4.2 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: metrics - app.kubernetes.io/part-of: kube-state-metrics - app.kubernetes.io/name: kube-state-metrics - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "2.17.0" - release: kube-prometheus-stack - spec: - automountServiceAccountToken: true - hostNetwork: false - serviceAccountName: 
kube-prometheus-stack-kube-state-metrics - securityContext: - fsGroup: 65534 - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - dnsPolicy: ClusterFirst - containers: - - name: kube-state-metrics - args: - - --port=8080 - - --resources=certificatesigningrequests,configmaps,cronjobs,daemonsets,deployments,endpoints,horizontalpodautoscalers,ingresses,jobs,leases,limitranges,mutatingwebhookconfigurations,namespaces,networkpolicies,nodes,persistentvolumeclaims,persistentvolumes,poddisruptionbudgets,pods,replicasets,replicationcontrollers,resourcequotas,secrets,services,statefulsets,storageclasses,validatingwebhookconfigurations,volumeattachments - imagePullPolicy: IfNotPresent - image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.17.0 - ports: - - containerPort: 8080 - name: http - livenessProbe: - failureThreshold: 3 - httpGet: - httpHeaders: - path: /livez - port: 8080 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - failureThreshold: 3 - httpGet: - httpHeaders: - path: /readyz - port: 8081 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kube-prometheus-stack-operator - namespace: kube-prometheus-stack - labels: - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app: kube-prometheus-stack-operator - app.kubernetes.io/name: 
kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app: kube-prometheus-stack-operator - release: "kube-prometheus-stack" - template: - metadata: - labels: - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app: kube-prometheus-stack-operator - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator - spec: - containers: - - name: kube-prometheus-stack - image: "quay.io/prometheus-operator/prometheus-operator:v0.86.2" - imagePullPolicy: "IfNotPresent" - args: - - --kubelet-service=kube-system/kube-prometheus-stack-kubelet - - --kubelet-endpoints=true - - --kubelet-endpointslice=false - - --localhost=127.0.0.1 - - --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.86.2 - - --config-reloader-cpu-request=0 - - --config-reloader-cpu-limit=0 - - --config-reloader-memory-request=0 - - --config-reloader-memory-limit=0 - - --thanos-default-base-image=quay.io/thanos/thanos:v0.40.1 - - --secret-field-selector=type!=kubernetes.io/dockercfg,type!=kubernetes.io/service-account-token,type!=helm.sh/release.v1 - - --web.enable-tls=true - - --web.cert-file=/cert/cert - - --web.key-file=/cert/key - - --web.listen-address=:10250 - - --web.tls-min-version=VersionTLS13 - ports: - - containerPort: 10250 - name: https - env: - - name: GOGC - value: "30" - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - name: tls-secret - mountPath: /cert - readOnly: true - readinessProbe: - httpGet: - path: /healthz - port: https - scheme: HTTPS - initialDelaySeconds: 0 
- periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - livenessProbe: - httpGet: - path: /healthz - port: https - scheme: HTTPS - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - volumes: - - name: tls-secret - secret: - defaultMode: 420 - secretName: kube-prometheus-stack-admission - securityContext: - fsGroup: 65534 - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - serviceAccountName: kube-prometheus-stack-operator - automountServiceAccountToken: true - terminationGracePeriodSeconds: 30 ---- -# Source: kube-prometheus-stack/charts/ntfy-alertmanager/templates/common.yaml ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ntfy-alertmanager - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: kube-prometheus-stack - helm.sh/chart: ntfy-alertmanager-4.4.0 - namespace: kube-prometheus-stack -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: kube-prometheus-stack - app.kubernetes.io/instance: kube-prometheus-stack - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/name: kube-prometheus-stack - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - image: xenrox/ntfy-alertmanager:0.5.0 - imagePullPolicy: IfNotPresent - name: main - volumeMounts: - - mountPath: /etc/ntfy-alertmanager/config - mountPropagation: None - name: config - readOnly: true - subPath: config - volumes: - - name: config - secret: - secretName: ntfy-alertmanager-config-secret ---- -# Source: 
kube-prometheus-stack/charts/kube-prometheus-stack/templates/alertmanager/alertmanager.yaml -apiVersion: monitoring.coreos.com/v1 -kind: Alertmanager -metadata: - name: kube-prometheus-stack-alertmanager - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack-alertmanager - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - image: "quay.io/prometheus/alertmanager:v0.29.0" - imagePullPolicy: "IfNotPresent" - version: v0.29.0 - replicas: 1 - listenLocal: false - serviceAccountName: kube-prometheus-stack-alertmanager - automountServiceAccountToken: true - externalUrl: http://kube-prometheus-stack-alertmanager.kube-prometheus-stack:9093 - paused: false - logFormat: "logfmt" - logLevel: "info" - retention: "120h" - secrets: - - alertmanager-config-secret - alertmanagerConfigSelector: {} - alertmanagerConfigNamespaceSelector: - {} - routePrefix: "/" - securityContext: - fsGroup: 2000 - runAsGroup: 2000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - topologyKey: kubernetes.io/hostname - labelSelector: - matchExpressions: - - {key: app.kubernetes.io/name, operator: In, values: [alertmanager]} - - {key: alertmanager, operator: In, values: [kube-prometheus-stack-alertmanager]} - portName: http-web ---- -# Source: kube-prometheus-stack/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: alertmanager-config-secret - namespace: kube-prometheus-stack - labels: - app.kubernetes.io/name: alertmanager-config-secret - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/part-of: kube-prometheus-stack -spec: - 
secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: pushover_token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /pushover/key - metadataPolicy: None - property: alertmanager_key - - secretKey: pushover_user_key - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /pushover/key - metadataPolicy: None - property: user_key - - secretKey: ntfy_password - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/kube-prometheus-stack/ntfy-alertmanager - metadataPolicy: None - property: ntfy_password ---- -# Source: kube-prometheus-stack/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: garage-metric-secret - namespace: kube-prometheus-stack - labels: - app.kubernetes.io/name: garage-metric-secret - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/part-of: kube-prometheus-stack -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/token - metadataPolicy: None - property: metric ---- -# Source: kube-prometheus-stack/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: ntfy-alertmanager-config-secret - namespace: kube-prometheus-stack - labels: - app.kubernetes.io/name: ntfy-alertmanager-config-secret - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/part-of: kube-prometheus-stack -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ntfy_password - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/kube-prometheus-stack/ntfy-alertmanager - metadataPolicy: None - property: ntfy_password - - secretKey: config - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/kube-prometheus-stack/ntfy-alertmanager - 
metadataPolicy: None - property: config ---- -# Source: kube-prometheus-stack/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-prometheus - namespace: kube-prometheus-stack - labels: - app.kubernetes.io/name: http-route-prometheus - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/part-of: kube-prometheus-stack -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - prometheus.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: prometheus-operated - port: 9090 - weight: 100 ---- -# Source: kube-prometheus-stack/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-alertmanager - namespace: kube-prometheus-stack - labels: - app.kubernetes.io/name: http-route-alertmanager - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/part-of: kube-prometheus-stack -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - alertmanager.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: kube-prometheus-stack-alertmanager - port: 9093 - weight: 100 ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/mutatingWebhookConfiguration.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: kube-prometheus-stack-admission - annotations: - - argocd.argoproj.io/hook: PreSync - labels: - app: kube-prometheus-stack-admission - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - 
chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator-webhook -webhooks: - - name: prometheusrulemutate.monitoring.coreos.com - failurePolicy: Ignore - rules: - - apiGroups: - - monitoring.coreos.com - apiVersions: - - "*" - resources: - - prometheusrules - operations: - - CREATE - - UPDATE - clientConfig: - service: - namespace: kube-prometheus-stack - name: kube-prometheus-stack-operator - path: /admission-prometheusrules/mutate - timeoutSeconds: 10 - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/prometheus.yaml -apiVersion: monitoring.coreos.com/v1 -kind: Prometheus -metadata: - name: kube-prometheus-stack-prometheus - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack-prometheus - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - automountServiceAccountToken: true - alerting: - alertmanagers: - - namespace: kube-prometheus-stack - name: kube-prometheus-stack-alertmanager - port: http-web - pathPrefix: "/" - apiVersion: v2 - image: "quay.io/prometheus/prometheus:v3.8.0" - imagePullPolicy: "IfNotPresent" - version: v3.8.0 - externalUrl: "https://prometheus.alexlebens.net" - paused: false - replicas: 1 - shards: 1 - logLevel: "info" - logFormat: logfmt - listenLocal: false - enableOTLPReceiver: false - enableAdminAPI: false - scrapeInterval: 30s - retention: "30d" - tsdb: - outOfOrderTimeWindow: 0s - walCompression: true - routePrefix: "/" - serviceAccountName: kube-prometheus-stack-prometheus - serviceMonitorSelector: {} - serviceMonitorNamespaceSelector: {} - 
podMonitorSelector: {} - podMonitorNamespaceSelector: {} - probeSelector: - matchLabels: - release: "kube-prometheus-stack" - - probeNamespaceSelector: {} - securityContext: - fsGroup: 2000 - runAsGroup: 2000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - ruleNamespaceSelector: {} - ruleSelector: {} - scrapeConfigSelector: {} - scrapeConfigNamespaceSelector: {} - storage: - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 250Gi - storageClassName: synology-iscsi-delete - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - topologyKey: kubernetes.io/hostname - labelSelector: - matchExpressions: - - {key: app.kubernetes.io/name, operator: In, values: [prometheus]} - - {key: app.kubernetes.io/instance, operator: In, values: [kube-prometheus-stack-prometheus]} - portName: http-web - hostNetwork: false ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/alertmanager.rules.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-alertmanager.rules - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: alertmanager.rules - rules: - - alert: AlertmanagerFailedReload - annotations: - description: Configuration has failed to load for {{ $labels.namespace }}/{{ $labels.pod}}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/alertmanager/alertmanagerfailedreload - summary: Reloading an Alertmanager configuration has failed. 
- expr: |- - # Without max_over_time, failed scrapes could create false negatives, see - # https://www.robustperception.io/alerting-on-gauges-in-prometheus-2-0 for details. - max_over_time(alertmanager_config_last_reload_successful{job="kube-prometheus-stack-alertmanager",container="alertmanager",namespace="kube-prometheus-stack"}[5m]) == 0 - for: 10m - labels: - severity: critical - - alert: AlertmanagerMembersInconsistent - annotations: - description: Alertmanager {{ $labels.namespace }}/{{ $labels.pod}} has only found {{ $value }} members of the {{$labels.job}} cluster. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/alertmanager/alertmanagermembersinconsistent - summary: A member of an Alertmanager cluster has not found all other cluster members. - expr: |- - # Without max_over_time, failed scrapes could create false negatives, see - # https://www.robustperception.io/alerting-on-gauges-in-prometheus-2-0 for details. - max_over_time(alertmanager_cluster_members{job="kube-prometheus-stack-alertmanager",container="alertmanager",namespace="kube-prometheus-stack"}[5m]) - < on (namespace,service,cluster) group_left - count by (namespace,service,cluster) (max_over_time(alertmanager_cluster_members{job="kube-prometheus-stack-alertmanager",container="alertmanager",namespace="kube-prometheus-stack"}[5m])) - for: 15m - labels: - severity: critical - - alert: AlertmanagerFailedToSendAlerts - annotations: - description: Alertmanager {{ $labels.namespace }}/{{ $labels.pod}} failed to send {{ $value | humanizePercentage }} of notifications to {{ $labels.integration }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/alertmanager/alertmanagerfailedtosendalerts - summary: An Alertmanager instance failed to send notifications. 
- expr: |- - ( - rate(alertmanager_notifications_failed_total{job="kube-prometheus-stack-alertmanager",container="alertmanager",namespace="kube-prometheus-stack"}[15m]) - / - ignoring (reason) group_left rate(alertmanager_notifications_total{job="kube-prometheus-stack-alertmanager",container="alertmanager",namespace="kube-prometheus-stack"}[15m]) - ) - > 0.01 - for: 5m - labels: - severity: warning - - alert: AlertmanagerClusterFailedToSendAlerts - annotations: - description: The minimum notification failure rate to {{ $labels.integration }} sent from any instance in the {{$labels.job}} cluster is {{ $value | humanizePercentage }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/alertmanager/alertmanagerclusterfailedtosendalerts - summary: All Alertmanager instances in a cluster failed to send notifications to a critical integration. - expr: |- - min by (namespace,service, integration) ( - rate(alertmanager_notifications_failed_total{job="kube-prometheus-stack-alertmanager",container="alertmanager",namespace="kube-prometheus-stack", integration=~`.*`}[15m]) - / - ignoring (reason) group_left rate(alertmanager_notifications_total{job="kube-prometheus-stack-alertmanager",container="alertmanager",namespace="kube-prometheus-stack", integration=~`.*`}[15m]) - ) - > 0.01 - for: 5m - labels: - severity: critical - - alert: AlertmanagerClusterFailedToSendAlerts - annotations: - description: The minimum notification failure rate to {{ $labels.integration }} sent from any instance in the {{$labels.job}} cluster is {{ $value | humanizePercentage }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/alertmanager/alertmanagerclusterfailedtosendalerts - summary: All Alertmanager instances in a cluster failed to send notifications to a non-critical integration. 
- expr: |- - min by (namespace,service, integration) ( - rate(alertmanager_notifications_failed_total{job="kube-prometheus-stack-alertmanager",container="alertmanager",namespace="kube-prometheus-stack", integration!~`.*`}[15m]) - / - ignoring (reason) group_left rate(alertmanager_notifications_total{job="kube-prometheus-stack-alertmanager",container="alertmanager",namespace="kube-prometheus-stack", integration!~`.*`}[15m]) - ) - > 0.01 - for: 5m - labels: - severity: warning - - alert: AlertmanagerConfigInconsistent - annotations: - description: Alertmanager instances within the {{$labels.job}} cluster have different configurations. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/alertmanager/alertmanagerconfiginconsistent - summary: Alertmanager instances within the same cluster have different configurations. - expr: |- - count by (namespace,service,cluster) ( - count_values by (namespace,service,cluster) ("config_hash", alertmanager_config_hash{job="kube-prometheus-stack-alertmanager",container="alertmanager",namespace="kube-prometheus-stack"}) - ) - != 1 - for: 20m - labels: - severity: critical - - alert: AlertmanagerClusterDown - annotations: - description: '{{ $value | humanizePercentage }} of Alertmanager instances within the {{$labels.job}} cluster have been up for less than half of the last 5m.' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/alertmanager/alertmanagerclusterdown - summary: Half or more of the Alertmanager instances within the same cluster are down. 
- expr: |- - ( - count by (namespace,service,cluster) ( - avg_over_time(up{job="kube-prometheus-stack-alertmanager",container="alertmanager",namespace="kube-prometheus-stack"}[5m]) < 0.5 - ) - / - count by (namespace,service,cluster) ( - up{job="kube-prometheus-stack-alertmanager",container="alertmanager",namespace="kube-prometheus-stack"} - ) - ) - >= 0.5 - for: 5m - labels: - severity: critical - - alert: AlertmanagerClusterCrashlooping - annotations: - description: '{{ $value | humanizePercentage }} of Alertmanager instances within the {{$labels.job}} cluster have restarted at least 5 times in the last 10m.' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/alertmanager/alertmanagerclustercrashlooping - summary: Half or more of the Alertmanager instances within the same cluster are crashlooping. - expr: |- - ( - count by (namespace,service,cluster) ( - changes(process_start_time_seconds{job="kube-prometheus-stack-alertmanager",container="alertmanager",namespace="kube-prometheus-stack"}[10m]) > 4 - ) - / - count by (namespace,service,cluster) ( - up{job="kube-prometheus-stack-alertmanager",container="alertmanager",namespace="kube-prometheus-stack"} - ) - ) - >= 0.5 - for: 5m - labels: - severity: critical ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/config-reloaders.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-config-reloaders - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: config-reloaders - rules: - - alert: ConfigReloaderSidecarErrors - annotations: - description: 'Errors encountered while the {{$labels.pod}} 
config-reloader sidecar attempts to sync config in {{$labels.namespace}} namespace. - - As a result, configuration for service running in {{$labels.pod}} may be stale and cannot be updated anymore.' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/configreloadersidecarerrors - summary: config-reloader sidecar has not had a successful reload for 10m - expr: max_over_time(reloader_last_reload_successful{namespace=~".+"}[5m]) == 0 - for: 10m - labels: - severity: warning ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/etcd.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-etcd - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: etcd - rules: - - alert: etcdMembersDown - annotations: - description: 'etcd cluster "{{ $labels.job }}": members are down ({{ $value }}).' - summary: etcd cluster members are down. - expr: |- - max without (endpoint) ( - sum without (instance, pod) (up{job=~".*etcd.*"} == bool 0) - or - count without (To) ( - sum without (instance, pod) (rate(etcd_network_peer_sent_failures_total{job=~".*etcd.*"}[120s])) > 0.01 - ) - ) - > 0 - for: 20m - labels: - severity: warning - - alert: etcdInsufficientMembers - annotations: - description: 'etcd cluster "{{ $labels.job }}": insufficient members ({{ $value }}).' - summary: etcd cluster has insufficient number of members. 
- expr: sum(up{job=~".*etcd.*"} == bool 1) without (instance, pod) < ((count(up{job=~".*etcd.*"}) without (instance, pod) + 1) / 2) - for: 3m - labels: - severity: critical - - alert: etcdNoLeader - annotations: - description: 'etcd cluster "{{ $labels.job }}": member {{ $labels.instance }} has no leader.' - summary: etcd cluster has no leader. - expr: etcd_server_has_leader{job=~".*etcd.*"} == 0 - for: 1m - labels: - severity: critical - - alert: etcdHighNumberOfLeaderChanges - annotations: - description: 'etcd cluster "{{ $labels.job }}": {{ $value }} leader changes within the last 15 minutes. Frequent elections may be a sign of insufficient resources, high network latency, or disruptions by other components and should be investigated.' - summary: etcd cluster has high number of leader changes. - expr: increase((max without (instance, pod) (etcd_server_leader_changes_seen_total{job=~".*etcd.*"}) or 0*absent(etcd_server_leader_changes_seen_total{job=~".*etcd.*"}))[15m:1m]) >= 4 - for: 5m - labels: - severity: warning - - alert: etcdHighNumberOfFailedGRPCRequests - annotations: - description: 'etcd cluster "{{ $labels.job }}": {{ $value }}% of requests for {{ $labels.grpc_method }} failed on etcd instance {{ $labels.instance }}.' - summary: etcd cluster has high number of failed grpc requests. - expr: |- - 100 * sum(rate(grpc_server_handled_total{job=~".*etcd.*", grpc_code=~"Unknown|FailedPrecondition|ResourceExhausted|Internal|Unavailable|DataLoss|DeadlineExceeded"}[5m])) without (grpc_type, grpc_code) - / - sum(rate(grpc_server_handled_total{job=~".*etcd.*"}[5m])) without (grpc_type, grpc_code) - > 1 - for: 10m - labels: - severity: warning - - alert: etcdHighNumberOfFailedGRPCRequests - annotations: - description: 'etcd cluster "{{ $labels.job }}": {{ $value }}% of requests for {{ $labels.grpc_method }} failed on etcd instance {{ $labels.instance }}.' - summary: etcd cluster has high number of failed grpc requests. 
- expr: |- - 100 * sum(rate(grpc_server_handled_total{job=~".*etcd.*", grpc_code=~"Unknown|FailedPrecondition|ResourceExhausted|Internal|Unavailable|DataLoss|DeadlineExceeded"}[5m])) without (grpc_type, grpc_code) - / - sum(rate(grpc_server_handled_total{job=~".*etcd.*"}[5m])) without (grpc_type, grpc_code) - > 5 - for: 5m - labels: - severity: critical - - alert: etcdGRPCRequestsSlow - annotations: - description: 'etcd cluster "{{ $labels.job }}": 99th percentile of gRPC requests is {{ $value }}s on etcd instance {{ $labels.instance }} for {{ $labels.grpc_method }} method.' - summary: etcd grpc requests are slow - expr: |- - histogram_quantile(0.99, sum(rate(grpc_server_handling_seconds_bucket{job=~".*etcd.*", grpc_method!="Defragment", grpc_type="unary"}[5m])) without(grpc_type)) - > 0.15 - for: 10m - labels: - severity: critical - - alert: etcdMemberCommunicationSlow - annotations: - description: 'etcd cluster "{{ $labels.job }}": member communication with {{ $labels.To }} is taking {{ $value }}s on etcd instance {{ $labels.instance }}.' - summary: etcd cluster member communication is slow. - expr: |- - histogram_quantile(0.99, rate(etcd_network_peer_round_trip_time_seconds_bucket{job=~".*etcd.*"}[5m])) - > 0.15 - for: 10m - labels: - severity: warning - - alert: etcdHighNumberOfFailedProposals - annotations: - description: 'etcd cluster "{{ $labels.job }}": {{ $value }} proposal failures within the last 30 minutes on etcd instance {{ $labels.instance }}.' - summary: etcd cluster has high number of proposal failures. - expr: rate(etcd_server_proposals_failed_total{job=~".*etcd.*"}[15m]) > 5 - for: 15m - labels: - severity: warning - - alert: etcdHighFsyncDurations - annotations: - description: 'etcd cluster "{{ $labels.job }}": 99th percentile fsync durations are {{ $value }}s on etcd instance {{ $labels.instance }}.' - summary: etcd cluster 99th percentile fsync durations are too high. 
- expr: |- - histogram_quantile(0.99, rate(etcd_disk_wal_fsync_duration_seconds_bucket{job=~".*etcd.*"}[5m])) - > 0.5 - for: 10m - labels: - severity: warning - - alert: etcdHighFsyncDurations - annotations: - description: 'etcd cluster "{{ $labels.job }}": 99th percentile fsync durations are {{ $value }}s on etcd instance {{ $labels.instance }}.' - summary: etcd cluster 99th percentile fsync durations are too high. - expr: |- - histogram_quantile(0.99, rate(etcd_disk_wal_fsync_duration_seconds_bucket{job=~".*etcd.*"}[5m])) - > 1 - for: 10m - labels: - severity: critical - - alert: etcdHighCommitDurations - annotations: - description: 'etcd cluster "{{ $labels.job }}": 99th percentile commit durations {{ $value }}s on etcd instance {{ $labels.instance }}.' - summary: etcd cluster 99th percentile commit durations are too high. - expr: |- - histogram_quantile(0.99, rate(etcd_disk_backend_commit_duration_seconds_bucket{job=~".*etcd.*"}[5m])) - > 0.25 - for: 10m - labels: - severity: warning - - alert: etcdDatabaseQuotaLowSpace - annotations: - description: 'etcd cluster "{{ $labels.job }}": database size exceeds the defined quota on etcd instance {{ $labels.instance }}, please defrag or increase the quota as the writes to etcd will be disabled when it is full.' - summary: etcd cluster database is running full. - expr: (last_over_time(etcd_mvcc_db_total_size_in_bytes{job=~".*etcd.*"}[5m]) / last_over_time(etcd_server_quota_backend_bytes{job=~".*etcd.*"}[5m]))*100 > 95 - for: 10m - labels: - severity: critical - - alert: etcdExcessiveDatabaseGrowth - annotations: - description: 'etcd cluster "{{ $labels.job }}": Predicting running out of disk space in the next four hours, based on write observations within the past four hours on etcd instance {{ $labels.instance }}, please check as it might be disruptive.' - summary: etcd cluster database growing very fast. 
- expr: predict_linear(etcd_mvcc_db_total_size_in_bytes{job=~".*etcd.*"}[4h], 4*60*60) > etcd_server_quota_backend_bytes{job=~".*etcd.*"} - for: 10m - labels: - severity: warning - - alert: etcdDatabaseHighFragmentationRatio - annotations: - description: 'etcd cluster "{{ $labels.job }}": database size in use on instance {{ $labels.instance }} is {{ $value | humanizePercentage }} of the actual allocated disk space, please run defragmentation (e.g. etcdctl defrag) to retrieve the unused fragmented disk space.' - runbook_url: https://etcd.io/docs/v3.5/op-guide/maintenance/#defragmentation - summary: etcd database size in use is less than 50% of the actual allocated storage. - expr: (last_over_time(etcd_mvcc_db_total_size_in_use_in_bytes{job=~".*etcd.*"}[5m]) / last_over_time(etcd_mvcc_db_total_size_in_bytes{job=~".*etcd.*"}[5m])) < 0.5 and etcd_mvcc_db_total_size_in_use_in_bytes{job=~".*etcd.*"} > 104857600 - for: 10m - labels: - severity: warning ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/general.rules.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-general.rules - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: general.rules - rules: - - alert: TargetDown - annotations: - description: '{{ printf "%.4g" $value }}% of the {{ $labels.job }}/{{ $labels.service }} targets in {{ $labels.namespace }} namespace are down.' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/general/targetdown - summary: One or more targets are unreachable. 
- expr: 100 * (count(up == 0) BY (cluster, job, namespace, service) / count(up) BY (cluster, job, namespace, service)) > 10 - for: 10m - labels: - severity: warning - - alert: Watchdog - annotations: - description: 'This is an alert meant to ensure that the entire alerting pipeline is functional. - - This alert is always firing, therefore it should always be firing in Alertmanager - - and always fire against a receiver. There are integrations with various notification - - mechanisms that send a notification when this alert is not firing. For example the - - "DeadMansSnitch" integration in PagerDuty. - - ' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/general/watchdog - summary: An alert that should always be firing to certify that Alertmanager is working properly. - expr: vector(1) - labels: - severity: none - - alert: InfoInhibitor - annotations: - description: 'This is an alert that is used to inhibit info alerts. - - By themselves, the info-level alerts are sometimes very noisy, but they are relevant when combined with - - other alerts. - - This alert fires whenever there''s a severity="info" alert, and stops firing when another alert with a - - severity of ''warning'' or ''critical'' starts firing on the same namespace. - - This alert should be routed to a null receiver and configured to inhibit alerts with severity="info". - - ' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/general/infoinhibitor - summary: Info-level alert inhibition. 
- expr: ALERTS{severity = "info"} == 1 unless on (namespace) ALERTS{alertname != "InfoInhibitor", severity =~ "warning|critical", alertstate="firing"} == 1 - labels: - severity: none ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/k8s.rules.container_cpu_usage_seconds_total.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-k8s.rules.container-cpu-usage-seconds-tot - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: k8s.rules.container_cpu_usage_seconds_total - rules: - - expr: |- - sum by (cluster, namespace, pod, container) ( - rate(container_cpu_usage_seconds_total{job="kubelet", metrics_path="/metrics/cadvisor", image!=""}[5m]) - ) * on (cluster, namespace, pod) group_left(node) topk by (cluster, namespace, pod) ( - 1, max by (cluster, namespace, pod, node) (kube_pod_info{node!=""}) - ) - record: node_namespace_pod_container:container_cpu_usage_seconds_total:sum_rate5m - - expr: |- - sum by (cluster, namespace, pod, container) ( - irate(container_cpu_usage_seconds_total{job="kubelet", metrics_path="/metrics/cadvisor", image!=""}[5m]) - ) * on (cluster, namespace, pod) group_left(node) topk by (cluster, namespace, pod) ( - 1, max by (cluster, namespace, pod, node) (kube_pod_info{node!=""}) - ) - record: node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/k8s.rules.container_memory_cache.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-k8s.rules.container-memory-cache 
- namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: k8s.rules.container_memory_cache - rules: - - expr: |- - container_memory_cache{job="kubelet", metrics_path="/metrics/cadvisor", image!=""} - * on (cluster, namespace, pod) group_left(node) topk by (cluster, namespace, pod) (1, - max by (cluster, namespace, pod, node) (kube_pod_info{node!=""}) - ) - record: node_namespace_pod_container:container_memory_cache ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/k8s.rules.container_memory_rss.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-k8s.rules.container-memory-rss - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: k8s.rules.container_memory_rss - rules: - - expr: |- - container_memory_rss{job="kubelet", metrics_path="/metrics/cadvisor", image!=""} - * on (cluster, namespace, pod) group_left(node) topk by (cluster, namespace, pod) (1, - max by (cluster, namespace, pod, node) (kube_pod_info{node!=""}) - ) - record: node_namespace_pod_container:container_memory_rss ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/k8s.rules.container_memory_swap.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: 
kube-prometheus-stack-k8s.rules.container-memory-swap - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: k8s.rules.container_memory_swap - rules: - - expr: |- - container_memory_swap{job="kubelet", metrics_path="/metrics/cadvisor", image!=""} - * on (cluster, namespace, pod) group_left(node) topk by (cluster, namespace, pod) (1, - max by (cluster, namespace, pod, node) (kube_pod_info{node!=""}) - ) - record: node_namespace_pod_container:container_memory_swap ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/k8s.rules.container_memory_working_set_bytes.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-k8s.rules.container-memory-working-set-by - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: k8s.rules.container_memory_working_set_bytes - rules: - - expr: |- - container_memory_working_set_bytes{job="kubelet", metrics_path="/metrics/cadvisor", image!=""} - * on (cluster, namespace, pod) group_left(node) topk by (cluster, namespace, pod) (1, - max by (cluster, namespace, pod, node) (kube_pod_info{node!=""}) - ) - record: node_namespace_pod_container:container_memory_working_set_bytes ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/k8s.rules.container_resource.yaml -apiVersion: 
monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-k8s.rules.container-resource - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: k8s.rules.container_resource - rules: - - expr: |- - kube_pod_container_resource_requests{resource="memory",job="kube-state-metrics"} * on (namespace, pod, cluster) - group_left() max by (namespace, pod, cluster) ( - (kube_pod_status_phase{phase=~"Pending|Running"} == 1) - ) - record: cluster:namespace:pod_memory:active:kube_pod_container_resource_requests - - expr: |- - sum by (namespace, cluster) ( - sum by (namespace, pod, cluster) ( - max by (namespace, pod, container, cluster) ( - kube_pod_container_resource_requests{resource="memory",job="kube-state-metrics"} - ) * on (namespace, pod, cluster) group_left() max by (namespace, pod, cluster) ( - kube_pod_status_phase{phase=~"Pending|Running"} == 1 - ) - ) - ) - record: namespace_memory:kube_pod_container_resource_requests:sum - - expr: |- - kube_pod_container_resource_requests{resource="cpu",job="kube-state-metrics"} * on (namespace, pod, cluster) - group_left() max by (namespace, pod, cluster) ( - (kube_pod_status_phase{phase=~"Pending|Running"} == 1) - ) - record: cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests - - expr: |- - sum by (namespace, cluster) ( - sum by (namespace, pod, cluster) ( - max by (namespace, pod, container, cluster) ( - kube_pod_container_resource_requests{resource="cpu",job="kube-state-metrics"} - ) * on (namespace, pod, cluster) group_left() max by (namespace, pod, cluster) ( - kube_pod_status_phase{phase=~"Pending|Running"} == 1 - ) - ) - ) - record: 
namespace_cpu:kube_pod_container_resource_requests:sum - - expr: |- - kube_pod_container_resource_limits{resource="memory",job="kube-state-metrics"} * on (namespace, pod, cluster) - group_left() max by (namespace, pod, cluster) ( - (kube_pod_status_phase{phase=~"Pending|Running"} == 1) - ) - record: cluster:namespace:pod_memory:active:kube_pod_container_resource_limits - - expr: |- - sum by (namespace, cluster) ( - sum by (namespace, pod, cluster) ( - max by (namespace, pod, container, cluster) ( - kube_pod_container_resource_limits{resource="memory",job="kube-state-metrics"} - ) * on (namespace, pod, cluster) group_left() max by (namespace, pod, cluster) ( - kube_pod_status_phase{phase=~"Pending|Running"} == 1 - ) - ) - ) - record: namespace_memory:kube_pod_container_resource_limits:sum - - expr: |- - kube_pod_container_resource_limits{resource="cpu",job="kube-state-metrics"} * on (namespace, pod, cluster) - group_left() max by (namespace, pod, cluster) ( - (kube_pod_status_phase{phase=~"Pending|Running"} == 1) - ) - record: cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits - - expr: |- - sum by (namespace, cluster) ( - sum by (namespace, pod, cluster) ( - max by (namespace, pod, container, cluster) ( - kube_pod_container_resource_limits{resource="cpu",job="kube-state-metrics"} - ) * on (namespace, pod, cluster) group_left() max by (namespace, pod, cluster) ( - kube_pod_status_phase{phase=~"Pending|Running"} == 1 - ) - ) - ) - record: namespace_cpu:kube_pod_container_resource_limits:sum ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/k8s.rules.pod_owner.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-k8s.rules.pod-owner - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - 
app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: k8s.rules.pod_owner - rules: - - expr: |- - max by (cluster, namespace, workload, pod) ( - label_replace( - label_replace( - kube_pod_owner{job="kube-state-metrics", owner_kind="ReplicaSet"}, - "replicaset", "$1", "owner_name", "(.*)" - ) * on (cluster, replicaset, namespace) group_left(owner_name) topk by (cluster, replicaset, namespace) ( - 1, max by (cluster, replicaset, namespace, owner_name) ( - kube_replicaset_owner{job="kube-state-metrics", owner_kind=""} - ) - ), - "workload", "$1", "replicaset", "(.*)" - ) - ) - labels: - workload_type: replicaset - record: namespace_workload_pod:kube_pod_owner:relabel - - expr: |- - max by (cluster, namespace, workload, pod) ( - label_replace( - label_replace( - kube_pod_owner{job="kube-state-metrics", owner_kind="ReplicaSet"}, - "replicaset", "$1", "owner_name", "(.*)" - ) * on (replicaset, namespace, cluster) group_left(owner_name) topk by (cluster, replicaset, namespace) ( - 1, max by (cluster, replicaset, namespace, owner_name) ( - kube_replicaset_owner{job="kube-state-metrics", owner_kind="Deployment"} - ) - ), - "workload", "$1", "owner_name", "(.*)" - ) - ) - labels: - workload_type: deployment - record: namespace_workload_pod:kube_pod_owner:relabel - - expr: |- - max by (cluster, namespace, workload, pod) ( - label_replace( - kube_pod_owner{job="kube-state-metrics", owner_kind="DaemonSet"}, - "workload", "$1", "owner_name", "(.*)" - ) - ) - labels: - workload_type: daemonset - record: namespace_workload_pod:kube_pod_owner:relabel - - expr: |- - max by (cluster, namespace, workload, pod) ( - label_replace( - kube_pod_owner{job="kube-state-metrics", owner_kind="StatefulSet"}, - "workload", "$1", "owner_name", "(.*)") - ) - labels: - workload_type: statefulset - record: namespace_workload_pod:kube_pod_owner:relabel - - expr: |- - group by (cluster, 
namespace, workload, pod) ( - label_join( - group by (cluster, namespace, job_name, pod, owner_name) ( - label_join( - kube_pod_owner{job="kube-state-metrics", owner_kind="Job"} - , "job_name", "", "owner_name") - ) - * on (cluster, namespace, job_name) group_left() - group by (cluster, namespace, job_name) ( - kube_job_owner{job="kube-state-metrics", owner_kind=~"Pod|"} - ) - , "workload", "", "owner_name") - ) - labels: - workload_type: job - record: namespace_workload_pod:kube_pod_owner:relabel - - expr: |- - max by (cluster, namespace, workload, pod) ( - label_replace( - kube_pod_owner{job="kube-state-metrics", owner_kind="", owner_name=""}, - "workload", "$1", "pod", "(.+)") - ) - labels: - workload_type: barepod - record: namespace_workload_pod:kube_pod_owner:relabel - - expr: |- - max by (cluster, namespace, workload, pod) ( - label_replace( - kube_pod_owner{job="kube-state-metrics", owner_kind="Node"}, - "workload", "$1", "pod", "(.+)") - ) - labels: - workload_type: staticpod - record: namespace_workload_pod:kube_pod_owner:relabel - - expr: |- - group by (cluster, namespace, workload, workload_type, pod) ( - label_join( - label_join( - group by (cluster, namespace, job_name, pod) ( - label_join( - kube_pod_owner{job="kube-state-metrics", owner_kind="Job"} - , "job_name", "", "owner_name") - ) - * on (cluster, namespace, job_name) group_left(owner_kind, owner_name) - group by (cluster, namespace, job_name, owner_kind, owner_name) ( - kube_job_owner{job="kube-state-metrics", owner_kind!="Pod", owner_kind!=""} - ) - , "workload", "", "owner_name") - , "workload_type", "", "owner_kind") - - OR - - label_replace( - label_replace( - label_replace( - kube_pod_owner{job="kube-state-metrics", owner_kind="ReplicaSet"} - , "replicaset", "$1", "owner_name", "(.+)" - ) - * on (cluster, namespace, replicaset) group_left(owner_kind, owner_name) - group by (cluster, namespace, replicaset, owner_kind, owner_name) ( - kube_replicaset_owner{job="kube-state-metrics", 
owner_kind!="Deployment", owner_kind!=""} - ) - , "workload", "$1", "owner_name", "(.+)") - OR - label_replace( - group by (cluster, namespace, pod, owner_name, owner_kind) ( - kube_pod_owner{job="kube-state-metrics", owner_kind!="ReplicaSet", owner_kind!="DaemonSet", owner_kind!="StatefulSet", owner_kind!="Job", owner_kind!="Node", owner_kind!=""} - ) - , "workload", "$1", "owner_name", "(.+)" - ) - , "workload_type", "$1", "owner_kind", "(.+)") - ) - record: namespace_workload_pod:kube_pod_owner:relabel ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/kube-apiserver-availability.rules.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-kube-apiserver-availability.rules - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - interval: 3m - name: kube-apiserver-availability.rules - rules: - - expr: avg_over_time(code_verb:apiserver_request_total:increase1h[30d]) * 24 * 30 - record: code_verb:apiserver_request_total:increase30d - - expr: sum by (cluster, code) (code_verb:apiserver_request_total:increase30d{verb=~"LIST|GET"}) - labels: - verb: read - record: code:apiserver_request_total:increase30d - - expr: sum by (cluster, code) (code_verb:apiserver_request_total:increase30d{verb=~"POST|PUT|PATCH|DELETE"}) - labels: - verb: write - record: code:apiserver_request_total:increase30d - - expr: sum by (cluster, verb, scope, le) (increase(apiserver_request_sli_duration_seconds_bucket[1h])) - record: cluster_verb_scope_le:apiserver_request_sli_duration_seconds_bucket:increase1h - - expr: sum by (cluster, verb, scope, le) 
(avg_over_time(cluster_verb_scope_le:apiserver_request_sli_duration_seconds_bucket:increase1h[30d]) * 24 * 30) - record: cluster_verb_scope_le:apiserver_request_sli_duration_seconds_bucket:increase30d - - expr: sum by (cluster, verb, scope) (cluster_verb_scope_le:apiserver_request_sli_duration_seconds_bucket:increase1h{le="+Inf"}) - record: cluster_verb_scope:apiserver_request_sli_duration_seconds_count:increase1h - - expr: sum by (cluster, verb, scope) (cluster_verb_scope_le:apiserver_request_sli_duration_seconds_bucket:increase30d{le="+Inf"}) - record: cluster_verb_scope:apiserver_request_sli_duration_seconds_count:increase30d - - expr: |- - 1 - ( - ( - # write too slow - sum by (cluster) (cluster_verb_scope:apiserver_request_sli_duration_seconds_count:increase30d{verb=~"POST|PUT|PATCH|DELETE"}) - - - sum by (cluster) (cluster_verb_scope_le:apiserver_request_sli_duration_seconds_bucket:increase30d{verb=~"POST|PUT|PATCH|DELETE",le=~"1(\\.0)?"} or vector(0)) - ) + - ( - # read too slow - sum by (cluster) (cluster_verb_scope:apiserver_request_sli_duration_seconds_count:increase30d{verb=~"LIST|GET"}) - - - ( - sum by (cluster) (cluster_verb_scope_le:apiserver_request_sli_duration_seconds_bucket:increase30d{verb=~"LIST|GET",scope=~"resource|",le=~"1(\\.0)?"} or vector(0)) - + - sum by (cluster) (cluster_verb_scope_le:apiserver_request_sli_duration_seconds_bucket:increase30d{verb=~"LIST|GET",scope="namespace",le=~"5(\\.0)?"} or vector(0)) - + - sum by (cluster) (cluster_verb_scope_le:apiserver_request_sli_duration_seconds_bucket:increase30d{verb=~"LIST|GET",scope="cluster",le=~"30(\\.0)?"} or vector(0)) - ) - ) + - # errors - sum by (cluster) (code:apiserver_request_total:increase30d{code=~"5.."} or vector(0)) - ) - / - sum by (cluster) (code:apiserver_request_total:increase30d) - labels: - verb: all - record: apiserver_request:availability30d - - expr: |- - 1 - ( - sum by (cluster) 
(cluster_verb_scope:apiserver_request_sli_duration_seconds_count:increase30d{verb=~"LIST|GET"}) - - - ( - # too slow - sum by (cluster) (cluster_verb_scope_le:apiserver_request_sli_duration_seconds_bucket:increase30d{verb=~"LIST|GET",scope=~"resource|",le=~"1(\\.0)?"} or vector(0)) - + - sum by (cluster) (cluster_verb_scope_le:apiserver_request_sli_duration_seconds_bucket:increase30d{verb=~"LIST|GET",scope="namespace",le=~"5(\\.0)?"} or vector(0)) - + - sum by (cluster) (cluster_verb_scope_le:apiserver_request_sli_duration_seconds_bucket:increase30d{verb=~"LIST|GET",scope="cluster",le=~"30(\\.0)?"} or vector(0)) - ) - + - # errors - sum by (cluster) (code:apiserver_request_total:increase30d{verb="read",code=~"5.."} or vector(0)) - ) - / - sum by (cluster) (code:apiserver_request_total:increase30d{verb="read"}) - labels: - verb: read - record: apiserver_request:availability30d - - expr: |- - 1 - ( - ( - # too slow - sum by (cluster) (cluster_verb_scope:apiserver_request_sli_duration_seconds_count:increase30d{verb=~"POST|PUT|PATCH|DELETE"}) - - - sum by (cluster) (cluster_verb_scope_le:apiserver_request_sli_duration_seconds_bucket:increase30d{verb=~"POST|PUT|PATCH|DELETE",le=~"1(\\.0)?"} or vector(0)) - ) - + - # errors - sum by (cluster) (code:apiserver_request_total:increase30d{verb="write",code=~"5.."} or vector(0)) - ) - / - sum by (cluster) (code:apiserver_request_total:increase30d{verb="write"}) - labels: - verb: write - record: apiserver_request:availability30d - - expr: sum by (cluster,code,resource) (rate(apiserver_request_total{job="apiserver",verb=~"LIST|GET"}[5m])) - labels: - verb: read - record: code_resource:apiserver_request_total:rate5m - - expr: sum by (cluster,code,resource) (rate(apiserver_request_total{job="apiserver",verb=~"POST|PUT|PATCH|DELETE"}[5m])) - labels: - verb: write - record: code_resource:apiserver_request_total:rate5m - - expr: sum by (cluster, code, verb) 
(increase(apiserver_request_total{job="apiserver",verb=~"LIST|GET|POST|PUT|PATCH|DELETE",code=~"2.."}[1h])) - record: code_verb:apiserver_request_total:increase1h - - expr: sum by (cluster, code, verb) (increase(apiserver_request_total{job="apiserver",verb=~"LIST|GET|POST|PUT|PATCH|DELETE",code=~"3.."}[1h])) - record: code_verb:apiserver_request_total:increase1h - - expr: sum by (cluster, code, verb) (increase(apiserver_request_total{job="apiserver",verb=~"LIST|GET|POST|PUT|PATCH|DELETE",code=~"4.."}[1h])) - record: code_verb:apiserver_request_total:increase1h - - expr: sum by (cluster, code, verb) (increase(apiserver_request_total{job="apiserver",verb=~"LIST|GET|POST|PUT|PATCH|DELETE",code=~"5.."}[1h])) - record: code_verb:apiserver_request_total:increase1h ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/kube-apiserver-burnrate.rules.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-kube-apiserver-burnrate.rules - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: kube-apiserver-burnrate.rules - rules: - - expr: |- - ( - ( - # too slow - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_count{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward"}[1d])) - - - ( - ( - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope=~"resource|",le=~"1(\\.0)?"}[1d])) - or - vector(0) - ) - + - sum by (cluster) 
(rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope="namespace",le=~"5(\\.0)?"}[1d])) - + - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope="cluster",le=~"30(\\.0)?"}[1d])) - ) - ) - + - # errors - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"LIST|GET",code=~"5.."}[1d])) - ) - / - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"LIST|GET"}[1d])) - labels: - verb: read - record: apiserver_request:burnrate1d - - expr: |- - ( - ( - # too slow - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_count{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward"}[1h])) - - - ( - ( - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope=~"resource|",le=~"1(\\.0)?"}[1h])) - or - vector(0) - ) - + - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope="namespace",le=~"5(\\.0)?"}[1h])) - + - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope="cluster",le=~"30(\\.0)?"}[1h])) - ) - ) - + - # errors - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"LIST|GET",code=~"5.."}[1h])) - ) - / - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"LIST|GET"}[1h])) - labels: - verb: read - record: apiserver_request:burnrate1h - - expr: |- - ( - ( - # too slow - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_count{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward"}[2h])) - - - ( - ( - sum by (cluster) 
(rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope=~"resource|",le=~"1(\\.0)?"}[2h])) - or - vector(0) - ) - + - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope="namespace",le=~"5(\\.0)?"}[2h])) - + - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope="cluster",le=~"30(\\.0)?"}[2h])) - ) - ) - + - # errors - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"LIST|GET",code=~"5.."}[2h])) - ) - / - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"LIST|GET"}[2h])) - labels: - verb: read - record: apiserver_request:burnrate2h - - expr: |- - ( - ( - # too slow - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_count{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward"}[30m])) - - - ( - ( - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope=~"resource|",le=~"1(\\.0)?"}[30m])) - or - vector(0) - ) - + - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope="namespace",le=~"5(\\.0)?"}[30m])) - + - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope="cluster",le=~"30(\\.0)?"}[30m])) - ) - ) - + - # errors - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"LIST|GET",code=~"5.."}[30m])) - ) - / - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"LIST|GET"}[30m])) - labels: - verb: read - record: apiserver_request:burnrate30m - - expr: |- - ( - ( - # 
too slow - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_count{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward"}[3d])) - - - ( - ( - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope=~"resource|",le=~"1(\\.0)?"}[3d])) - or - vector(0) - ) - + - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope="namespace",le=~"5(\\.0)?"}[3d])) - + - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope="cluster",le=~"30(\\.0)?"}[3d])) - ) - ) - + - # errors - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"LIST|GET",code=~"5.."}[3d])) - ) - / - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"LIST|GET"}[3d])) - labels: - verb: read - record: apiserver_request:burnrate3d - - expr: |- - ( - ( - # too slow - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_count{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward"}[5m])) - - - ( - ( - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope=~"resource|",le=~"1(\\.0)?"}[5m])) - or - vector(0) - ) - + - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope="namespace",le=~"5(\\.0)?"}[5m])) - + - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope="cluster",le=~"30(\\.0)?"}[5m])) - ) - ) - + - # errors - sum by (cluster) 
(rate(apiserver_request_total{job="apiserver",verb=~"LIST|GET",code=~"5.."}[5m])) - ) - / - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"LIST|GET"}[5m])) - labels: - verb: read - record: apiserver_request:burnrate5m - - expr: |- - ( - ( - # too slow - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_count{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward"}[6h])) - - - ( - ( - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope=~"resource|",le=~"1(\\.0)?"}[6h])) - or - vector(0) - ) - + - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope="namespace",le=~"5(\\.0)?"}[6h])) - + - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward",scope="cluster",le=~"30(\\.0)?"}[6h])) - ) - ) - + - # errors - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"LIST|GET",code=~"5.."}[6h])) - ) - / - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"LIST|GET"}[6h])) - labels: - verb: read - record: apiserver_request:burnrate6h - - expr: |- - ( - ( - # too slow - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_count{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",subresource!~"proxy|attach|log|exec|portforward"}[1d])) - - - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",subresource!~"proxy|attach|log|exec|portforward",le=~"1(\\.0)?"}[1d])) - ) - + - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",code=~"5.."}[1d])) - ) - / - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"POST|PUT|PATCH|DELETE"}[1d])) - labels: - verb: write - 
record: apiserver_request:burnrate1d - - expr: |- - ( - ( - # too slow - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_count{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",subresource!~"proxy|attach|log|exec|portforward"}[1h])) - - - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",subresource!~"proxy|attach|log|exec|portforward",le=~"1(\\.0)?"}[1h])) - ) - + - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",code=~"5.."}[1h])) - ) - / - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"POST|PUT|PATCH|DELETE"}[1h])) - labels: - verb: write - record: apiserver_request:burnrate1h - - expr: |- - ( - ( - # too slow - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_count{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",subresource!~"proxy|attach|log|exec|portforward"}[2h])) - - - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",subresource!~"proxy|attach|log|exec|portforward",le=~"1(\\.0)?"}[2h])) - ) - + - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",code=~"5.."}[2h])) - ) - / - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"POST|PUT|PATCH|DELETE"}[2h])) - labels: - verb: write - record: apiserver_request:burnrate2h - - expr: |- - ( - ( - # too slow - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_count{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",subresource!~"proxy|attach|log|exec|portforward"}[30m])) - - - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",subresource!~"proxy|attach|log|exec|portforward",le=~"1(\\.0)?"}[30m])) - ) - + - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",code=~"5.."}[30m])) - ) - / - sum by (cluster) 
(rate(apiserver_request_total{job="apiserver",verb=~"POST|PUT|PATCH|DELETE"}[30m])) - labels: - verb: write - record: apiserver_request:burnrate30m - - expr: |- - ( - ( - # too slow - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_count{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",subresource!~"proxy|attach|log|exec|portforward"}[3d])) - - - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",subresource!~"proxy|attach|log|exec|portforward",le=~"1(\\.0)?"}[3d])) - ) - + - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",code=~"5.."}[3d])) - ) - / - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"POST|PUT|PATCH|DELETE"}[3d])) - labels: - verb: write - record: apiserver_request:burnrate3d - - expr: |- - ( - ( - # too slow - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_count{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",subresource!~"proxy|attach|log|exec|portforward"}[5m])) - - - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",subresource!~"proxy|attach|log|exec|portforward",le=~"1(\\.0)?"}[5m])) - ) - + - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",code=~"5.."}[5m])) - ) - / - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"POST|PUT|PATCH|DELETE"}[5m])) - labels: - verb: write - record: apiserver_request:burnrate5m - - expr: |- - ( - ( - # too slow - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_count{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",subresource!~"proxy|attach|log|exec|portforward"}[6h])) - - - sum by (cluster) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",subresource!~"proxy|attach|log|exec|portforward",le=~"1(\\.0)?"}[6h])) - ) - + - sum by (cluster) 
(rate(apiserver_request_total{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",code=~"5.."}[6h])) - ) - / - sum by (cluster) (rate(apiserver_request_total{job="apiserver",verb=~"POST|PUT|PATCH|DELETE"}[6h])) - labels: - verb: write - record: apiserver_request:burnrate6h ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/kube-apiserver-histogram.rules.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-kube-apiserver-histogram.rules - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: kube-apiserver-histogram.rules - rules: - - expr: histogram_quantile(0.99, sum by (cluster, le, resource) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"LIST|GET",subresource!~"proxy|attach|log|exec|portforward"}[5m]))) > 0 - labels: - quantile: '0.99' - verb: read - record: cluster_quantile:apiserver_request_sli_duration_seconds:histogram_quantile - - expr: histogram_quantile(0.99, sum by (cluster, le, resource) (rate(apiserver_request_sli_duration_seconds_bucket{job="apiserver",verb=~"POST|PUT|PATCH|DELETE",subresource!~"proxy|attach|log|exec|portforward"}[5m]))) > 0 - labels: - quantile: '0.99' - verb: write - record: cluster_quantile:apiserver_request_sli_duration_seconds:histogram_quantile ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/kube-apiserver-slos.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-kube-apiserver-slos - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm 
- app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: kube-apiserver-slos - rules: - - alert: KubeAPIErrorBudgetBurn - annotations: - description: The API server is burning too much error budget on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeapierrorbudgetburn - summary: The API server is burning too much error budget. - expr: |- - sum by (cluster) (apiserver_request:burnrate1h) > (14.40 * 0.01000) - and on (cluster) - sum by (cluster) (apiserver_request:burnrate5m) > (14.40 * 0.01000) - for: 2m - labels: - long: 1h - severity: critical - short: 5m - - alert: KubeAPIErrorBudgetBurn - annotations: - description: The API server is burning too much error budget on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeapierrorbudgetburn - summary: The API server is burning too much error budget. - expr: |- - sum by (cluster) (apiserver_request:burnrate6h) > (6.00 * 0.01000) - and on (cluster) - sum by (cluster) (apiserver_request:burnrate30m) > (6.00 * 0.01000) - for: 15m - labels: - long: 6h - severity: critical - short: 30m - - alert: KubeAPIErrorBudgetBurn - annotations: - description: The API server is burning too much error budget on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeapierrorbudgetburn - summary: The API server is burning too much error budget. 
- expr: |- - sum by (cluster) (apiserver_request:burnrate1d) > (3.00 * 0.01000) - and on (cluster) - sum by (cluster) (apiserver_request:burnrate2h) > (3.00 * 0.01000) - for: 1h - labels: - long: 1d - severity: warning - short: 2h - - alert: KubeAPIErrorBudgetBurn - annotations: - description: The API server is burning too much error budget on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeapierrorbudgetburn - summary: The API server is burning too much error budget. - expr: |- - sum by (cluster) (apiserver_request:burnrate3d) > (1.00 * 0.01000) - and on (cluster) - sum by (cluster) (apiserver_request:burnrate6h) > (1.00 * 0.01000) - for: 3h - labels: - long: 3d - severity: warning - short: 6h ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/kube-prometheus-general.rules.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-kube-prometheus-general.rules - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: kube-prometheus-general.rules - rules: - - expr: count without(instance, pod, node) (up == 1) - record: count:up1 - - expr: count without(instance, pod, node) (up == 0) - record: count:up0 ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/kube-prometheus-node-recording.rules.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-kube-prometheus-node-recording.rules - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: kube-prometheus-node-recording.rules - rules: - - expr: sum(rate(node_cpu_seconds_total{mode!="idle",mode!="iowait",mode!="steal"}[3m])) BY (instance) - record: instance:node_cpu:rate:sum - - expr: sum(rate(node_network_receive_bytes_total[3m])) BY (instance) - record: instance:node_network_receive_bytes:rate:sum - - expr: sum(rate(node_network_transmit_bytes_total[3m])) BY (instance) - record: instance:node_network_transmit_bytes:rate:sum - - expr: sum(rate(node_cpu_seconds_total{mode!="idle",mode!="iowait",mode!="steal"}[5m])) WITHOUT (cpu, mode) / ON (instance) GROUP_LEFT() count(sum(node_cpu_seconds_total) BY (instance, cpu)) BY (instance) - record: instance:node_cpu:ratio - - expr: sum(rate(node_cpu_seconds_total{mode!="idle",mode!="iowait",mode!="steal"}[5m])) - record: cluster:node_cpu:sum_rate5m - - expr: cluster:node_cpu:sum_rate5m / count(sum(node_cpu_seconds_total) BY (instance, cpu)) - record: cluster:node_cpu:ratio ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/kube-state-metrics.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-kube-state-metrics - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: kube-state-metrics - rules: - - alert: KubeStateMetricsListErrors - annotations: - description: kube-state-metrics is experiencing errors at an elevated rate in list operations. 
This is likely causing it to not be able to expose metrics about Kubernetes objects correctly or at all. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kube-state-metrics/kubestatemetricslisterrors - summary: kube-state-metrics is experiencing errors in list operations. - expr: |- - (sum(rate(kube_state_metrics_list_total{job="kube-state-metrics",result="error"}[5m])) by (cluster) - / - sum(rate(kube_state_metrics_list_total{job="kube-state-metrics"}[5m])) by (cluster)) - > 0.01 - for: 15m - labels: - severity: critical - - alert: KubeStateMetricsWatchErrors - annotations: - description: kube-state-metrics is experiencing errors at an elevated rate in watch operations. This is likely causing it to not be able to expose metrics about Kubernetes objects correctly or at all. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kube-state-metrics/kubestatemetricswatcherrors - summary: kube-state-metrics is experiencing errors in watch operations. - expr: |- - (sum(rate(kube_state_metrics_watch_total{job="kube-state-metrics",result="error"}[5m])) by (cluster) - / - sum(rate(kube_state_metrics_watch_total{job="kube-state-metrics"}[5m])) by (cluster)) - > 0.01 - for: 15m - labels: - severity: critical - - alert: KubeStateMetricsShardingMismatch - annotations: - description: kube-state-metrics pods are running with different --total-shards configuration, some Kubernetes objects may be exposed multiple times or not exposed at all. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kube-state-metrics/kubestatemetricsshardingmismatch - summary: kube-state-metrics sharding is misconfigured. - expr: stdvar (kube_state_metrics_total_shards{job="kube-state-metrics"}) by (cluster) != 0 - for: 15m - labels: - severity: critical - - alert: KubeStateMetricsShardsMissing - annotations: - description: kube-state-metrics shards are missing, some Kubernetes objects are not being exposed. 
- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kube-state-metrics/kubestatemetricsshardsmissing - summary: kube-state-metrics shards are missing. - expr: |- - 2^max(kube_state_metrics_total_shards{job="kube-state-metrics"}) by (cluster) - 1 - - - sum( 2 ^ max by (cluster, shard_ordinal) (kube_state_metrics_shard_ordinal{job="kube-state-metrics"}) ) by (cluster) - != 0 - for: 15m - labels: - severity: critical ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/kubelet.rules.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-kubelet.rules - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: kubelet.rules - rules: - - expr: |- - histogram_quantile( - 0.99, - sum(rate(kubelet_pleg_relist_duration_seconds_bucket{job="kubelet", metrics_path="/metrics"}[5m])) by (cluster, instance, le) - * on (cluster, instance) group_left (node) - max by (cluster, instance, node) (kubelet_node_name{job="kubelet", metrics_path="/metrics"}) - ) - labels: - quantile: '0.99' - record: node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile - - expr: |- - histogram_quantile( - 0.9, - sum(rate(kubelet_pleg_relist_duration_seconds_bucket{job="kubelet", metrics_path="/metrics"}[5m])) by (cluster, instance, le) - * on (cluster, instance) group_left (node) - max by (cluster, instance, node) (kubelet_node_name{job="kubelet", metrics_path="/metrics"}) - ) - labels: - quantile: '0.9' - record: node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile - - expr: |- - histogram_quantile( - 0.5, - 
sum(rate(kubelet_pleg_relist_duration_seconds_bucket{job="kubelet", metrics_path="/metrics"}[5m])) by (cluster, instance, le) - * on (cluster, instance) group_left (node) - max by (cluster, instance, node) (kubelet_node_name{job="kubelet", metrics_path="/metrics"}) - ) - labels: - quantile: '0.5' - record: node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/kubernetes-apps.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-kubernetes-apps - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: kubernetes-apps - rules: - - alert: KubePodCrashLooping - annotations: - description: 'Pod {{ $labels.namespace }}/{{ $labels.pod }} ({{ $labels.container }}) is in waiting state (reason: "CrashLoopBackOff") on cluster {{ $labels.cluster }}.' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepodcrashlooping - summary: Pod is crash looping. - expr: max_over_time(kube_pod_container_status_waiting_reason{reason="CrashLoopBackOff", job="kube-state-metrics", namespace=~".*"}[5m]) >= 1 - for: 15m - labels: - severity: warning - - alert: KubePodNotReady - annotations: - description: Pod {{ $labels.namespace }}/{{ $labels.pod }} has been in a non-ready state for longer than 15 minutes on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepodnotready - summary: Pod has been in a non-ready state for more than 15 minutes. 
- expr: |- - sum by (namespace, pod, cluster) ( - max by (namespace, pod, cluster) ( - kube_pod_status_phase{job="kube-state-metrics", namespace=~".*", phase=~"Pending|Unknown"} - ) * on (namespace, pod, cluster) group_left(owner_kind) topk by (namespace, pod, cluster) ( - 1, max by (namespace, pod, owner_kind, cluster) (kube_pod_owner{owner_kind!="Job"}) - ) - ) > 0 - for: 15m - labels: - severity: warning - - alert: KubeDeploymentGenerationMismatch - annotations: - description: Deployment generation for {{ $labels.namespace }}/{{ $labels.deployment }} does not match, this indicates that the Deployment has failed but has not been rolled back on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedeploymentgenerationmismatch - summary: Deployment generation mismatch due to possible roll-back - expr: |- - kube_deployment_status_observed_generation{job="kube-state-metrics", namespace=~".*"} - != - kube_deployment_metadata_generation{job="kube-state-metrics", namespace=~".*"} - for: 15m - labels: - severity: warning - - alert: KubeDeploymentReplicasMismatch - annotations: - description: Deployment {{ $labels.namespace }}/{{ $labels.deployment }} has not matched the expected number of replicas for longer than 15 minutes on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedeploymentreplicasmismatch - summary: Deployment has not matched the expected number of replicas. 
- expr: |- - ( - kube_deployment_spec_replicas{job="kube-state-metrics", namespace=~".*"} - > - kube_deployment_status_replicas_available{job="kube-state-metrics", namespace=~".*"} - ) and ( - changes(kube_deployment_status_replicas_updated{job="kube-state-metrics", namespace=~".*"}[10m]) - == - 0 - ) - for: 15m - labels: - severity: warning - - alert: KubeDeploymentRolloutStuck - annotations: - description: Rollout of deployment {{ $labels.namespace }}/{{ $labels.deployment }} is not progressing for longer than 15 minutes on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedeploymentrolloutstuck - summary: Deployment rollout is not progressing. - expr: |- - kube_deployment_status_condition{condition="Progressing", status="false",job="kube-state-metrics", namespace=~".*"} - != 0 - for: 15m - labels: - severity: warning - - alert: KubeStatefulSetReplicasMismatch - annotations: - description: StatefulSet {{ $labels.namespace }}/{{ $labels.statefulset }} has not matched the expected number of replicas for longer than 15 minutes on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubestatefulsetreplicasmismatch - summary: StatefulSet has not matched the expected number of replicas. - expr: |- - ( - kube_statefulset_status_replicas_ready{job="kube-state-metrics", namespace=~".*"} - != - kube_statefulset_replicas{job="kube-state-metrics", namespace=~".*"} - ) and ( - changes(kube_statefulset_status_replicas_updated{job="kube-state-metrics", namespace=~".*"}[10m]) - == - 0 - ) - for: 15m - labels: - severity: warning - - alert: KubeStatefulSetGenerationMismatch - annotations: - description: StatefulSet generation for {{ $labels.namespace }}/{{ $labels.statefulset }} does not match, this indicates that the StatefulSet has failed but has not been rolled back on cluster {{ $labels.cluster }}. 
- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubestatefulsetgenerationmismatch - summary: StatefulSet generation mismatch due to possible roll-back - expr: |- - kube_statefulset_status_observed_generation{job="kube-state-metrics", namespace=~".*"} - != - kube_statefulset_metadata_generation{job="kube-state-metrics", namespace=~".*"} - for: 15m - labels: - severity: warning - - alert: KubeStatefulSetUpdateNotRolledOut - annotations: - description: StatefulSet {{ $labels.namespace }}/{{ $labels.statefulset }} update has not been rolled out on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubestatefulsetupdatenotrolledout - summary: StatefulSet update has not been rolled out. - expr: |- - ( - max by (namespace, statefulset, job, cluster) ( - kube_statefulset_status_current_revision{job="kube-state-metrics", namespace=~".*"} - unless - kube_statefulset_status_update_revision{job="kube-state-metrics", namespace=~".*"} - ) - * on (namespace, statefulset, job, cluster) - ( - kube_statefulset_replicas{job="kube-state-metrics", namespace=~".*"} - != - kube_statefulset_status_replicas_updated{job="kube-state-metrics", namespace=~".*"} - ) - ) and on (namespace, statefulset, job, cluster) ( - changes(kube_statefulset_status_replicas_updated{job="kube-state-metrics", namespace=~".*"}[5m]) - == - 0 - ) - for: 15m - labels: - severity: warning - - alert: KubeDaemonSetRolloutStuck - annotations: - description: DaemonSet {{ $labels.namespace }}/{{ $labels.daemonset }} has not finished or progressed for at least 15m on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedaemonsetrolloutstuck - summary: DaemonSet rollout is stuck. 
- expr: |- - ( - ( - kube_daemonset_status_current_number_scheduled{job="kube-state-metrics", namespace=~".*"} - != - kube_daemonset_status_desired_number_scheduled{job="kube-state-metrics", namespace=~".*"} - ) or ( - kube_daemonset_status_number_misscheduled{job="kube-state-metrics", namespace=~".*"} - != - 0 - ) or ( - kube_daemonset_status_updated_number_scheduled{job="kube-state-metrics", namespace=~".*"} - != - kube_daemonset_status_desired_number_scheduled{job="kube-state-metrics", namespace=~".*"} - ) or ( - kube_daemonset_status_number_available{job="kube-state-metrics", namespace=~".*"} - != - kube_daemonset_status_desired_number_scheduled{job="kube-state-metrics", namespace=~".*"} - ) - ) and ( - changes(kube_daemonset_status_updated_number_scheduled{job="kube-state-metrics", namespace=~".*"}[5m]) - == - 0 - ) - for: 15m - labels: - severity: warning - - alert: KubeContainerWaiting - annotations: - description: 'pod/{{ $labels.pod }} in namespace {{ $labels.namespace }} on container {{ $labels.container}} has been in waiting state for longer than 1 hour. (reason: "{{ $labels.reason }}") on cluster {{ $labels.cluster }}.' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubecontainerwaiting - summary: Pod container waiting longer than 1 hour - expr: kube_pod_container_status_waiting_reason{reason!="CrashLoopBackOff", job="kube-state-metrics", namespace=~".*"} > 0 - for: 1h - labels: - severity: warning - - alert: KubeDaemonSetNotScheduled - annotations: - description: '{{ $value }} Pods of DaemonSet {{ $labels.namespace }}/{{ $labels.daemonset }} are not scheduled on cluster {{ $labels.cluster }}.' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedaemonsetnotscheduled - summary: DaemonSet pods are not scheduled. 
- expr: |- - kube_daemonset_status_desired_number_scheduled{job="kube-state-metrics", namespace=~".*"} - - - kube_daemonset_status_current_number_scheduled{job="kube-state-metrics", namespace=~".*"} > 0 - for: 10m - labels: - severity: warning - - alert: KubeDaemonSetMisScheduled - annotations: - description: '{{ $value }} Pods of DaemonSet {{ $labels.namespace }}/{{ $labels.daemonset }} are running where they are not supposed to run on cluster {{ $labels.cluster }}.' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedaemonsetmisscheduled - summary: DaemonSet pods are misscheduled. - expr: kube_daemonset_status_number_misscheduled{job="kube-state-metrics", namespace=~".*"} > 0 - for: 15m - labels: - severity: warning - - alert: KubeJobNotCompleted - annotations: - description: Job {{ $labels.namespace }}/{{ $labels.job_name }} is taking more than {{ "43200" | humanizeDuration }} to complete on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubejobnotcompleted - summary: Job did not complete in time - expr: |- - time() - max by (namespace, job_name, cluster) (kube_job_status_start_time{job="kube-state-metrics", namespace=~".*"} - and - kube_job_status_active{job="kube-state-metrics", namespace=~".*"} > 0) > 43200 - labels: - severity: warning - - alert: KubeJobFailed - annotations: - description: Job {{ $labels.namespace }}/{{ $labels.job_name }} failed to complete. Removing failed job after investigation should clear this alert on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubejobfailed - summary: Job failed to complete. 
- expr: kube_job_failed{job="kube-state-metrics", namespace=~".*"} > 0 - for: 15m - labels: - severity: warning - - alert: KubeHpaReplicasMismatch - annotations: - description: HPA {{ $labels.namespace }}/{{ $labels.horizontalpodautoscaler }} has not matched the desired number of replicas for longer than 15 minutes on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubehpareplicasmismatch - summary: HPA has not matched desired number of replicas. - expr: |- - (kube_horizontalpodautoscaler_status_desired_replicas{job="kube-state-metrics", namespace=~".*"} - != - kube_horizontalpodautoscaler_status_current_replicas{job="kube-state-metrics", namespace=~".*"}) - and - (kube_horizontalpodautoscaler_status_current_replicas{job="kube-state-metrics", namespace=~".*"} - > - kube_horizontalpodautoscaler_spec_min_replicas{job="kube-state-metrics", namespace=~".*"}) - and - (kube_horizontalpodautoscaler_status_current_replicas{job="kube-state-metrics", namespace=~".*"} - < - kube_horizontalpodautoscaler_spec_max_replicas{job="kube-state-metrics", namespace=~".*"}) - and - changes(kube_horizontalpodautoscaler_status_current_replicas{job="kube-state-metrics", namespace=~".*"}[15m]) == 0 - for: 15m - labels: - severity: warning - - alert: KubeHpaMaxedOut - annotations: - description: HPA {{ $labels.namespace }}/{{ $labels.horizontalpodautoscaler }} has been running at max replicas for longer than 15 minutes on cluster {{ $labels.cluster }}. 
- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubehpamaxedout - summary: HPA is running at max replicas - expr: |- - kube_horizontalpodautoscaler_status_current_replicas{job="kube-state-metrics", namespace=~".*"} - == - kube_horizontalpodautoscaler_spec_max_replicas{job="kube-state-metrics", namespace=~".*"} - for: 15m - labels: - severity: warning - - alert: KubePdbNotEnoughHealthyPods - annotations: - description: PDB {{ $labels.cluster }}/{{ $labels.namespace }}/{{ $labels.poddisruptionbudget }} expects {{ $value }} more healthy pods. The desired number of healthy pods has not been met for at least 15m. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepdbnotenoughhealthypods - summary: PDB does not have enough healthy pods. - expr: |- - ( - kube_poddisruptionbudget_status_desired_healthy{job="kube-state-metrics", namespace=~".*"} - - - kube_poddisruptionbudget_status_current_healthy{job="kube-state-metrics", namespace=~".*"} - ) - > 0 - for: 15m - labels: - severity: warning ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/kubernetes-resources.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-kubernetes-resources - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: kubernetes-resources - rules: - - alert: KubeCPUOvercommit - annotations: - description: Cluster {{ $labels.cluster }} has overcommitted CPU resource requests for Pods by {{ printf "%.2f" $value }} CPU shares and cannot tolerate node failure. 
- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubecpuovercommit - summary: Cluster has overcommitted CPU resource requests. - expr: |- - # Non-HA clusters. - ( - ( - sum by (cluster) (namespace_cpu:kube_pod_container_resource_requests:sum{}) - - - sum by (cluster) (kube_node_status_allocatable{job="kube-state-metrics",resource="cpu"}) > 0 - ) - and - count by (cluster) (max by (cluster, node) (kube_node_role{job="kube-state-metrics", role="control-plane"})) < 3 - ) - or - # HA clusters. - ( - sum by (cluster) (namespace_cpu:kube_pod_container_resource_requests:sum{}) - - - ( - # Skip clusters with only one allocatable node. - ( - sum by (cluster) (kube_node_status_allocatable{job="kube-state-metrics",resource="cpu"}) - - - max by (cluster) (kube_node_status_allocatable{job="kube-state-metrics",resource="cpu"}) - ) > 0 - ) > 0 - ) - for: 10m - labels: - severity: warning - - alert: KubeMemoryOvercommit - annotations: - description: Cluster {{ $labels.cluster }} has overcommitted memory resource requests for Pods by {{ $value | humanize }} bytes and cannot tolerate node failure. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubememoryovercommit - summary: Cluster has overcommitted memory resource requests. - expr: |- - # Non-HA clusters. - ( - ( - sum by (cluster) (namespace_memory:kube_pod_container_resource_requests:sum{}) - - - sum by (cluster) (kube_node_status_allocatable{job="kube-state-metrics",resource="memory"}) > 0 - ) - and - count by (cluster) (max by (cluster, node) (kube_node_role{job="kube-state-metrics", role="control-plane"})) < 3 - ) - or - # HA clusters. - ( - sum by (cluster) (namespace_memory:kube_pod_container_resource_requests:sum{}) - - - ( - # Skip clusters with only one allocatable node. 
- ( - sum by (cluster) (kube_node_status_allocatable{job="kube-state-metrics",resource="memory"}) - - - max by (cluster) (kube_node_status_allocatable{job="kube-state-metrics",resource="memory"}) - ) > 0 - ) > 0 - ) - for: 10m - labels: - severity: warning - - alert: KubeCPUQuotaOvercommit - annotations: - description: Cluster {{ $labels.cluster }} has overcommitted CPU resource requests for Namespaces. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubecpuquotaovercommit - summary: Cluster has overcommitted CPU resource requests. - expr: |- - sum by (cluster) ( - min without(resource) (kube_resourcequota{job="kube-state-metrics", type="hard", resource=~"(cpu|requests.cpu)"}) - ) - / - sum by (cluster) ( - kube_node_status_allocatable{resource="cpu", job="kube-state-metrics"} - ) > 1.5 - for: 5m - labels: - severity: warning - - alert: KubeMemoryQuotaOvercommit - annotations: - description: Cluster {{ $labels.cluster }} has overcommitted memory resource requests for Namespaces. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubememoryquotaovercommit - summary: Cluster has overcommitted memory resource requests. - expr: |- - sum by (cluster) ( - min without(resource) (kube_resourcequota{job="kube-state-metrics", type="hard", resource=~"(memory|requests.memory)"}) - ) - / - sum by (cluster) ( - kube_node_status_allocatable{resource="memory", job="kube-state-metrics"} - ) > 1.5 - for: 5m - labels: - severity: warning - - alert: KubeQuotaAlmostFull - annotations: - description: Namespace {{ $labels.namespace }} is using {{ $value | humanizePercentage }} of its {{ $labels.resource }} quota on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubequotaalmostfull - summary: Namespace quota is going to be full. 
- expr: |- - max without (instance, job, type) ( - kube_resourcequota{job="kube-state-metrics", type="used"} - ) - / on (cluster, namespace, resource, resourcequota) group_left() - ( - max without (instance, job, type) ( - kube_resourcequota{job="kube-state-metrics", type="hard"} - ) > 0 - ) - > 0.9 < 1 - for: 15m - labels: - severity: info - - alert: KubeQuotaFullyUsed - annotations: - description: Namespace {{ $labels.namespace }} is using {{ $value | humanizePercentage }} of its {{ $labels.resource }} quota on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubequotafullyused - summary: Namespace quota is fully used. - expr: |- - max without (instance, job, type) ( - kube_resourcequota{job="kube-state-metrics", type="used"} - ) - / on (cluster, namespace, resource, resourcequota) group_left() - ( - max without (instance, job, type) ( - kube_resourcequota{job="kube-state-metrics", type="hard"} - ) > 0 - ) - == 1 - for: 15m - labels: - severity: info - - alert: KubeQuotaExceeded - annotations: - description: Namespace {{ $labels.namespace }} is using {{ $value | humanizePercentage }} of its {{ $labels.resource }} quota on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubequotaexceeded - summary: Namespace quota has exceeded the limits. - expr: |- - max without (instance, job, type) ( - kube_resourcequota{job="kube-state-metrics", type="used"} - ) - / on (cluster, namespace, resource, resourcequota) group_left() - ( - max without (instance, job, type) ( - kube_resourcequota{job="kube-state-metrics", type="hard"} - ) > 0 - ) > 1 - for: 15m - labels: - severity: warning - - alert: CPUThrottlingHigh - annotations: - description: '{{ $value | humanizePercentage }} throttling of CPU in namespace {{ $labels.namespace }} for container {{ $labels.container }} in pod {{ $labels.pod }} on cluster {{ $labels.cluster }}.' 
- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/cputhrottlinghigh - summary: Processes experience elevated CPU throttling. - expr: |- - sum without (id, metrics_path, name, image, endpoint, job, node) ( - topk by (cluster, namespace, pod, container, instance) (1, - increase( - container_cpu_cfs_throttled_periods_total{container!="", job="kubelet", metrics_path="/metrics/cadvisor", } - [5m]) - ) - ) - / on (cluster, namespace, pod, container, instance) group_left - sum without (id, metrics_path, name, image, endpoint, job, node) ( - topk by (cluster, namespace, pod, container, instance) (1, - increase( - container_cpu_cfs_periods_total{job="kubelet", metrics_path="/metrics/cadvisor", } - [5m]) - ) - ) - > ( 25 / 100 ) - for: 15m - labels: - severity: info ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/kubernetes-storage.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-kubernetes-storage - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: kubernetes-storage - rules: - - alert: KubePersistentVolumeFillingUp - annotations: - description: The PersistentVolume claimed by {{ $labels.persistentvolumeclaim }} in Namespace {{ $labels.namespace }} {{ with $labels.cluster -}} on Cluster {{ . }} {{- end }} is only {{ $value | humanizePercentage }} free. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepersistentvolumefillingup - summary: PersistentVolume is filling up. 
- expr: |- - ( - kubelet_volume_stats_available_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"} - / - kubelet_volume_stats_capacity_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"} - ) < 0.03 - and - kubelet_volume_stats_used_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"} > 0 - unless on (cluster, namespace, persistentvolumeclaim) - kube_persistentvolumeclaim_access_mode{ access_mode="ReadOnlyMany"} == 1 - unless on (cluster, namespace, persistentvolumeclaim) - kube_persistentvolumeclaim_labels{label_excluded_from_alerts="true"} == 1 - for: 1m - labels: - severity: critical - - alert: KubePersistentVolumeFillingUp - annotations: - description: Based on recent sampling, the PersistentVolume claimed by {{ $labels.persistentvolumeclaim }} in Namespace {{ $labels.namespace }} {{ with $labels.cluster -}} on Cluster {{ . }} {{- end }} is expected to fill up within four days. Currently {{ $value | humanizePercentage }} is available. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepersistentvolumefillingup - summary: PersistentVolume is filling up. 
- expr: |- - ( - kubelet_volume_stats_available_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"} - / - kubelet_volume_stats_capacity_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"} - ) < 0.15 - and - kubelet_volume_stats_used_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"} > 0 - and - predict_linear(kubelet_volume_stats_available_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"}[6h], 4 * 24 * 3600) < 0 - unless on (cluster, namespace, persistentvolumeclaim) - kube_persistentvolumeclaim_access_mode{ access_mode="ReadOnlyMany"} == 1 - unless on (cluster, namespace, persistentvolumeclaim) - kube_persistentvolumeclaim_labels{label_excluded_from_alerts="true"} == 1 - for: 1h - labels: - severity: warning - - alert: KubePersistentVolumeInodesFillingUp - annotations: - description: The PersistentVolume claimed by {{ $labels.persistentvolumeclaim }} in Namespace {{ $labels.namespace }} {{ with $labels.cluster -}} on Cluster {{ . }} {{- end }} only has {{ $value | humanizePercentage }} free inodes. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepersistentvolumeinodesfillingup - summary: PersistentVolumeInodes are filling up. 
- expr: |- - ( - kubelet_volume_stats_inodes_free{job="kubelet", namespace=~".*", metrics_path="/metrics"} - / - kubelet_volume_stats_inodes{job="kubelet", namespace=~".*", metrics_path="/metrics"} - ) < 0.03 - and - kubelet_volume_stats_inodes_used{job="kubelet", namespace=~".*", metrics_path="/metrics"} > 0 - unless on (cluster, namespace, persistentvolumeclaim) - kube_persistentvolumeclaim_access_mode{ access_mode="ReadOnlyMany"} == 1 - unless on (cluster, namespace, persistentvolumeclaim) - kube_persistentvolumeclaim_labels{label_excluded_from_alerts="true"} == 1 - for: 1m - labels: - severity: critical - - alert: KubePersistentVolumeInodesFillingUp - annotations: - description: Based on recent sampling, the PersistentVolume claimed by {{ $labels.persistentvolumeclaim }} in Namespace {{ $labels.namespace }} {{ with $labels.cluster -}} on Cluster {{ . }} {{- end }} is expected to run out of inodes within four days. Currently {{ $value | humanizePercentage }} of its inodes are free. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepersistentvolumeinodesfillingup - summary: PersistentVolumeInodes are filling up. 
- expr: |- - ( - kubelet_volume_stats_inodes_free{job="kubelet", namespace=~".*", metrics_path="/metrics"} - / - kubelet_volume_stats_inodes{job="kubelet", namespace=~".*", metrics_path="/metrics"} - ) < 0.15 - and - kubelet_volume_stats_inodes_used{job="kubelet", namespace=~".*", metrics_path="/metrics"} > 0 - and - predict_linear(kubelet_volume_stats_inodes_free{job="kubelet", namespace=~".*", metrics_path="/metrics"}[6h], 4 * 24 * 3600) < 0 - unless on (cluster, namespace, persistentvolumeclaim) - kube_persistentvolumeclaim_access_mode{ access_mode="ReadOnlyMany"} == 1 - unless on (cluster, namespace, persistentvolumeclaim) - kube_persistentvolumeclaim_labels{label_excluded_from_alerts="true"} == 1 - for: 1h - labels: - severity: warning - - alert: KubePersistentVolumeErrors - annotations: - description: The persistent volume {{ $labels.persistentvolume }} {{ with $labels.cluster -}} on Cluster {{ . }} {{- end }} has status {{ $labels.phase }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepersistentvolumeerrors - summary: PersistentVolume is having issues with provisioning. 
- expr: kube_persistentvolume_status_phase{phase=~"Failed|Pending",job="kube-state-metrics"} > 0 - for: 5m - labels: - severity: critical ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/kubernetes-system-apiserver.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-kubernetes-system-apiserver - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: kubernetes-system-apiserver - rules: - - alert: KubeClientCertificateExpiration - annotations: - description: A client certificate used to authenticate to kubernetes apiserver is expiring in less than 7.0 days on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeclientcertificateexpiration - summary: Client certificate is about to expire. - expr: |- - histogram_quantile(0.01, sum without (namespace, service, endpoint) (rate(apiserver_client_certificate_expiration_seconds_bucket{job="apiserver"}[5m]))) < 604800 - and - on (job, cluster, instance) apiserver_client_certificate_expiration_seconds_count{job="apiserver"} > 0 - for: 5m - labels: - severity: warning - - alert: KubeClientCertificateExpiration - annotations: - description: A client certificate used to authenticate to kubernetes apiserver is expiring in less than 24.0 hours on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeclientcertificateexpiration - summary: Client certificate is about to expire. 
- expr: |- - histogram_quantile(0.01, sum without (namespace, service, endpoint) (rate(apiserver_client_certificate_expiration_seconds_bucket{job="apiserver"}[5m]))) < 86400 - and - on (job, cluster, instance) apiserver_client_certificate_expiration_seconds_count{job="apiserver"} > 0 - for: 5m - labels: - severity: critical - - alert: KubeAggregatedAPIErrors - annotations: - description: Kubernetes aggregated API {{ $labels.instance }}/{{ $labels.name }} has reported {{ $labels.reason }} errors on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeaggregatedapierrors - summary: Kubernetes aggregated API has reported errors. - expr: sum by (cluster, instance, name, reason)(increase(aggregator_unavailable_apiservice_total{job="apiserver"}[1m])) > 0 - for: 10m - labels: - severity: warning - - alert: KubeAggregatedAPIDown - annotations: - description: Kubernetes aggregated API {{ $labels.name }}/{{ $labels.namespace }} has been only {{ $value | humanize }}% available over the last 10m on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeaggregatedapidown - summary: Kubernetes aggregated API is down. - expr: (1 - max by (name, namespace, cluster)(avg_over_time(aggregator_unavailable_apiservice{job="apiserver"}[10m]))) * 100 < 85 - for: 5m - labels: - severity: warning - - alert: KubeAPIDown - annotations: - description: KubeAPI has disappeared from Prometheus target discovery. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeapidown - summary: Target disappeared from Prometheus target discovery. - expr: absent(up{job="apiserver"}) - for: 15m - labels: - severity: critical - - alert: KubeAPITerminatedRequests - annotations: - description: The kubernetes apiserver has terminated {{ $value | humanizePercentage }} of its incoming requests on cluster {{ $labels.cluster }}. 
- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeapiterminatedrequests - summary: The kubernetes apiserver has terminated {{ $value | humanizePercentage }} of its incoming requests. - expr: sum by (cluster) (rate(apiserver_request_terminations_total{job="apiserver"}[10m])) / ( sum by (cluster) (rate(apiserver_request_total{job="apiserver"}[10m])) + sum by (cluster) (rate(apiserver_request_terminations_total{job="apiserver"}[10m])) ) > 0.20 - for: 5m - labels: - severity: warning ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/kubernetes-system-kubelet.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-kubernetes-system-kubelet - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: kubernetes-system-kubelet - rules: - - alert: KubeNodeNotReady - annotations: - description: '{{ $labels.node }} has been unready for more than 15 minutes on cluster {{ $labels.cluster }}.' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubenodenotready - summary: Node is not ready. - expr: |- - kube_node_status_condition{job="kube-state-metrics",condition="Ready",status="true"} == 0 - and on (cluster, node) - kube_node_spec_unschedulable{job="kube-state-metrics"} == 0 - for: 15m - labels: - severity: warning - - alert: KubeNodePressure - annotations: - description: '{{ $labels.node }} on cluster {{ $labels.cluster }} has active Condition {{ $labels.condition }}. This is caused by resource usage exceeding eviction thresholds.' 
- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubenodepressure - summary: Node has as active Condition. - expr: |- - kube_node_status_condition{job="kube-state-metrics",condition=~"(MemoryPressure|DiskPressure|PIDPressure)",status="true"} == 1 - and on (cluster, node) - kube_node_spec_unschedulable{job="kube-state-metrics"} == 0 - for: 10m - labels: - severity: info - - alert: KubeNodeUnreachable - annotations: - description: '{{ $labels.node }} is unreachable and some workloads may be rescheduled on cluster {{ $labels.cluster }}.' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubenodeunreachable - summary: Node is unreachable. - expr: (kube_node_spec_taint{job="kube-state-metrics",key="node.kubernetes.io/unreachable",effect="NoSchedule"} unless ignoring(key,value) kube_node_spec_taint{job="kube-state-metrics",key=~"ToBeDeletedByClusterAutoscaler|cloud.google.com/impending-node-termination|aws-node-termination-handler/spot-itn"}) == 1 - for: 15m - labels: - severity: warning - - alert: KubeletTooManyPods - annotations: - description: Kubelet '{{ $labels.node }}' is running at {{ $value | humanizePercentage }} of its Pod capacity on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubelettoomanypods - summary: Kubelet is running at capacity. 
- expr: |- - ( - max by (cluster, instance) ( - kubelet_running_pods{job="kubelet", metrics_path="/metrics"} > 1 - ) - * on (cluster, instance) group_left(node) - max by (cluster, instance, node) ( - kubelet_node_name{job="kubelet", metrics_path="/metrics"} - ) - ) - / on (cluster, node) group_left() - max by (cluster, node) ( - kube_node_status_capacity{job="kube-state-metrics", resource="pods"} != 1 - ) > 0.95 - for: 15m - labels: - severity: info - - alert: KubeNodeReadinessFlapping - annotations: - description: The readiness status of node {{ $labels.node }} has changed {{ $value }} times in the last 15 minutes on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubenodereadinessflapping - summary: Node readiness status is flapping. - expr: |- - sum(changes(kube_node_status_condition{job="kube-state-metrics",status="true",condition="Ready"}[15m])) by (cluster, node) > 2 - and on (cluster, node) - kube_node_spec_unschedulable{job="kube-state-metrics"} == 0 - for: 15m - labels: - severity: warning - - alert: KubeNodeEviction - annotations: - description: Node {{ $labels.node }} on {{ $labels.cluster }} is evicting Pods due to {{ $labels.eviction_signal }}. Eviction occurs when eviction thresholds are crossed, typically caused by Pods exceeding RAM/ephemeral-storage limits. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubenodeeviction - summary: Node is evicting pods. 
- expr: |- - sum(rate(kubelet_evictions{job="kubelet", metrics_path="/metrics"}[15m])) by (cluster, eviction_signal, instance) - * on (cluster, instance) group_left(node) - max by (cluster, instance, node) ( - kubelet_node_name{job="kubelet", metrics_path="/metrics"} - ) - > 0 - for: 0s - labels: - severity: info - - alert: KubeletPlegDurationHigh - annotations: - description: The Kubelet Pod Lifecycle Event Generator has a 99th percentile duration of {{ $value }} seconds on node {{ $labels.node }} on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeletplegdurationhigh - summary: Kubelet Pod Lifecycle Event Generator is taking too long to relist. - expr: node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile{quantile="0.99"} >= 10 - for: 5m - labels: - severity: warning - - alert: KubeletPodStartUpLatencyHigh - annotations: - description: Kubelet Pod startup 99th percentile latency is {{ $value }} seconds on node {{ $labels.node }} on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeletpodstartuplatencyhigh - summary: Kubelet Pod startup latency is too high. - expr: |- - histogram_quantile(0.99, - sum by (cluster, instance, le) ( - topk by (cluster, instance, le, operation_type) (1, - rate(kubelet_pod_worker_duration_seconds_bucket{job="kubelet", metrics_path="/metrics"}[5m]) - ) - ) - ) - * on (cluster, instance) group_left(node) - topk by (cluster, instance, node) (1, - kubelet_node_name{job="kubelet", metrics_path="/metrics"} - ) - > 60 - for: 15m - labels: - severity: warning - - alert: KubeletClientCertificateExpiration - annotations: - description: Client certificate for Kubelet on node {{ $labels.node }} expires in {{ $value | humanizeDuration }} on cluster {{ $labels.cluster }}. 
- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeletclientcertificateexpiration - summary: Kubelet client certificate is about to expire. - expr: kubelet_certificate_manager_client_ttl_seconds < 604800 - labels: - severity: warning - - alert: KubeletClientCertificateExpiration - annotations: - description: Client certificate for Kubelet on node {{ $labels.node }} expires in {{ $value | humanizeDuration }} on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeletclientcertificateexpiration - summary: Kubelet client certificate is about to expire. - expr: kubelet_certificate_manager_client_ttl_seconds < 86400 - labels: - severity: critical - - alert: KubeletServerCertificateExpiration - annotations: - description: Server certificate for Kubelet on node {{ $labels.node }} expires in {{ $value | humanizeDuration }} on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeletservercertificateexpiration - summary: Kubelet server certificate is about to expire. - expr: kubelet_certificate_manager_server_ttl_seconds < 604800 - labels: - severity: warning - - alert: KubeletServerCertificateExpiration - annotations: - description: Server certificate for Kubelet on node {{ $labels.node }} expires in {{ $value | humanizeDuration }} on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeletservercertificateexpiration - summary: Kubelet server certificate is about to expire. - expr: kubelet_certificate_manager_server_ttl_seconds < 86400 - labels: - severity: critical - - alert: KubeletClientCertificateRenewalErrors - annotations: - description: Kubelet on node {{ $labels.node }} has failed to renew its client certificate ({{ $value | humanize }} errors in the last 5 minutes) on cluster {{ $labels.cluster }}. 
- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeletclientcertificaterenewalerrors - summary: Kubelet has failed to renew its client certificate. - expr: increase(kubelet_certificate_manager_client_expiration_renew_errors[5m]) > 0 - for: 15m - labels: - severity: warning - - alert: KubeletServerCertificateRenewalErrors - annotations: - description: Kubelet on node {{ $labels.node }} has failed to renew its server certificate ({{ $value | humanize }} errors in the last 5 minutes) on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeletservercertificaterenewalerrors - summary: Kubelet has failed to renew its server certificate. - expr: increase(kubelet_server_expiration_renew_errors[5m]) > 0 - for: 15m - labels: - severity: warning - - alert: KubeletDown - annotations: - description: Kubelet has disappeared from Prometheus target discovery. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeletdown - summary: Target disappeared from Prometheus target discovery. 
- expr: absent(up{job="kubelet", metrics_path="/metrics"}) - for: 15m - labels: - severity: critical ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/kubernetes-system.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-kubernetes-system - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: kubernetes-system - rules: - - alert: KubeVersionMismatch - annotations: - description: There are {{ $value }} different semantic versions of Kubernetes components running on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeversionmismatch - summary: Different semantic versions of Kubernetes components running. - expr: count by (cluster) (count by (git_version, cluster) (label_replace(kubernetes_build_info{job!~"kube-dns|coredns"},"git_version","$1","git_version","(v[0-9]*.[0-9]*).*"))) > 1 - for: 15m - labels: - severity: warning - - alert: KubeClientErrors - annotations: - description: Kubernetes API server client '{{ $labels.job }}/{{ $labels.instance }}' is experiencing {{ $value | humanizePercentage }} errors on cluster {{ $labels.cluster }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubeclienterrors - summary: Kubernetes API server client is experiencing errors. 
- expr: |- - (sum(rate(rest_client_requests_total{job="apiserver",code=~"5.."}[5m])) by (cluster, instance, job, namespace) - / - sum(rate(rest_client_requests_total{job="apiserver"}[5m])) by (cluster, instance, job, namespace)) - > 0.01 - for: 15m - labels: - severity: warning ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/node-exporter.rules.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-node-exporter.rules - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: node-exporter.rules - rules: - - expr: |- - count without (cpu, mode) ( - node_cpu_seconds_total{job="node-exporter",mode="idle"} - ) - record: instance:node_num_cpu:sum - - expr: |- - 1 - avg without (cpu) ( - sum without (mode) (rate(node_cpu_seconds_total{job="node-exporter", mode=~"idle|iowait|steal"}[5m])) - ) - record: instance:node_cpu_utilisation:rate5m - - expr: |- - ( - node_load1{job="node-exporter"} - / - instance:node_num_cpu:sum{job="node-exporter"} - ) - record: instance:node_load1_per_cpu:ratio - - expr: |- - 1 - ( - ( - node_memory_MemAvailable_bytes{job="node-exporter"} - or - ( - node_memory_Buffers_bytes{job="node-exporter"} - + - node_memory_Cached_bytes{job="node-exporter"} - + - node_memory_MemFree_bytes{job="node-exporter"} - + - node_memory_Slab_bytes{job="node-exporter"} - ) - ) - / - node_memory_MemTotal_bytes{job="node-exporter"} - ) - record: instance:node_memory_utilisation:ratio - - expr: rate(node_vmstat_pgmajfault{job="node-exporter"}[5m]) - record: instance:node_vmstat_pgmajfault:rate5m - - expr: 
rate(node_disk_io_time_seconds_total{job="node-exporter", device=~"(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dm-.+|md.+|dasd.+)"}[5m]) - record: instance_device:node_disk_io_time_seconds:rate5m - - expr: rate(node_disk_io_time_weighted_seconds_total{job="node-exporter", device=~"(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dm-.+|md.+|dasd.+)"}[5m]) - record: instance_device:node_disk_io_time_weighted_seconds:rate5m - - expr: |- - sum without (device) ( - rate(node_network_receive_bytes_total{job="node-exporter", device!="lo"}[5m]) - ) - record: instance:node_network_receive_bytes_excluding_lo:rate5m - - expr: |- - sum without (device) ( - rate(node_network_transmit_bytes_total{job="node-exporter", device!="lo"}[5m]) - ) - record: instance:node_network_transmit_bytes_excluding_lo:rate5m - - expr: |- - sum without (device) ( - rate(node_network_receive_drop_total{job="node-exporter", device!="lo"}[5m]) - ) - record: instance:node_network_receive_drop_excluding_lo:rate5m - - expr: |- - sum without (device) ( - rate(node_network_transmit_drop_total{job="node-exporter", device!="lo"}[5m]) - ) - record: instance:node_network_transmit_drop_excluding_lo:rate5m ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/node-exporter.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-node-exporter - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: node-exporter - rules: - - alert: NodeFilesystemSpaceFillingUp - annotations: - description: Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint }}, at {{ $labels.instance }} has only {{ 
printf "%.2f" $value }}% available space left and is filling up. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemspacefillingup - summary: Filesystem is predicted to run out of space within the next 24 hours. - expr: |- - ( - node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 15 - and - predict_linear(node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""}[6h], 24*60*60) < 0 - and - node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0 - ) - for: 1h - labels: - severity: warning - - alert: NodeFilesystemSpaceFillingUp - annotations: - description: Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint }}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available space left and is filling up fast. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemspacefillingup - summary: Filesystem is predicted to run out of space within the next 4 hours. - expr: |- - ( - node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 10 - and - predict_linear(node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""}[6h], 4*60*60) < 0 - and - node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0 - ) - for: 1h - labels: - severity: critical - - alert: NodeFilesystemAlmostOutOfSpace - annotations: - description: Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint }}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available space left. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemalmostoutofspace - summary: Filesystem has less than 5% space left. 
- expr: |- - ( - node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 5 - and - node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0 - ) - for: 30m - labels: - severity: warning - - alert: NodeFilesystemAlmostOutOfSpace - annotations: - description: Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint }}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available space left. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemalmostoutofspace - summary: Filesystem has less than 3% space left. - expr: |- - ( - node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 3 - and - node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0 - ) - for: 30m - labels: - severity: critical - - alert: NodeFilesystemFilesFillingUp - annotations: - description: Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint }}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available inodes left and is filling up. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemfilesfillingup - summary: Filesystem is predicted to run out of inodes within the next 24 hours. 
- expr: |- - ( - node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_files{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 40 - and - predict_linear(node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""}[6h], 24*60*60) < 0 - and - node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0 - ) - for: 1h - labels: - severity: warning - - alert: NodeFilesystemFilesFillingUp - annotations: - description: Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint }}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available inodes left and is filling up fast. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemfilesfillingup - summary: Filesystem is predicted to run out of inodes within the next 4 hours. - expr: |- - ( - node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_files{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 20 - and - predict_linear(node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""}[6h], 4*60*60) < 0 - and - node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0 - ) - for: 1h - labels: - severity: critical - - alert: NodeFilesystemAlmostOutOfFiles - annotations: - description: Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint }}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available inodes left. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemalmostoutoffiles - summary: Filesystem has less than 5% inodes left. 
- expr: |- - ( - node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_files{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 5 - and - node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0 - ) - for: 1h - labels: - severity: warning - - alert: NodeFilesystemAlmostOutOfFiles - annotations: - description: Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint }}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available inodes left. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemalmostoutoffiles - summary: Filesystem has less than 3% inodes left. - expr: |- - ( - node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_files{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 3 - and - node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0 - ) - for: 1h - labels: - severity: critical - - alert: NodeNetworkReceiveErrs - annotations: - description: '{{ $labels.instance }} interface {{ $labels.device }} has encountered {{ printf "%.0f" $value }} receive errors in the last two minutes.' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodenetworkreceiveerrs - summary: Network interface is reporting many receive errors. - expr: rate(node_network_receive_errs_total{job="node-exporter"}[2m]) / rate(node_network_receive_packets_total{job="node-exporter"}[2m]) > 0.01 - for: 1h - labels: - severity: warning - - alert: NodeNetworkTransmitErrs - annotations: - description: '{{ $labels.instance }} interface {{ $labels.device }} has encountered {{ printf "%.0f" $value }} transmit errors in the last two minutes.' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodenetworktransmiterrs - summary: Network interface is reporting many transmit errors. 
- expr: rate(node_network_transmit_errs_total{job="node-exporter"}[2m]) / rate(node_network_transmit_packets_total{job="node-exporter"}[2m]) > 0.01 - for: 1h - labels: - severity: warning - - alert: NodeHighNumberConntrackEntriesUsed - annotations: - description: '{{ $labels.instance }} {{ $value | humanizePercentage }} of conntrack entries are used.' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodehighnumberconntrackentriesused - summary: Number of conntrack are getting close to the limit. - expr: (node_nf_conntrack_entries{job="node-exporter"} / node_nf_conntrack_entries_limit) > 0.75 - labels: - severity: warning - - alert: NodeTextFileCollectorScrapeError - annotations: - description: Node Exporter text file collector on {{ $labels.instance }} failed to scrape. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodetextfilecollectorscrapeerror - summary: Node Exporter text file collector failed to scrape. - expr: node_textfile_scrape_error{job="node-exporter"} == 1 - labels: - severity: warning - - alert: NodeClockSkewDetected - annotations: - description: Clock at {{ $labels.instance }} is out of sync by more than 0.05s. Ensure NTP is configured correctly on this host. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodeclockskewdetected - summary: Clock skew detected. - expr: |- - ( - node_timex_offset_seconds{job="node-exporter"} > 0.05 - and - deriv(node_timex_offset_seconds{job="node-exporter"}[5m]) >= 0 - ) - or - ( - node_timex_offset_seconds{job="node-exporter"} < -0.05 - and - deriv(node_timex_offset_seconds{job="node-exporter"}[5m]) <= 0 - ) - for: 10m - labels: - severity: warning - - alert: NodeClockNotSynchronising - annotations: - description: Clock at {{ $labels.instance }} is not synchronising. Ensure NTP is configured on this host. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodeclocknotsynchronising - summary: Clock not synchronising. 
- expr: |- - min_over_time(node_timex_sync_status{job="node-exporter"}[5m]) == 0 - and - node_timex_maxerror_seconds{job="node-exporter"} >= 16 - for: 10m - labels: - severity: warning - - alert: NodeRAIDDegraded - annotations: - description: RAID array '{{ $labels.device }}' at {{ $labels.instance }} is in degraded state due to one or more disks failures. Number of spare drives is insufficient to fix issue automatically. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/noderaiddegraded - summary: RAID Array is degraded. - expr: node_md_disks_required{job="node-exporter",device=~"(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dm-.+|md.+|dasd.+)"} - ignoring (state) (node_md_disks{state="active",job="node-exporter",device=~"(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dm-.+|md.+|dasd.+)"}) > 0 - for: 15m - labels: - severity: critical - - alert: NodeRAIDDiskFailure - annotations: - description: At least one device in RAID array at {{ $labels.instance }} failed. Array '{{ $labels.device }}' needs attention and possibly a disk swap. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/noderaiddiskfailure - summary: Failed device in RAID array. - expr: node_md_disks{state="failed",job="node-exporter",device=~"(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dm-.+|md.+|dasd.+)"} > 0 - labels: - severity: warning - - alert: NodeFileDescriptorLimit - annotations: - description: File descriptors limit at {{ $labels.instance }} is currently at {{ printf "%.2f" $value }}%. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefiledescriptorlimit - summary: Kernel is predicted to exhaust file descriptors limit soon. 
- expr: |- - ( - node_filefd_allocated{job="node-exporter"} * 100 / node_filefd_maximum{job="node-exporter"} > 70 - ) - for: 15m - labels: - severity: warning - - alert: NodeFileDescriptorLimit - annotations: - description: File descriptors limit at {{ $labels.instance }} is currently at {{ printf "%.2f" $value }}%. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefiledescriptorlimit - summary: Kernel is predicted to exhaust file descriptors limit soon. - expr: |- - ( - node_filefd_allocated{job="node-exporter"} * 100 / node_filefd_maximum{job="node-exporter"} > 90 - ) - for: 15m - labels: - severity: critical - - alert: NodeCPUHighUsage - annotations: - description: 'CPU usage at {{ $labels.instance }} has been above 90% for the last 15 minutes, is currently at {{ printf "%.2f" $value }}%. - - ' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodecpuhighusage - summary: High CPU usage. - expr: sum without(mode) (avg without (cpu) (rate(node_cpu_seconds_total{job="node-exporter", mode!~"idle|iowait"}[2m]))) * 100 > 90 - for: 15m - labels: - severity: info - - alert: NodeSystemSaturation - annotations: - description: 'System load per core at {{ $labels.instance }} has been above 2 for the last 15 minutes, is currently at {{ printf "%.2f" $value }}. - - This might indicate this instance resources saturation and can cause it becoming unresponsive. - - ' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodesystemsaturation - summary: System saturated, load per core is very high. - expr: |- - node_load1{job="node-exporter"} - / count without (cpu, mode) (node_cpu_seconds_total{job="node-exporter", mode="idle"}) > 2 - for: 15m - labels: - severity: warning - - alert: NodeMemoryMajorPagesFaults - annotations: - description: 'Memory major pages are occurring at very high rate at {{ $labels.instance }}, 500 major page faults per second for the last 15 minutes, is currently at {{ printf "%.2f" $value }}. 
- - Please check that there is enough memory available at this instance. - - ' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodememorymajorpagesfaults - summary: Memory major page faults are occurring at very high rate. - expr: rate(node_vmstat_pgmajfault{job="node-exporter"}[5m]) > 500 - for: 15m - labels: - severity: warning - - alert: NodeMemoryHighUtilization - annotations: - description: 'Memory is filling up at {{ $labels.instance }}, has been above 90% for the last 15 minutes, is currently at {{ printf "%.2f" $value }}%. - - ' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodememoryhighutilization - summary: Host is running out of memory. - expr: 100 - (node_memory_MemAvailable_bytes{job="node-exporter"} / node_memory_MemTotal_bytes{job="node-exporter"} * 100) > 90 - for: 15m - labels: - severity: warning - - alert: NodeDiskIOSaturation - annotations: - description: 'Disk IO queue (aqu-sq) is high on {{ $labels.device }} at {{ $labels.instance }}, has been above 10 for the last 30 minutes, is currently at {{ printf "%.2f" $value }}. - - This symptom might indicate disk saturation. - - ' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodediskiosaturation - summary: Disk IO queue is high. - expr: rate(node_disk_io_time_weighted_seconds_total{job="node-exporter", device=~"(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dm-.+|md.+|dasd.+)"}[5m]) > 10 - for: 30m - labels: - severity: warning - - alert: NodeSystemdServiceFailed - annotations: - description: Systemd service {{ $labels.name }} has entered failed state at {{ $labels.instance }} - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodesystemdservicefailed - summary: Systemd service has entered failed state. 
- expr: node_systemd_unit_state{job="node-exporter", state="failed"} == 1 - for: 5m - labels: - severity: warning - - alert: NodeSystemdServiceCrashlooping - annotations: - description: Systemd service {{ $labels.name }} has being restarted too many times at {{ $labels.instance }} for the last 15 minutes. Please check if service is crash looping. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodesystemdservicecrashlooping - summary: Systemd service keeps restaring, possibly crash looping. - expr: increase(node_systemd_service_restart_total{job="node-exporter"}[5m]) > 2 - for: 15m - labels: - severity: warning - - alert: NodeBondingDegraded - annotations: - description: Bonding interface {{ $labels.master }} on {{ $labels.instance }} is in degraded state due to one or more slave failures. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodebondingdegraded - summary: Bonding interface is degraded. - expr: (node_bonding_slaves{job="node-exporter"} - node_bonding_active{job="node-exporter"}) != 0 - for: 5m - labels: - severity: warning ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/node-network.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-node-network - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: node-network - rules: - - alert: NodeNetworkInterfaceFlapping - annotations: - description: Network interface "{{ $labels.device }}" changing its up status often on node-exporter {{ $labels.namespace }}/{{ $labels.pod }} - runbook_url: 
https://runbooks.prometheus-operator.dev/runbooks/general/nodenetworkinterfaceflapping - summary: Network interface is often changing its status - expr: changes(node_network_up{job="node-exporter",device!~"veth.+"}[2m]) > 2 - for: 2m - labels: - severity: warning ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/node.rules.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-node.rules - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: node.rules - rules: - - expr: |- - topk by (cluster, namespace, pod) (1, - max by (cluster, node, namespace, pod) ( - label_replace(kube_pod_info{job="kube-state-metrics",node!=""}, "pod", "$1", "pod", "(.*)") - )) - record: 'node_namespace_pod:kube_pod_info:' - - expr: |- - count by (cluster, node) ( - node_cpu_seconds_total{mode="idle",job="node-exporter"} - * on (cluster, namespace, pod) group_left(node) - topk by (cluster, namespace, pod) (1, node_namespace_pod:kube_pod_info:) - ) - record: node:node_num_cpu:sum - - expr: |- - sum( - node_memory_MemAvailable_bytes{job="node-exporter"} or - ( - node_memory_Buffers_bytes{job="node-exporter"} + - node_memory_Cached_bytes{job="node-exporter"} + - node_memory_MemFree_bytes{job="node-exporter"} + - node_memory_Slab_bytes{job="node-exporter"} - ) - ) by (cluster) - record: :node_memory_MemAvailable_bytes:sum - - expr: |- - avg by (cluster, node) ( - sum without (mode) ( - rate(node_cpu_seconds_total{mode!="idle",mode!="iowait",mode!="steal",job="node-exporter"}[5m]) - ) - ) - record: node:node_cpu_utilization:ratio_rate5m - - expr: |- - avg by (cluster) ( - 
node:node_cpu_utilization:ratio_rate5m - ) - record: cluster:node_cpu:ratio_rate5m ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/prometheus-operator.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-prometheus-operator - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: prometheus-operator - rules: - - alert: PrometheusOperatorListErrors - annotations: - description: Errors while performing List operations in controller {{$labels.controller}} in {{$labels.namespace}} namespace. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorlisterrors - summary: Errors while performing list operations in controller. - expr: (sum by (cluster,controller,namespace) (rate(prometheus_operator_list_operations_failed_total{job="kube-prometheus-stack-operator",namespace="kube-prometheus-stack"}[10m])) / sum by (cluster,controller,namespace) (rate(prometheus_operator_list_operations_total{job="kube-prometheus-stack-operator",namespace="kube-prometheus-stack"}[10m]))) > 0.4 - for: 15m - labels: - severity: warning - - alert: PrometheusOperatorWatchErrors - annotations: - description: Errors while performing watch operations in controller {{$labels.controller}} in {{$labels.namespace}} namespace. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorwatcherrors - summary: Errors while performing watch operations in controller. 
- expr: (sum by (cluster,controller,namespace) (rate(prometheus_operator_watch_operations_failed_total{job="kube-prometheus-stack-operator",namespace="kube-prometheus-stack"}[5m])) / sum by (cluster,controller,namespace) (rate(prometheus_operator_watch_operations_total{job="kube-prometheus-stack-operator",namespace="kube-prometheus-stack"}[5m]))) > 0.4 - for: 15m - labels: - severity: warning - - alert: PrometheusOperatorSyncFailed - annotations: - description: Controller {{ $labels.controller }} in {{ $labels.namespace }} namespace fails to reconcile {{ $value }} objects. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorsyncfailed - summary: Last controller reconciliation failed - expr: min_over_time(prometheus_operator_syncs{status="failed",job="kube-prometheus-stack-operator",namespace="kube-prometheus-stack"}[5m]) > 0 - for: 10m - labels: - severity: warning - - alert: PrometheusOperatorReconcileErrors - annotations: - description: '{{ $value | humanizePercentage }} of reconciling operations failed for {{ $labels.controller }} controller in {{ $labels.namespace }} namespace.' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorreconcileerrors - summary: Errors while reconciling objects. - expr: (sum by (cluster,controller,namespace) (rate(prometheus_operator_reconcile_errors_total{job="kube-prometheus-stack-operator",namespace="kube-prometheus-stack"}[5m]))) / (sum by (cluster,controller,namespace) (rate(prometheus_operator_reconcile_operations_total{job="kube-prometheus-stack-operator",namespace="kube-prometheus-stack"}[5m]))) > 0.1 - for: 10m - labels: - severity: warning - - alert: PrometheusOperatorStatusUpdateErrors - annotations: - description: '{{ $value | humanizePercentage }} of status update operations failed for {{ $labels.controller }} controller in {{ $labels.namespace }} namespace.' 
- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorstatusupdateerrors - summary: Errors while updating objects status. - expr: (sum by (cluster,controller,namespace) (rate(prometheus_operator_status_update_errors_total{job="kube-prometheus-stack-operator",namespace="kube-prometheus-stack"}[5m]))) / (sum by (cluster,controller,namespace) (rate(prometheus_operator_status_update_operations_total{job="kube-prometheus-stack-operator",namespace="kube-prometheus-stack"}[5m]))) > 0.1 - for: 10m - labels: - severity: warning - - alert: PrometheusOperatorNodeLookupErrors - annotations: - description: Errors while reconciling Prometheus in {{ $labels.namespace }} Namespace. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatornodelookuperrors - summary: Errors while reconciling Prometheus. - expr: rate(prometheus_operator_node_address_lookup_errors_total{job="kube-prometheus-stack-operator",namespace="kube-prometheus-stack"}[5m]) > 0.1 - for: 10m - labels: - severity: warning - - alert: PrometheusOperatorNotReady - annotations: - description: Prometheus operator in {{ $labels.namespace }} namespace isn't ready to reconcile {{ $labels.controller }} resources. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatornotready - summary: Prometheus operator not ready - expr: min by (cluster,controller,namespace) (max_over_time(prometheus_operator_ready{job="kube-prometheus-stack-operator",namespace="kube-prometheus-stack"}[5m]) == 0) - for: 5m - labels: - severity: warning - - alert: PrometheusOperatorRejectedResources - annotations: - description: Prometheus operator in {{ $labels.namespace }} namespace rejected {{ printf "%0.0f" $value }} {{ $labels.controller }}/{{ $labels.resource }} resources. 
- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus-operator/prometheusoperatorrejectedresources - summary: Resources rejected by Prometheus operator - expr: min_over_time(prometheus_operator_managed_resources{state="rejected",job="kube-prometheus-stack-operator",namespace="kube-prometheus-stack"}[5m]) > 0 - for: 5m - labels: - severity: warning ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/prometheus.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: kube-prometheus-stack-prometheus - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - groups: - - name: prometheus - rules: - - alert: PrometheusBadConfig - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} has failed to reload its configuration. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheusbadconfig - summary: Failed Prometheus configuration reload. - expr: |- - # Without max_over_time, failed scrapes could create false negatives, see - # https://www.robustperception.io/alerting-on-gauges-in-prometheus-2-0 for details. - max_over_time(prometheus_config_last_reload_successful{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) == 0 - for: 10m - labels: - severity: critical - - alert: PrometheusSDRefreshFailure - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} has failed to refresh SD with mechanism {{$labels.mechanism}}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheussdrefreshfailure - summary: Failed Prometheus SD refresh. 
- expr: increase(prometheus_sd_refresh_failures_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[10m]) > 0 - for: 20m - labels: - severity: warning - - alert: PrometheusKubernetesListWatchFailures - annotations: - description: Kubernetes service discovery of Prometheus {{$labels.namespace}}/{{$labels.pod}} is experiencing {{ printf "%.0f" $value }} failures with LIST/WATCH requests to the Kubernetes API in the last 5 minutes. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheuskuberneteslistwatchfailures - summary: Requests in Kubernetes SD are failing. - expr: increase(prometheus_sd_kubernetes_failures_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) > 0 - for: 15m - labels: - severity: warning - - alert: PrometheusNotificationQueueRunningFull - annotations: - description: Alert notification queue of Prometheus {{$labels.namespace}}/{{$labels.pod}} is running full. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheusnotificationqueuerunningfull - summary: Prometheus alert notification queue predicted to run full in less than 30m. - expr: |- - # Without min_over_time, failed scrapes could create false negatives, see - # https://www.robustperception.io/alerting-on-gauges-in-prometheus-2-0 for details. - ( - predict_linear(prometheus_notifications_queue_length{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m], 60 * 30) - > - min_over_time(prometheus_notifications_queue_capacity{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) - ) - for: 15m - labels: - severity: warning - - alert: PrometheusErrorSendingAlertsToSomeAlertmanagers - annotations: - description: '{{ printf "%.1f" $value }}% of alerts sent by Prometheus {{$labels.namespace}}/{{$labels.pod}} to Alertmanager {{$labels.alertmanager}} were affected by errors.' 
- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheuserrorsendingalertstosomealertmanagers - summary: More than 1% of alerts sent by Prometheus to a specific Alertmanager were affected by errors. - expr: |- - ( - rate(prometheus_notifications_errors_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) - / - rate(prometheus_notifications_sent_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) - ) - * 100 - > 1 - for: 15m - labels: - severity: warning - - alert: PrometheusNotConnectedToAlertmanagers - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} is not connected to any Alertmanagers. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheusnotconnectedtoalertmanagers - summary: Prometheus is not connected to any Alertmanagers. - expr: |- - # Without max_over_time, failed scrapes could create false negatives, see - # https://www.robustperception.io/alerting-on-gauges-in-prometheus-2-0 for details. - max_over_time(prometheus_notifications_alertmanagers_discovered{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) < 1 - for: 10m - labels: - severity: warning - - alert: PrometheusTSDBReloadsFailing - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} has detected {{$value | humanize}} reload failures over the last 3h. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheustsdbreloadsfailing - summary: Prometheus has issues reloading blocks from disk. - expr: increase(prometheus_tsdb_reloads_failures_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[3h]) > 0 - for: 4h - labels: - severity: warning - - alert: PrometheusTSDBCompactionsFailing - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} has detected {{$value | humanize}} compaction failures over the last 3h. 
- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheustsdbcompactionsfailing - summary: Prometheus has issues compacting blocks. - expr: increase(prometheus_tsdb_compactions_failed_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[3h]) > 0 - for: 4h - labels: - severity: warning - - alert: PrometheusNotIngestingSamples - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} is not ingesting samples. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheusnotingestingsamples - summary: Prometheus is not ingesting samples. - expr: |- - ( - sum without(type) (rate(prometheus_tsdb_head_samples_appended_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m])) <= 0 - and - ( - sum without(scrape_job) (prometheus_target_metadata_cache_entries{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}) > 0 - or - sum without(rule_group) (prometheus_rule_group_rules{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}) > 0 - ) - ) - for: 10m - labels: - severity: warning - - alert: PrometheusDuplicateTimestamps - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} is dropping {{ printf "%.4g" $value }} samples/s with different values but duplicated timestamp. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheusduplicatetimestamps - summary: Prometheus is dropping samples with duplicate timestamps. - expr: rate(prometheus_target_scrapes_sample_duplicate_timestamp_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) > 0 - for: 10m - labels: - severity: warning - - alert: PrometheusOutOfOrderTimestamps - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} is dropping {{ printf "%.4g" $value }} samples/s with timestamps arriving out of order. 
- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheusoutofordertimestamps - summary: Prometheus drops samples with out-of-order timestamps. - expr: rate(prometheus_target_scrapes_sample_out_of_order_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) > 0 - for: 10m - labels: - severity: warning - - alert: PrometheusRemoteStorageFailures - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} failed to send {{ printf "%.1f" $value }}% of the samples to {{ $labels.remote_name}}:{{ $labels.url }} - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheusremotestoragefailures - summary: Prometheus fails to send samples to remote storage. - expr: |- - ( - (rate(prometheus_remote_storage_failed_samples_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) or rate(prometheus_remote_storage_samples_failed_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m])) - / - ( - (rate(prometheus_remote_storage_failed_samples_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) or rate(prometheus_remote_storage_samples_failed_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m])) - + - (rate(prometheus_remote_storage_succeeded_samples_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) or rate(prometheus_remote_storage_samples_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m])) - ) - ) - * 100 - > 1 - for: 15m - labels: - severity: critical - - alert: PrometheusRemoteWriteBehind - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} remote write is {{ printf "%.1f" $value }}s behind for {{ $labels.remote_name}}:{{ $labels.url }}. 
- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheusremotewritebehind - summary: Prometheus remote write is behind. - expr: |- - # Without max_over_time, failed scrapes could create false negatives, see - # https://www.robustperception.io/alerting-on-gauges-in-prometheus-2-0 for details. - ( - max_over_time(prometheus_remote_storage_queue_highest_timestamp_seconds{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) - - - max_over_time(prometheus_remote_storage_queue_highest_sent_timestamp_seconds{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) - ) - > 120 - for: 15m - labels: - severity: critical - - alert: PrometheusRemoteWriteDesiredShards - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} remote write desired shards calculation wants to run {{ $value }} shards for queue {{ $labels.remote_name}}:{{ $labels.url }}, which is more than the max of {{ printf `prometheus_remote_storage_shards_max{instance="%s",job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}` $labels.instance | query | first | value }}. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheusremotewritedesiredshards - summary: Prometheus remote write desired shards calculation wants to run more than configured max shards. - expr: |- - # Without max_over_time, failed scrapes could create false negatives, see - # https://www.robustperception.io/alerting-on-gauges-in-prometheus-2-0 for details. 
- ( - max_over_time(prometheus_remote_storage_shards_desired{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) - > - max_over_time(prometheus_remote_storage_shards_max{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) - ) - for: 15m - labels: - severity: warning - - alert: PrometheusRuleFailures - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} has failed to evaluate {{ printf "%.0f" $value }} rules in the last 5m. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheusrulefailures - summary: Prometheus is failing rule evaluations. - expr: increase(prometheus_rule_evaluation_failures_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) > 0 - for: 15m - labels: - severity: critical - - alert: PrometheusMissingRuleEvaluations - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} has missed {{ printf "%.0f" $value }} rule group evaluations in the last 5m. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheusmissingruleevaluations - summary: Prometheus is missing rule evaluations due to slow rule group evaluation. - expr: increase(prometheus_rule_group_iterations_missed_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) > 0 - for: 15m - labels: - severity: warning - - alert: PrometheusTargetLimitHit - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} has dropped {{ printf "%.0f" $value }} targets because the number of targets exceeded the configured target_limit. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheustargetlimithit - summary: Prometheus has dropped targets because some scrape configs have exceeded the targets limit. 
- expr: increase(prometheus_target_scrape_pool_exceeded_target_limit_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) > 0 - for: 15m - labels: - severity: warning - - alert: PrometheusLabelLimitHit - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} has dropped {{ printf "%.0f" $value }} targets because some samples exceeded the configured label_limit, label_name_length_limit or label_value_length_limit. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheuslabellimithit - summary: Prometheus has dropped targets because some scrape configs have exceeded the labels limit. - expr: increase(prometheus_target_scrape_pool_exceeded_label_limits_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) > 0 - for: 15m - labels: - severity: warning - - alert: PrometheusScrapeBodySizeLimitHit - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} has failed {{ printf "%.0f" $value }} scrapes in the last 5m because some targets exceeded the configured body_size_limit. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheusscrapebodysizelimithit - summary: Prometheus has dropped some targets that exceeded body size limit. - expr: increase(prometheus_target_scrapes_exceeded_body_size_limit_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) > 0 - for: 15m - labels: - severity: warning - - alert: PrometheusScrapeSampleLimitHit - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} has failed {{ printf "%.0f" $value }} scrapes in the last 5m because some targets exceeded the configured sample_limit. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheusscrapesamplelimithit - summary: Prometheus has failed scrapes that have exceeded the configured sample limit. 
- expr: increase(prometheus_target_scrapes_exceeded_sample_limit_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) > 0 - for: 15m - labels: - severity: warning - - alert: PrometheusTargetSyncFailure - annotations: - description: '{{ printf "%.0f" $value }} targets in Prometheus {{$labels.namespace}}/{{$labels.pod}} have failed to sync because invalid configuration was supplied.' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheustargetsyncfailure - summary: Prometheus has failed to sync targets. - expr: increase(prometheus_target_sync_failed_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[30m]) > 0 - for: 5m - labels: - severity: critical - - alert: PrometheusHighQueryLoad - annotations: - description: Prometheus {{$labels.namespace}}/{{$labels.pod}} query API has less than 20% available capacity in its query engine for the last 15 minutes. - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheushighqueryload - summary: Prometheus is reaching its maximum capacity serving concurrent requests. - expr: avg_over_time(prometheus_engine_queries{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) / max_over_time(prometheus_engine_queries_concurrent_max{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack"}[5m]) > 0.8 - for: 15m - labels: - severity: warning - - alert: PrometheusErrorSendingAlertsToAnyAlertmanager - annotations: - description: '{{ printf "%.1f" $value }}% minimum errors while sending alerts from Prometheus {{$labels.namespace}}/{{$labels.pod}} to any Alertmanager.' - runbook_url: https://runbooks.prometheus-operator.dev/runbooks/prometheus/prometheuserrorsendingalertstoanyalertmanager - summary: Prometheus encounters more than 3% errors sending alerts to any Alertmanager. 
- expr: |- - min without (alertmanager) ( - rate(prometheus_notifications_errors_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack",alertmanager!~``}[5m]) - / - rate(prometheus_notifications_sent_total{job="kube-prometheus-stack-prometheus",namespace="kube-prometheus-stack",alertmanager!~``}[5m]) - ) - * 100 - > 3 - for: 15m - labels: - severity: critical ---- -# Source: kube-prometheus-stack/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-kube-prometheus-stack - namespace: kube-prometheus-stack - labels: - app.kubernetes.io/name: redis-replication-kube-prometheus-stack - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/part-of: kube-prometheus-stack -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.0.3 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi - redisExporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.48.0 ---- -# Source: kube-prometheus-stack/templates/scrape-config.yaml -apiVersion: monitoring.coreos.com/v1alpha1 -kind: ScrapeConfig -metadata: - name: external-nodes-http - namespace: kube-prometheus-stack - labels: - app.kubernetes.io/name: external-nodes-http - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/part-of: kube-prometheus-stack -spec: - staticConfigs: - - labels: - job: external-nodes - targets: - - ps08rp.alexlebens.net:9100 - - ps09rp.alexlebens.net:9100 - metricsPath: /metrics - scheme: HTTP ---- -# Source: kube-prometheus-stack/templates/scrape-config.yaml -apiVersion: monitoring.coreos.com/v1alpha1 -kind: ScrapeConfig -metadata: - name: external-nodes-https - namespace: kube-prometheus-stack - 
labels: - app.kubernetes.io/name: external-nodes-https - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/part-of: kube-prometheus-stack -spec: - staticConfigs: - - labels: - job: external-nodes - targets: - - node-exporter-ps10rp.boreal-beaufort.ts.net - metricsPath: /metrics - scheme: HTTPS ---- -# Source: kube-prometheus-stack/templates/scrape-config.yaml -apiVersion: monitoring.coreos.com/v1alpha1 -kind: ScrapeConfig -metadata: - name: airgradient-http - namespace: kube-prometheus-stack - labels: - app.kubernetes.io/name: airgradient-http - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/part-of: kube-prometheus-stack -spec: - staticConfigs: - - labels: - job: airgradient - targets: - - it01ag.alexlebens.net:9926 - metricsPath: /metrics - scheme: HTTP ---- -# Source: kube-prometheus-stack/templates/scrape-config.yaml -apiVersion: monitoring.coreos.com/v1alpha1 -kind: ScrapeConfig -metadata: - name: garage-https - namespace: kube-prometheus-stack - labels: - app.kubernetes.io/name: garage-https - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/part-of: kube-prometheus-stack -spec: - staticConfigs: - - labels: - job: garage - targets: - - garage-ps10rp.boreal-beaufort.ts.net:3903 - metricsPath: /metrics - scrapeInterval: 1m - scheme: HTTPS - authorization: - type: Bearer - credentials: - key: token - name: garage-metric-secret ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: kube-prometheus-stack-kube-state-metrics - namespace: kube-prometheus-stack - labels: - helm.sh/chart: kube-state-metrics-6.4.2 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: metrics - app.kubernetes.io/part-of: kube-state-metrics - app.kubernetes.io/name: kube-state-metrics - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: 
"2.17.0" - release: kube-prometheus-stack -spec: - jobLabel: app.kubernetes.io/name - selector: - matchLabels: - app.kubernetes.io/name: kube-state-metrics - app.kubernetes.io/instance: kube-prometheus-stack - endpoints: - - port: http - honorLabels: true ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: kube-prometheus-stack-prometheus-node-exporter - namespace: kube-prometheus-stack - labels: - helm.sh/chart: prometheus-node-exporter-4.49.2 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: metrics - app.kubernetes.io/part-of: prometheus-node-exporter - app.kubernetes.io/name: prometheus-node-exporter - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "1.10.2" - release: kube-prometheus-stack -spec: - jobLabel: jobLabel - - selector: - matchLabels: - app.kubernetes.io/name: prometheus-node-exporter - app.kubernetes.io/instance: kube-prometheus-stack - attachMetadata: - node: false - endpoints: - - port: http-metrics - scheme: http ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/alertmanager/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: kube-prometheus-stack-alertmanager - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack-alertmanager - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - - selector: - matchLabels: - app: kube-prometheus-stack-alertmanager - release: "kube-prometheus-stack" - self-monitor: "true" - namespaceSelector: - matchNames: - - "kube-prometheus-stack" - endpoints: - - port: http-web - enableHttp2: true - path: 
"/metrics" - - port: reloader-web - path: "/metrics" ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/exporters/core-dns/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: kube-prometheus-stack-coredns - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack-coredns - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - jobLabel: jobLabel - - selector: - matchLabels: - app: kube-prometheus-stack-coredns - release: "kube-prometheus-stack" - namespaceSelector: - matchNames: - - "kube-system" - endpoints: - - port: http-metrics - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/exporters/kube-api-server/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: kube-prometheus-stack-apiserver - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack-apiserver - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - - endpoints: - - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - port: https - scheme: https - metricRelabelings: - - action: drop - regex: (etcd_request|apiserver_request_slo|apiserver_request_sli|apiserver_request)_duration_seconds_bucket;(0\.15|0\.2|0\.3|0\.35|0\.4|0\.45|0\.6|0\.7|0\.8|0\.9|1\.25|1\.5|1\.75|2|3|3\.5|4|4\.5|6|7|8|9|15|20|40|45|50)(\.0)? 
- sourceLabels: - - __name__ - - le - tlsConfig: - caFile: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - serverName: kubernetes - insecureSkipVerify: true - jobLabel: component - namespaceSelector: - matchNames: - - default - selector: - matchLabels: - component: apiserver - provider: kubernetes ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/exporters/kube-etcd/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: kube-prometheus-stack-kube-etcd - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack-kube-etcd - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - jobLabel: jobLabel - - selector: - matchLabels: - app: kube-prometheus-stack-kube-etcd - release: "kube-prometheus-stack" - namespaceSelector: - matchNames: - - "kube-system" - endpoints: - - port: http-metrics - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - metricRelabelings: - - action: labeldrop - regex: pod - relabelings: - - action: replace - regex: ^(.*)$ - replacement: $1 - separator: ; - sourceLabels: - - __meta_kubernetes_pod_node_name - targetLabel: nodename ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/exporters/kubelet/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: kube-prometheus-stack-kubelet - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack-kubelet - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - - 
attachMetadata: - node: false - jobLabel: k8s-app - namespaceSelector: - matchNames: - - kube-system - selector: - matchLabels: - app.kubernetes.io/name: kubelet - k8s-app: kubelet - endpoints: - - port: https-metrics - scheme: https - tlsConfig: - caFile: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecureSkipVerify: true - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - honorLabels: true - honorTimestamps: true - metricRelabelings: - - action: drop - regex: (csi_operations|storage_operation_duration)_seconds_bucket;(0.25|2.5|15|25|120|600)(\.0)? - sourceLabels: - - __name__ - - le - relabelings: - - action: replace - sourceLabels: - - __metrics_path__ - targetLabel: metrics_path - - port: https-metrics - scheme: https - path: /metrics/cadvisor - interval: 10s - honorLabels: true - honorTimestamps: true - trackTimestampsStaleness: true - tlsConfig: - caFile: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecureSkipVerify: true - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - metricRelabelings: - - action: drop - regex: container_cpu_(cfs_throttled_seconds_total|load_average_10s|system_seconds_total|user_seconds_total) - sourceLabels: - - __name__ - - action: drop - regex: container_fs_(io_current|io_time_seconds_total|io_time_weighted_seconds_total|reads_merged_total|sector_reads_total|sector_writes_total|writes_merged_total) - sourceLabels: - - __name__ - - action: drop - regex: container_memory_(mapped_file|swap) - sourceLabels: - - __name__ - - action: drop - regex: container_(file_descriptors|tasks_state|threads_max) - sourceLabels: - - __name__ - - action: drop - regex: container_memory_failures_total;hierarchy - sourceLabels: - - __name__ - - scope - - action: drop - regex: container_network_.*;(cali|cilium|cni|lxc|nodelocaldns|tunl).* - sourceLabels: - - __name__ - - interface - - action: drop - regex: container_spec.* - sourceLabels: - - __name__ - - action: drop - regex: .+; - 
sourceLabels: - - id - - pod - relabelings: - - action: replace - sourceLabels: - - __metrics_path__ - targetLabel: metrics_path - - port: https-metrics - scheme: https - path: /metrics/probes - honorLabels: true - honorTimestamps: true - tlsConfig: - caFile: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecureSkipVerify: true - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - relabelings: - - action: replace - sourceLabels: - - __metrics_path__ - targetLabel: metrics_path ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: kube-prometheus-stack-operator - namespace: kube-prometheus-stack - labels: - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app: kube-prometheus-stack-operator - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator -spec: - - endpoints: - - port: https - scheme: https - tlsConfig: - serverName: kube-prometheus-stack-operator - ca: - secret: - name: kube-prometheus-stack-admission - key: ca - optional: false - honorLabels: true - selector: - matchLabels: - app: kube-prometheus-stack-operator - release: "kube-prometheus-stack" - namespaceSelector: - matchNames: - - "kube-prometheus-stack" ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: kube-prometheus-stack-prometheus - namespace: kube-prometheus-stack - labels: - app: kube-prometheus-stack-prometheus - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - 
app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" -spec: - - selector: - matchLabels: - app: kube-prometheus-stack-prometheus - release: "kube-prometheus-stack" - self-monitor: "true" - namespaceSelector: - matchNames: - - "kube-prometheus-stack" - endpoints: - - port: http-web - path: "/metrics" - - port: reloader-web - path: "/metrics" ---- -# Source: kube-prometheus-stack/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: redis-replication-kube-prometheus-stack - namespace: kube-prometheus-stack - labels: - app.kubernetes.io/name: redis-replication-kube-prometheus-stack - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/part-of: kube-prometheus-stack - redis-operator: "true" - env: production -spec: - selector: - matchLabels: - redis_setup_type: replication - endpoints: - - port: redis-exporter - interval: 30s - scrapeTimeout: 10s ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: kube-prometheus-stack-admission - annotations: - - argocd.argoproj.io/hook: PreSync - labels: - app: kube-prometheus-stack-admission - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator-webhook -webhooks: - - name: prometheusrulevalidate.monitoring.coreos.com - failurePolicy: Ignore - rules: - - apiGroups: - - monitoring.coreos.com - apiVersions: 
- - "*" - resources: - - prometheusrules - operations: - - CREATE - - UPDATE - clientConfig: - service: - namespace: kube-prometheus-stack - name: kube-prometheus-stack-operator - path: /admission-prometheusrules/validate - timeoutSeconds: 10 - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - - name: alertmanagerconfigsvalidate.monitoring.coreos.com - failurePolicy: Ignore - rules: - - apiGroups: - - monitoring.coreos.com - apiVersions: - - v1alpha1 - resources: - - alertmanagerconfigs - operations: - - CREATE - - UPDATE - clientConfig: - service: - namespace: kube-prometheus-stack - name: kube-prometheus-stack-operator - path: /admission-alertmanagerconfigs/validate - timeoutSeconds: 10 - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-prometheus-stack-admission - namespace: kube-prometheus-stack - annotations: - "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - labels: - app: kube-prometheus-stack-admission - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator-webhook -automountServiceAccountToken: true ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kube-prometheus-stack-admission - annotations: - "helm.sh/hook": 
pre-install,pre-upgrade,post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - labels: - app: kube-prometheus-stack-admission - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator-webhook -rules: - - apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - - mutatingwebhookconfigurations - verbs: - - get - - update ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kube-prometheus-stack-admission - annotations: - "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - labels: - app: kube-prometheus-stack-admission - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kube-prometheus-stack-admission -subjects: - - kind: ServiceAccount - name: kube-prometheus-stack-admission - namespace: kube-prometheus-stack ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/role.yaml -apiVersion: 
rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: kube-prometheus-stack-admission - namespace: kube-prometheus-stack - annotations: - "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - labels: - app: kube-prometheus-stack-admission - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator-webhook -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: kube-prometheus-stack-admission - namespace: kube-prometheus-stack - annotations: - "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - labels: - app: kube-prometheus-stack-admission - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kube-prometheus-stack-admission -subjects: - - kind: ServiceAccount - name: kube-prometheus-stack-admission - namespace: kube-prometheus-stack ---- -# Source: 
kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: kube-prometheus-stack-admission-create - namespace: kube-prometheus-stack - annotations: - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - argocd.argoproj.io/hook: PreSync - argocd.argoproj.io/hook-delete-policy: HookSucceeded - labels: - app: kube-prometheus-stack-admission-create - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator-webhook -spec: - ttlSecondsAfterFinished: 60 - template: - metadata: - name: kube-prometheus-stack-admission-create - labels: - app: kube-prometheus-stack-admission-create - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator-webhook - spec: - containers: - - name: create - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.5 - imagePullPolicy: IfNotPresent - args: - - create - - --host=kube-prometheus-stack-operator,kube-prometheus-stack-operator.kube-prometheus-stack.svc - - --namespace=kube-prometheus-stack - - --secret-name=kube-prometheus-stack-admission - securityContext: - - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - resources: - {} - restartPolicy: 
OnFailure - serviceAccountName: kube-prometheus-stack-admission - securityContext: - runAsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - seccompProfile: - type: RuntimeDefault ---- -# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: kube-prometheus-stack-admission-patch - namespace: kube-prometheus-stack - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - argocd.argoproj.io/hook: PreSync - argocd.argoproj.io/hook-delete-policy: HookSucceeded - labels: - app: kube-prometheus-stack-admission-patch - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator-webhook -spec: - ttlSecondsAfterFinished: 60 - template: - metadata: - name: kube-prometheus-stack-admission-patch - labels: - app: kube-prometheus-stack-admission-patch - - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/version: "79.11.0" - app.kubernetes.io/part-of: kube-prometheus-stack - chart: kube-prometheus-stack-79.11.0 - release: "kube-prometheus-stack" - heritage: "Helm" - app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator - app.kubernetes.io/component: prometheus-operator-webhook - spec: - containers: - - name: patch - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.5 - imagePullPolicy: IfNotPresent - args: - - patch - - --webhook-name=kube-prometheus-stack-admission - - --namespace=kube-prometheus-stack - - --secret-name=kube-prometheus-stack-admission - - 
--patch-failure-policy= - securityContext: - - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - resources: - {} - restartPolicy: OnFailure - serviceAccountName: kube-prometheus-stack-admission - securityContext: - runAsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - seccompProfile: - type: RuntimeDefault diff --git a/clusters/cl01tl/manifests/kubelet-serving-cert-approver/kubelet-serving-cert-approver.yaml b/clusters/cl01tl/manifests/kubelet-serving-cert-approver/kubelet-serving-cert-approver.yaml deleted file mode 100644 index 36c1a92d3..000000000 --- a/clusters/cl01tl/manifests/kubelet-serving-cert-approver/kubelet-serving-cert-approver.yaml +++ /dev/null 
@@ -1,254 +0,0 @@ ---- -# Source: kubelet-serving-cert-approver/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: kubelet-serving-cert-approver - labels: - app.kubernetes.io/name: kubelet-serving-cert-approver - app.kubernetes.io/instance: kubelet-serving-cert-approver - app.kubernetes.io/part-of: kubelet-serving-cert-approver - pod-security.kubernetes.io/audit: restricted - pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/warn: restricted ---- -# Source: kubelet-serving-cert-approver/charts/kubelet-serving-cert-approver/templates/common.yaml ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kubelet-serving-cert-approver - labels: - app.kubernetes.io/instance: kubelet-serving-cert-approver - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: kubelet-serving-cert-approver - helm.sh/chart: kubelet-serving-cert-approver-4.4.0 - namespace: kubelet-serving-cert-approver -secrets: - - name: kubelet-serving-cert-approver-kubelet-serving-cert-approver-sa-token ---- -# Source: kubelet-serving-cert-approver/charts/kubelet-serving-cert-approver/templates/common.yaml -apiVersion: v1 -kind: Secret -type: kubernetes.io/service-account-token -metadata: - name: kubelet-serving-cert-approver-kubelet-serving-cert-approver-sa-token - labels: - app.kubernetes.io/instance: kubelet-serving-cert-approver - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: kubelet-serving-cert-approver - helm.sh/chart: kubelet-serving-cert-approver-4.4.0 - annotations: - kubernetes.io/service-account.name: kubelet-serving-cert-approver - namespace: kubelet-serving-cert-approver ---- -# Source: kubelet-serving-cert-approver/templates/cluster-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: "certificates-kubelet-serving-cert-approver" - namespace: kubelet-serving-cert-approver - labels: - app.kubernetes.io/name: "certificates-kubelet-serving-cert-approver" - 
app.kubernetes.io/instance: kubelet-serving-cert-approver - app.kubernetes.io/part-of: kubelet-serving-cert-approver -rules: - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - get - - list - - watch - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/approval - verbs: - - update - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - - apiGroups: - - certificates.k8s.io - resourceNames: - - kubernetes.io/kubelet-serving - resources: - - signers - verbs: - - approve ---- -# Source: kubelet-serving-cert-approver/templates/cluster-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: "events-kubelet-serving-cert-approver" - namespace: kubelet-serving-cert-approver - labels: - app.kubernetes.io/name: "events-kubelet-serving-cert-approver" - app.kubernetes.io/instance: kubelet-serving-cert-approver - app.kubernetes.io/part-of: kubelet-serving-cert-approver -rules: - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -# Source: kubelet-serving-cert-approver/templates/cluster-role-binding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kubelet-serving-cert-approver - namespace: kubelet-serving-cert-approver - labels: - app.kubernetes.io/name: kubelet-serving-cert-approver - app.kubernetes.io/instance: kubelet-serving-cert-approver - app.kubernetes.io/part-of: kubelet-serving-cert-approver -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "certificates-kubelet-serving-cert-approver" -subjects: - - kind: ServiceAccount - name: kubelet-serving-cert-approver - namespace: kubelet-serving-cert-approver ---- -# Source: kubelet-serving-cert-approver/templates/role-binding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: "events-kubelet-serving-cert-approver" - namespace: 
kubelet-serving-cert-approver - labels: - app.kubernetes.io/name: "events-kubelet-serving-cert-approver" - app.kubernetes.io/instance: kubelet-serving-cert-approver - app.kubernetes.io/part-of: kubelet-serving-cert-approver -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "events-kubelet-serving-cert-approver" -subjects: - - kind: ServiceAccount - name: kubelet-serving-cert-approver - namespace: kubelet-serving-cert-approver ---- -# Source: kubelet-serving-cert-approver/charts/kubelet-serving-cert-approver/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: kubelet-serving-cert-approver - labels: - app.kubernetes.io/instance: kubelet-serving-cert-approver - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: kubelet-serving-cert-approver - app.kubernetes.io/service: kubelet-serving-cert-approver - helm.sh/chart: kubelet-serving-cert-approver-4.4.0 - namespace: kubelet-serving-cert-approver -spec: - type: ClusterIP - ports: - - port: 8080 - targetPort: 8080 - protocol: TCP - name: health - - port: 9090 - targetPort: 9090 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: kubelet-serving-cert-approver - app.kubernetes.io/name: kubelet-serving-cert-approver ---- -# Source: kubelet-serving-cert-approver/charts/kubelet-serving-cert-approver/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kubelet-serving-cert-approver - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: kubelet-serving-cert-approver - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: kubelet-serving-cert-approver - helm.sh/chart: kubelet-serving-cert-approver-4.4.0 - namespace: kubelet-serving-cert-approver -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: kubelet-serving-cert-approver - 
app.kubernetes.io/instance: kubelet-serving-cert-approver - template: - metadata: - annotations: - checksum/secrets: 591a33eca0bc5c4a8475d0538f3f4840841582c86a3ac2c97147b2b00e5774c5 - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: kubelet-serving-cert-approver - app.kubernetes.io/name: kubelet-serving-cert-approver - spec: - enableServiceLinks: false - serviceAccountName: kubelet-serving-cert-approver - automountServiceAccountToken: true - priorityClassName: system-cluster-critical - securityContext: - fsGroup: 65534 - runAsGroup: 65534 - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: node-role.kubernetes.io/master - operator: DoesNotExist - - key: node-role.kubernetes.io/control-plane - operator: DoesNotExist - weight: 100 - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists - containers: - - args: - - serve - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: ghcr.io/alex1989hu/kubelet-serving-cert-approver:0.10.0 - imagePullPolicy: Always - name: main - resources: - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true diff --git a/clusters/cl01tl/manifests/kubernetes-cloudflare-ddns/kubernetes-cloudflare-ddns.yaml b/clusters/cl01tl/manifests/kubernetes-cloudflare-ddns/kubernetes-cloudflare-ddns.yaml deleted file mode 100644 index 6e3db6ae2..000000000 --- a/clusters/cl01tl/manifests/kubernetes-cloudflare-ddns/kubernetes-cloudflare-ddns.yaml +++ /dev/null 
@@ -1,96 +0,0 @@ ---- -# Source: kubernetes-cloudflare-ddns/charts/kubernetes-cloudflare-ddns/templates/common.yaml ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: kubernetes-cloudflare-ddns - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: kubernetes-cloudflare-ddns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: kubernetes-cloudflare-ddns - helm.sh/chart: kubernetes-cloudflare-ddns-4.4.0 - namespace: kubernetes-cloudflare-ddns -spec: - suspend: false - concurrencyPolicy: Forbid - startingDeadlineSeconds: 90 - timeZone: US/Central - schedule: "30 4 * * *" - successfulJobsHistoryLimit: 3 - failedJobsHistoryLimit: 3 - jobTemplate: - spec: - parallelism: 1 - backoffLimit: 3 - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: kubernetes-cloudflare-ddns - app.kubernetes.io/name: kubernetes-cloudflare-ddns - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - restartPolicy: Never - containers: - - envFrom: - - secretRef: - name: kubernetes-cloudflare-ddns-secret - image: kubitodev/kubernetes-cloudflare-ddns:2.0.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: kubernetes-cloudflare-ddns/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: kubernetes-cloudflare-ddns-secret - namespace: kubernetes-cloudflare-ddns - labels: - app.kubernetes.io/name: kubernetes-cloudflare-ddns-secret - app.kubernetes.io/instance: kubernetes-cloudflare-ddns - app.kubernetes.io/part-of: kubernetes-cloudflare-ddns -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: AUTH_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/alexlebens.net/ddns - metadataPolicy: None - 
property: token - - secretKey: NAME - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/alexlebens.net/ddns - metadataPolicy: None - property: name - - secretKey: RECORD_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/alexlebens.net/ddns - metadataPolicy: None - property: record-id - - secretKey: ZONE_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/alexlebens.net/ddns - metadataPolicy: None - property: zone-id diff --git a/clusters/cl01tl/manifests/libation/libation.yaml b/clusters/cl01tl/manifests/libation/libation.yaml deleted file mode 100644 index d7a8a0d3c..000000000 --- a/clusters/cl01tl/manifests/libation/libation.yaml +++ /dev/null 
@@ -1,129 +0,0 @@ ---- -# Source: libation/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: libation-nfs-storage - namespace: libation - labels: - app.kubernetes.io/name: libation-nfs-storage - app.kubernetes.io/instance: libation - app.kubernetes.io/part-of: libation -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage/Audiobooks/ - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: libation/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: libation-config - namespace: libation - labels: - app.kubernetes.io/name: libation-config - app.kubernetes.io/instance: libation - app.kubernetes.io/part-of: libation -spec: - storageClassName: nfs-client - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - volumeMode: Filesystem ---- -# Source: libation/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: libation-nfs-storage - namespace: libation - labels: - app.kubernetes.io/name: libation-nfs-storage - app.kubernetes.io/instance: libation - app.kubernetes.io/part-of: libation -spec: - volumeName: libation-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: libation/charts/libation/templates/common.yaml ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: libation - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: libation - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: libation - helm.sh/chart: libation-4.4.0 - namespace: libation -spec: - suspend: false - concurrencyPolicy: Forbid - startingDeadlineSeconds: 90 - timeZone: US/Central - schedule: "30 4 * * *" - successfulJobsHistoryLimit: 3 - 
failedJobsHistoryLimit: 3 - jobTemplate: - spec: - parallelism: 1 - backoffLimit: 3 - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: libation - app.kubernetes.io/name: libation - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - restartPolicy: Never - containers: - - env: - - name: SLEEP_TIME - value: "-1" - - name: LIBATION_BOOKS_DIR - value: /data - image: rmcrackan/libation:12.8.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /config - name: config - - mountPath: /data - name: data - volumes: - - name: config - persistentVolumeClaim: - claimName: libation-config - - name: data - persistentVolumeClaim: - claimName: libation-nfs-storage diff --git a/clusters/cl01tl/manifests/lidarr/lidarr.yaml b/clusters/cl01tl/manifests/lidarr/lidarr.yaml deleted file mode 100644 index 956cf19d9..000000000 --- a/clusters/cl01tl/manifests/lidarr/lidarr.yaml +++ /dev/null 
@@ -1,928 +0,0 @@ ---- -# Source: lidarr/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: lidarr-nfs-storage - namespace: lidarr - labels: - app.kubernetes.io/name: lidarr-nfs-storage - app.kubernetes.io/instance: lidarr - app.kubernetes.io/part-of: lidarr -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: lidarr/charts/lidarr/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: lidarr-config - labels: - app.kubernetes.io/instance: lidarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: lidarr - helm.sh/chart: lidarr-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: lidarr -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "10Gi" - storageClassName: "ceph-block" ---- -# Source: lidarr/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: lidarr-nfs-storage - namespace: lidarr - labels: - app.kubernetes.io/name: lidarr-nfs-storage - app.kubernetes.io/instance: lidarr - app.kubernetes.io/part-of: lidarr -spec: - volumeName: lidarr-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: lidarr/charts/lidarr/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: lidarr - labels: - app.kubernetes.io/instance: lidarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: lidarr - app.kubernetes.io/service: lidarr - helm.sh/chart: lidarr-4.4.0 - namespace: lidarr -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8686 - protocol: TCP - name: http - - port: 9792 - targetPort: 9792 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: 
main - app.kubernetes.io/instance: lidarr - app.kubernetes.io/name: lidarr ---- -# Source: lidarr/charts/lidarr/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: lidarr - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: lidarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: lidarr - helm.sh/chart: lidarr-4.4.0 - namespace: lidarr -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: lidarr - app.kubernetes.io/instance: lidarr - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: lidarr - app.kubernetes.io/name: lidarr - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: PUID - value: "1000" - - name: PGID - value: "1000" - image: ghcr.io/linuxserver/lidarr:2.14.5@sha256:5e1235d00b5d1c1f60ca0d472e554a6611aef41aa7b5b6d88260214bf4809af0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 100m - memory: 256Mi - volumeMounts: - - mountPath: /config - name: config - - mountPath: /mnt/store - name: media - - args: - - lidarr - env: - - name: URL - value: http://localhost - - name: CONFIG - value: /config/config.xml - - name: PORT - value: "9792" - - name: ENABLE_ADDITIONAL_METRICS - value: "false" - - name: ENABLE_UNKNOWN_QUEUE_ITEMS - value: "false" - image: ghcr.io/onedr0p/exportarr:v2.3.0 - imagePullPolicy: IfNotPresent - name: metrics - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /config - name: config - readOnly: true - volumes: - - name: config - persistentVolumeClaim: - 
claimName: lidarr-config - - name: media - persistentVolumeClaim: - claimName: lidarr-nfs-storage ---- -# Source: lidarr/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: lidarr2-postgresql-17-cluster - namespace: lidarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: lidarr2-postgresql-17 - app.kubernetes.io/instance: lidarr - app.kubernetes.io/part-of: lidarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "lidarr2-postgresql-17-external-backup" - serverName: "lidarr2-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "lidarr2-postgresql-17-garage-local-backup" - serverName: "lidarr2-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "lidarr2-postgresql-17-recovery" - serverName: lidarr2-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 200m - memory: 1Gi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: 
lidarr2-postgresql-17-backup-1 - - externalClusters: - - name: lidarr2-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "lidarr2-postgresql-17-recovery" - serverName: lidarr2-postgresql-17-backup-1 ---- -# Source: lidarr/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: lidarr-config-backup-secret - namespace: lidarr - labels: - app.kubernetes.io/name: lidarr-config-backup-secret - app.kubernetes.io/instance: lidarr - app.kubernetes.io/part-of: lidarr -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/lidarr2/lidarr2-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: lidarr/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: lidarr-postgresql-17-cluster-backup-secret - namespace: lidarr - labels: - 
app.kubernetes.io/name: lidarr-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: lidarr - app.kubernetes.io/part-of: lidarr -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: lidarr/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: lidarr-postgresql-17-cluster-backup-secret-garage - namespace: lidarr - labels: - app.kubernetes.io/name: lidarr-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: lidarr - app.kubernetes.io/part-of: lidarr -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: lidarr/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-lidarr - namespace: lidarr - labels: - app.kubernetes.io/name: http-route-lidarr - app.kubernetes.io/instance: lidarr - app.kubernetes.io/part-of: lidarr -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - 
namespace: traefik - hostnames: - - lidarr.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: lidarr - port: 80 - weight: 100 ---- -# Source: lidarr/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "lidarr2-postgresql-17-external-backup" - namespace: lidarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: lidarr2-postgresql-17 - app.kubernetes.io/instance: lidarr - app.kubernetes.io/part-of: lidarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/lidarr2/lidarr2-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: lidarr-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: lidarr-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: lidarr/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "lidarr2-postgresql-17-garage-local-backup" - namespace: lidarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: lidarr2-postgresql-17 - app.kubernetes.io/instance: lidarr - app.kubernetes.io/part-of: lidarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/lidarr/lidarr2-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: lidarr-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: lidarr-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: lidarr-postgresql-17-cluster-backup-secret-garage 
- key: ACCESS_REGION ---- -# Source: lidarr/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "lidarr2-postgresql-17-recovery" - namespace: lidarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: lidarr2-postgresql-17 - app.kubernetes.io/instance: lidarr - app.kubernetes.io/part-of: lidarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/lidarr/lidarr2-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: lidarr-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: lidarr-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: lidarr/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: lidarr2-postgresql-17-alert-rules - namespace: lidarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: lidarr2-postgresql-17 - app.kubernetes.io/instance: lidarr - app.kubernetes.io/part-of: lidarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/lidarr2-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: lidarr - cnpg_cluster: lidarr2-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. 
- description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: lidarr - cnpg_cluster: lidarr2-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="lidarr"} - cnpg_pg_replication_is_wal_receiver_up{namespace="lidarr"}) < 1 - for: 5m - labels: - severity: critical - namespace: lidarr - cnpg_cluster: lidarr2-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. 
The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="lidarr"} - cnpg_pg_replication_is_wal_receiver_up{namespace="lidarr"}) < 2 - for: 5m - labels: - severity: warning - namespace: lidarr - cnpg_cluster: lidarr2-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "lidarr/lidarr2-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="lidarr", pod=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="lidarr", pod=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: lidarr - cnpg_cluster: lidarr2-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "lidarr/lidarr2-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="lidarr", pod=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="lidarr", pod=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: lidarr - cnpg_cluster: lidarr2-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "lidarr/lidarr2-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="lidarr",pod=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: lidarr - cnpg_cluster: lidarr2-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "lidarr/lidarr2-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="lidarr", pod=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: lidarr - cnpg_cluster: lidarr2-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: lidarr - cnpg_cluster: lidarr2-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "lidarr/lidarr2-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="lidarr", persistentvolumeclaim=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="lidarr", persistentvolumeclaim=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="lidarr", persistentvolumeclaim=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="lidarr", persistentvolumeclaim=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="lidarr", persistentvolumeclaim=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="lidarr", persistentvolumeclaim=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: lidarr - cnpg_cluster: lidarr2-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "lidarr/lidarr2-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="lidarr", persistentvolumeclaim=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="lidarr", persistentvolumeclaim=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="lidarr", persistentvolumeclaim=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="lidarr", persistentvolumeclaim=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="lidarr", persistentvolumeclaim=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="lidarr", persistentvolumeclaim=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: lidarr - cnpg_cluster: lidarr2-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "lidarr/lidarr2-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="lidarr",pod=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: lidarr - cnpg_cluster: lidarr2-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: lidarr - cnpg_cluster: lidarr2-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: lidarr - cnpg_cluster: lidarr2-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: lidarr - cnpg_cluster: lidarr2-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "lidarr/lidarr2-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="lidarr", pod=~"lidarr2-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: lidarr - cnpg_cluster: lidarr2-postgresql-17-cluster ---- -# Source: lidarr/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: lidarr - namespace: lidarr - labels: - app.kubernetes.io/name: lidarr - app.kubernetes.io/instance: lidarr - app.kubernetes.io/part-of: lidarr -spec: - groups: - - name: lidarr - rules: - - alert: ExportarrAbsent - annotations: - description: Lidarr Exportarr has disappeared from Prometheus - service discovery. - summary: Exportarr is down. - expr: | - absent(up{job=~".*lidarr.*"} == 1) - for: 5m - labels: - severity: critical - - alert: LidarrDown - annotations: - description: Lidarr service is down. - summary: Lidarr is down. 
- expr: | - lidarr_system_status{job=~".*lidarr.*"} == 0 - for: 5m - labels: - severity: critical ---- -# Source: lidarr/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: lidarr-config-backup-source - namespace: lidarr - labels: - app.kubernetes.io/name: lidarr-config-backup-source - app.kubernetes.io/instance: lidarr - app.kubernetes.io/part-of: lidarr -spec: - sourcePVC: lidarr-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: lidarr-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - moverSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: lidarr/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "lidarr2-postgresql-17-daily-backup-scheduled-backup" - namespace: lidarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: lidarr2-postgresql-17 - app.kubernetes.io/instance: lidarr - app.kubernetes.io/part-of: lidarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: lidarr2-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "lidarr2-postgresql-17-external-backup" ---- -# Source: lidarr/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "lidarr2-postgresql-17-live-backup-scheduled-backup" - namespace: lidarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: lidarr2-postgresql-17 - app.kubernetes.io/instance: lidarr - app.kubernetes.io/part-of: lidarr - 
app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: lidarr2-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "lidarr2-postgresql-17-garage-local-backup" ---- -# Source: lidarr/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: lidarr - namespace: lidarr - labels: - app.kubernetes.io/name: lidarr - app.kubernetes.io/instance: lidarr - app.kubernetes.io/part-of: lidarr -spec: - selector: - matchLabels: - app.kubernetes.io/name: lidarr - app.kubernetes.io/instance: lidarr - endpoints: - - port: metrics - interval: 3m - scrapeTimeout: 1m - path: /metrics diff --git a/clusters/cl01tl/manifests/lidatube/lidatube.yaml b/clusters/cl01tl/manifests/lidatube/lidatube.yaml deleted file mode 100644 index d9eb9fdc7..000000000 --- a/clusters/cl01tl/manifests/lidatube/lidatube.yaml +++ /dev/null 
@@ -1,221 +0,0 @@ ---- -# Source: lidatube/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: lidatube-nfs-storage - namespace: lidatube - labels: - app.kubernetes.io/name: lidatube-nfs-storage - app.kubernetes.io/instance: lidatube - app.kubernetes.io/part-of: lidatube -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage/Music - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: lidatube/charts/lidatube/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: lidatube-config - labels: - app.kubernetes.io/instance: lidatube - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: lidatube - helm.sh/chart: lidatube-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: lidatube -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: lidatube/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: lidatube-nfs-storage - namespace: lidatube - labels: - app.kubernetes.io/name: lidatube-nfs-storage - app.kubernetes.io/instance: lidatube - app.kubernetes.io/part-of: lidatube -spec: - volumeName: lidatube-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: lidatube/charts/lidatube/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: lidatube - labels: - app.kubernetes.io/instance: lidatube - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: lidatube - app.kubernetes.io/service: lidatube - helm.sh/chart: lidatube-4.4.0 - namespace: lidatube -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 5000 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - 
app.kubernetes.io/instance: lidatube - app.kubernetes.io/name: lidatube ---- -# Source: lidatube/charts/lidatube/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: lidatube - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: lidatube - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: lidatube - helm.sh/chart: lidatube-4.4.0 - namespace: lidatube -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: lidatube - app.kubernetes.io/instance: lidatube - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: lidatube - app.kubernetes.io/name: lidatube - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: PUID - value: "1000" - - name: PGID - value: "1000" - - name: lidarr_address - value: http://lidarr.lidarr:80 - - name: lidarr_api_key - valueFrom: - secretKeyRef: - key: lidarr_api_key - name: lidatube-secret - - name: sleep_interval - value: "360" - - name: sync_schedule - value: "4" - - name: attempt_lidarr_import - value: "true" - image: thewicklowwolf/lidatube:0.2.41 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /lidatube/config - name: config - - mountPath: /lidatube/downloads - name: music - volumes: - - name: config - persistentVolumeClaim: - claimName: lidatube-config - - name: music - persistentVolumeClaim: - claimName: lidatube-nfs-storage ---- -# Source: lidatube/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: lidatube-secret - namespace: lidatube - labels: - 
app.kubernetes.io/name: lidatube-secret - app.kubernetes.io/instance: lidatube - app.kubernetes.io/part-of: lidatube -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: lidarr_api_key - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/lidarr2/key - metadataPolicy: None - property: key ---- -# Source: lidatube/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-lidatube - namespace: lidatube - labels: - app.kubernetes.io/name: http-route-lidatube - app.kubernetes.io/instance: lidatube - app.kubernetes.io/part-of: lidatube -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - lidatube.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: lidatube - port: 80 - weight: 100 diff --git a/clusters/cl01tl/manifests/listenarr/listenarr.yaml b/clusters/cl01tl/manifests/listenarr/listenarr.yaml deleted file mode 100644 index 001012d3a..000000000 --- a/clusters/cl01tl/manifests/listenarr/listenarr.yaml +++ /dev/null 
@@ -1,180 +0,0 @@ ---- -# Source: listenarr/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: listenarr-nfs-storage - namespace: listenarr - labels: - app.kubernetes.io/name: listenarr-nfs-storage - app.kubernetes.io/instance: listenarr - app.kubernetes.io/part-of: listenarr -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage/Audiobooks - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: listenarr/charts/listenarr/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: listenarr - labels: - app.kubernetes.io/instance: listenarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: listenarr - helm.sh/chart: listenarr-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: listenarr -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: listenarr/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: listenarr-nfs-storage - namespace: listenarr - labels: - app.kubernetes.io/name: listenarr-nfs-storage - app.kubernetes.io/instance: listenarr - app.kubernetes.io/part-of: listenarr -spec: - volumeName: listenarr-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: listenarr/charts/listenarr/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: listenarr - labels: - app.kubernetes.io/instance: listenarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: listenarr - app.kubernetes.io/service: listenarr - helm.sh/chart: listenarr-4.4.0 - namespace: listenarr -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 5000 - protocol: TCP - name: http - selector: - 
app.kubernetes.io/controller: main - app.kubernetes.io/instance: listenarr - app.kubernetes.io/name: listenarr ---- -# Source: listenarr/charts/listenarr/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: listenarr - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: listenarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: listenarr - helm.sh/chart: listenarr-4.4.0 - namespace: listenarr -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: listenarr - app.kubernetes.io/instance: listenarr - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: listenarr - app.kubernetes.io/name: listenarr - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: LISTENARR_PUBLIC_URL - value: https://listenarr.alexlebens.net - image: therobbiedavis/listenarr:canary-0.2.35 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 50m - memory: 128Mi - volumeMounts: - - mountPath: /app/config - name: config - - mountPath: /data - name: media - volumes: - - name: config - persistentVolumeClaim: - claimName: listenarr - - name: media - persistentVolumeClaim: - claimName: listenarr-nfs-storage ---- -# Source: listenarr/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-listenarr - namespace: listenarr - labels: - app.kubernetes.io/name: http-route-listenarr - app.kubernetes.io/instance: listenarr - app.kubernetes.io/part-of: listenarr -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - listenarr.alexlebens.net - rules: - - matches: - - path: - 
type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: listenarr - port: 80 - weight: 100 diff --git a/clusters/cl01tl/manifests/local-path-provisioner/local-path-provisioner.yaml b/clusters/cl01tl/manifests/local-path-provisioner/local-path-provisioner.yaml deleted file mode 100644 index 582acf97f..000000000 --- a/clusters/cl01tl/manifests/local-path-provisioner/local-path-provisioner.yaml +++ /dev/null 
@@ -1,270 +0,0 @@ ---- -# Source: local-path-provisioner/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: local-path-provisioner - labels: - app.kubernetes.io/name: local-path-provisioner - app.kubernetes.io/instance: local-path-provisioner - app.kubernetes.io/part-of: local-path-provisioner - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged ---- -# Source: local-path-provisioner/charts/local-path-provisioner/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: local-path-provisioner - namespace: local-path-provisioner - labels: - app.kubernetes.io/name: local-path-provisioner - helm.sh/chart: local-path-provisioner-0.0.33 - app.kubernetes.io/instance: local-path-provisioner - app.kubernetes.io/version: "v0.0.32" - app.kubernetes.io/managed-by: Helm -imagePullSecrets: ---- -# Source: local-path-provisioner/charts/local-path-provisioner/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: local-path-config - namespace: local-path-provisioner - labels: - app.kubernetes.io/name: local-path-provisioner - helm.sh/chart: local-path-provisioner-0.0.33 - app.kubernetes.io/instance: local-path-provisioner - app.kubernetes.io/version: "v0.0.32" - app.kubernetes.io/managed-by: Helm -data: - config.json: |- - { - "nodePathMap": [ - { - "node": "talos-2di-ktg", - "paths": [ - "/var/local-path-provisioner" - ] - }, - { - "node": "talos-9vs-6hh", - "paths": [ - "/var/local-path-provisioner" - ] - }, - { - "node": "talos-aoq-hpv", - "paths": [ - "/var/local-path-provisioner" - ] - } - ] - } - setup: |- - #!/bin/sh - set -eu - mkdir -m 0777 -p "$VOL_DIR" - teardown: |- - #!/bin/sh - set -eu - rm -rf "$VOL_DIR" - helperPod.yaml: |- - apiVersion: v1 - kind: Pod - metadata: - name: helper-pod - namespace: local-path-provisioner - spec: - priorityClassName: system-node-critical - tolerations: - - key: 
node.kubernetes.io/disk-pressure - operator: Exists - effect: NoSchedule - containers: - - name: helper-pod - image: busybox:1.37.0 - imagePullPolicy: IfNotPresent - resources: - {} ---- -# Source: local-path-provisioner/charts/local-path-provisioner/templates/storageclass.yaml -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: local-path - labels: - app.kubernetes.io/name: local-path-provisioner - helm.sh/chart: local-path-provisioner-0.0.33 - app.kubernetes.io/instance: local-path-provisioner - app.kubernetes.io/version: "v0.0.32" - app.kubernetes.io/managed-by: Helm - annotations: - storageclass.kubernetes.io/is-default-class: "false" - defaultVolumeType: "hostPath" -provisioner: cluster.local/local-path-provisioner -volumeBindingMode: WaitForFirstConsumer -reclaimPolicy: Delete -allowVolumeExpansion: true ---- -# Source: local-path-provisioner/charts/local-path-provisioner/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: local-path-provisioner - labels: - app.kubernetes.io/name: local-path-provisioner - helm.sh/chart: local-path-provisioner-0.0.33 - app.kubernetes.io/instance: local-path-provisioner - app.kubernetes.io/version: "v0.0.32" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: [""] - resources: ["nodes", "persistentvolumeclaims", "configmaps", "pods", "pods/log"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "patch", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] ---- -# Source: local-path-provisioner/charts/local-path-provisioner/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: local-path-provisioner - labels: - app.kubernetes.io/name: local-path-provisioner - 
helm.sh/chart: local-path-provisioner-0.0.33 - app.kubernetes.io/instance: local-path-provisioner - app.kubernetes.io/version: "v0.0.32" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: local-path-provisioner -subjects: - - kind: ServiceAccount - name: local-path-provisioner - namespace: local-path-provisioner ---- -# Source: local-path-provisioner/charts/local-path-provisioner/templates/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: local-path-provisioner - namespace: local-path-provisioner - labels: - app.kubernetes.io/name: local-path-provisioner - helm.sh/chart: local-path-provisioner-0.0.33 - app.kubernetes.io/instance: local-path-provisioner - app.kubernetes.io/version: "v0.0.32" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch", "create", "patch", "update", "delete"] ---- -# Source: local-path-provisioner/charts/local-path-provisioner/templates/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: local-path-provisioner - namespace: local-path-provisioner - labels: - app.kubernetes.io/name: local-path-provisioner - helm.sh/chart: local-path-provisioner-0.0.33 - app.kubernetes.io/instance: local-path-provisioner - app.kubernetes.io/version: "v0.0.32" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: local-path-provisioner -subjects: - - kind: ServiceAccount - name: local-path-provisioner - namespace: local-path-provisioner ---- -# Source: local-path-provisioner/charts/local-path-provisioner/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: local-path-provisioner - namespace: local-path-provisioner - labels: - app.kubernetes.io/name: local-path-provisioner - helm.sh/chart: local-path-provisioner-0.0.33 - app.kubernetes.io/instance: local-path-provisioner - 
app.kubernetes.io/version: "v0.0.32" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: local-path-provisioner - app.kubernetes.io/instance: local-path-provisioner - template: - metadata: - labels: - app.kubernetes.io/name: local-path-provisioner - helm.sh/chart: local-path-provisioner-0.0.33 - app.kubernetes.io/instance: local-path-provisioner - app.kubernetes.io/version: "v0.0.32" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: local-path-provisioner - securityContext: - {} - containers: - - name: local-path-provisioner - securityContext: - {} - image: "rancher/local-path-provisioner:v0.0.32" - imagePullPolicy: IfNotPresent - command: - - local-path-provisioner - - --debug - - start - - --config - - /etc/config/config.json - - --service-account-name - - local-path-provisioner - - --provisioner-name - - cluster.local/local-path-provisioner - - --helper-image - - "busybox:1.37.0" - - --configmap-name - - local-path-config - volumeMounts: - - name: config-volume - mountPath: /etc/config/ - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_MOUNT_PATH - value: /etc/config/ - resources: - {} - volumes: - - name: config-volume - configMap: - name: local-path-config - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/hostname - operator: In - values: - - talos-2di-ktg - - talos-9vs-6hh - - talos-aoq-hpv diff --git a/clusters/cl01tl/manifests/loki/loki.yaml b/clusters/cl01tl/manifests/loki/loki.yaml deleted file mode 100644 index 41b20d9e2..000000000 --- a/clusters/cl01tl/manifests/loki/loki.yaml +++ /dev/null 
@@ -1,1535 +0,0 @@ ---- -# Source: loki/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: loki - labels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/part-of: loki - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged ---- -# Source: loki/charts/loki/templates/loki-canary/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: loki-canary - namespace: loki - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" - app.kubernetes.io/component: canary -automountServiceAccountToken: true ---- -# Source: loki/charts/loki/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: loki - namespace: loki - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" -automountServiceAccountToken: true ---- -# Source: loki/charts/promtail/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: loki-promtail - namespace: loki - labels: - helm.sh/chart: promtail-6.17.1 - app.kubernetes.io/name: promtail - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.1" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: true ---- -# Source: loki/charts/promtail/templates/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: loki-promtail - namespace: loki - labels: - helm.sh/chart: promtail-6.17.1 - app.kubernetes.io/name: promtail - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.1" - app.kubernetes.io/managed-by: Helm -stringData: - promtail.yaml: | - server: - log_level: info - log_format: logfmt - http_listen_port: 3101 - - - clients: - - tenant_id: 1 - url: http://loki-gateway.loki.svc.cluster.local:80/loki/api/v1/push - - 
positions: - filename: /run/promtail/positions.yaml - - scrape_configs: - # See also https://github.com/grafana/loki/blob/master/production/ksonnet/promtail/scrape_config.libsonnet for reference - - job_name: kubernetes-pods - pipeline_stages: - - cri: {} - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_controller_name - regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})? - action: replace - target_label: __tmp_controller_name - - source_labels: - - __meta_kubernetes_pod_label_app_kubernetes_io_name - - __meta_kubernetes_pod_label_app - - __tmp_controller_name - - __meta_kubernetes_pod_name - regex: ^;*([^;]+)(;.*)?$ - action: replace - target_label: app - - source_labels: - - __meta_kubernetes_pod_label_app_kubernetes_io_instance - - __meta_kubernetes_pod_label_instance - regex: ^;*([^;]+)(;.*)?$ - action: replace - target_label: instance - - source_labels: - - __meta_kubernetes_pod_label_app_kubernetes_io_component - - __meta_kubernetes_pod_label_component - regex: ^;*([^;]+)(;.*)?$ - action: replace - target_label: component - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: node_name - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: namespace - - action: replace - replacement: $1 - separator: / - source_labels: - - namespace - - app - target_label: job - - action: replace - source_labels: - - __meta_kubernetes_pod_name - target_label: pod - - action: replace - source_labels: - - __meta_kubernetes_pod_container_name - target_label: container - - action: replace - replacement: /var/log/pods/*$1/*.log - separator: / - source_labels: - - __meta_kubernetes_pod_uid - - __meta_kubernetes_pod_container_name - target_label: __path__ - - action: replace - regex: true/(.*) - replacement: /var/log/pods/*$1/*.log - separator: / - source_labels: - - __meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash - - 
__meta_kubernetes_pod_annotation_kubernetes_io_config_hash - - __meta_kubernetes_pod_container_name - target_label: __path__ - - - - limits_config: - - - tracing: - enabled: false ---- -# Source: loki/charts/loki/templates/config.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: loki - namespace: loki - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" -data: - config.yaml: | - - auth_enabled: false - bloom_build: - builder: - planner_address: "" - enabled: false - bloom_gateway: - client: - addresses: "" - enabled: false - chunk_store_config: - chunk_cache_config: - background: - writeback_buffer: 500000 - writeback_goroutines: 1 - writeback_size_limit: 500MB - default_validity: 0s - memcached: - batch_size: 4 - parallelism: 5 - memcached_client: - addresses: dnssrvnoa+_memcached-client._tcp.loki-chunks-cache.loki.svc.cluster.local - consistent_hash: true - max_idle_conns: 72 - timeout: 2000ms - common: - compactor_grpc_address: 'loki.loki.svc.cluster.local:9095' - path_prefix: /var/loki - replication_factor: 1 - storage: - filesystem: - chunks_directory: /var/loki/chunks - rules_directory: /var/loki/rules - compactor: - compaction_interval: 10m - delete_request_store: filesystem - retention_delete_delay: 2h - retention_delete_worker_count: 150 - retention_enabled: true - working_directory: /var/loki/compactor - frontend: - scheduler_address: "" - tail_proxy_url: "" - frontend_worker: - scheduler_address: "" - index_gateway: - mode: simple - ingester_client: - pool_config: - remote_timeout: 10s - remote_timeout: 10s - limits_config: - allow_structured_metadata: false - ingestion_burst_size_mb: 1024 - ingestion_rate_mb: 1024 - max_cache_freshness_per_query: 10m - max_streams_per_user: 100000 - query_timeout: 300s - reject_old_samples: true - reject_old_samples_max_age: 168h - retention_period: 7d - split_queries_by_interval: 15m - volume_enabled: true - memberlist: - 
join_members: - - loki-memberlist.loki.svc.cluster.local - pattern_ingester: - enabled: false - query_range: - align_queries_with_step: true - cache_results: true - results_cache: - cache: - background: - writeback_buffer: 500000 - writeback_goroutines: 1 - writeback_size_limit: 500MB - default_validity: 12h - memcached_client: - addresses: dnssrvnoa+_memcached-client._tcp.loki-results-cache.loki.svc.cluster.local - consistent_hash: true - timeout: 500ms - update_interval: 1m - ruler: - storage: - type: local - wal: - dir: /var/loki/ruler-wal - runtime_config: - file: /etc/loki/runtime-config/runtime-config.yaml - schema_config: - configs: - - from: "2024-01-11" - index: - period: 24h - object_store: filesystem - schema: v13 - store: boltdb-shipper - server: - grpc_listen_port: 9095 - http_listen_port: 3100 - http_server_read_timeout: 600s - http_server_write_timeout: 600s - storage_config: - bloom_shipper: - working_directory: /var/loki/data/bloomshipper - boltdb_shipper: - index_gateway_client: - server_address: "" - hedging: - at: 250ms - max_per_second: 20 - up_to: 3 - tsdb_shipper: - index_gateway_client: - server_address: "" - use_thanos_objstore: false - tracing: - enabled: false ---- -# Source: loki/charts/loki/templates/gateway/configmap-gateway.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: loki-gateway - namespace: loki - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" - app.kubernetes.io/component: gateway -data: - nginx.conf: | - worker_processes 5; ## Default: 1 - error_log /dev/stderr; - pid /tmp/nginx.pid; - worker_rlimit_nofile 8192; - - events { - worker_connections 4096; ## Default: 1024 - } - - http { - client_body_temp_path /tmp/client_temp; - proxy_temp_path /tmp/proxy_temp_path; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - - client_max_body_size 4M; - - proxy_read_timeout 600; ## 
10 minutes - proxy_send_timeout 600; - proxy_connect_timeout 600; - - proxy_http_version 1.1; - - default_type application/octet-stream; - log_format main '$remote_addr - $remote_user [$time_local] $status ' - '"$request" $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /dev/stderr main; - - sendfile on; - tcp_nopush on; - resolver kube-dns.kube-system.svc.cluster.local.; - - # if the X-Query-Tags header is empty, set a noop= without a value as empty values are not logged - map $http_x_query_tags $query_tags { - "" "noop="; # When header is empty, set noop= - default $http_x_query_tags; # Otherwise, preserve the original value - } - - server { - listen 8080; - listen [::]:8080; - - location = / { - - return 200 'OK'; - auth_basic off; - } - - ######################################################## - # Configure backend targets - location ^~ /ui { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - - # Distributor - location = /api/prom/push { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - location = /loki/api/v1/push { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - location = /distributor/ring { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - location = /otlp/v1/logs { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - - # Ingester - location = /flush { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - location ^~ /ingester/ { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - location = /ingester { - - internal; # to suppress 301 - } - - # Ring - location = /ring { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - - # MemberListKV - location = /memberlist { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - - # Ruler - location = /ruler/ring { - - proxy_pass 
http://loki.loki.svc.cluster.local:3100$request_uri; - } - location = /api/prom/rules { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - location ^~ /api/prom/rules/ { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - location = /loki/api/v1/rules { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - location ^~ /loki/api/v1/rules/ { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - location = /prometheus/api/v1/alerts { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - location = /prometheus/api/v1/rules { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - - # Compactor - location = /compactor/ring { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - location = /loki/api/v1/delete { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - location = /loki/api/v1/cache/generation_numbers { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - - # IndexGateway - location = /indexgateway/ring { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - - # QueryScheduler - location = /scheduler/ring { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - - # Config - location = /config { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - - - # QueryFrontend, Querier - location = /api/prom/tail { - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - location = /loki/api/v1/tail { - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - location ^~ /api/prom/ { - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - location = /api/prom { - - internal; # to suppress 301 - } - location ^~ 
/loki/api/v1/ { - # pass custom headers set by Grafana as X-Query-Tags which are logged as key/value pairs in metrics.go log messages - proxy_set_header X-Query-Tags "${query_tags},user=${http_x_grafana_user},dashboard_id=${http_x_dashboard_uid},dashboard_title=${http_x_dashboard_title},panel_id=${http_x_panel_id},panel_title=${http_x_panel_title},source_rule_uid=${http_x_rule_uid},rule_name=${http_x_rule_name},rule_folder=${http_x_rule_folder},rule_version=${http_x_rule_version},rule_source=${http_x_rule_source},rule_type=${http_x_rule_type}"; - - proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri; - } - location = /loki/api/v1 { - - internal; # to suppress 301 - } - } - } ---- -# Source: loki/charts/loki/templates/runtime-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: loki-runtime - namespace: loki - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" -data: - runtime-config.yaml: | - {} ---- -# Source: loki/charts/loki/templates/backend/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" - name: loki-clusterrole -rules: -- apiGroups: [""] # "" indicates the core API group - resources: ["configmaps", "secrets"] - verbs: ["get", "watch", "list"] ---- -# Source: loki/charts/promtail/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: loki-promtail - labels: - helm.sh/chart: promtail-6.17.1 - app.kubernetes.io/name: promtail - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.1" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - nodes - - nodes/proxy - - services - - endpoints - - pods - verbs: - - get - - watch - - list ---- -# Source: 
loki/charts/loki/templates/backend/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: loki-clusterrolebinding - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" -subjects: - - kind: ServiceAccount - name: loki - namespace: loki -roleRef: - kind: ClusterRole - name: loki-clusterrole - apiGroup: rbac.authorization.k8s.io ---- -# Source: loki/charts/promtail/templates/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: loki-promtail - labels: - helm.sh/chart: promtail-6.17.1 - app.kubernetes.io/name: promtail - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.1" - app.kubernetes.io/managed-by: Helm -subjects: - - kind: ServiceAccount - name: loki-promtail - namespace: loki -roleRef: - kind: ClusterRole - name: loki-promtail - apiGroup: rbac.authorization.k8s.io ---- -# Source: loki/charts/loki/templates/chunks-cache/service-chunks-cache-headless.yaml -apiVersion: v1 -kind: Service -metadata: - name: loki-chunks-cache - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" - app.kubernetes.io/component: "memcached-chunks-cache" - annotations: - {} - namespace: "loki" -spec: - type: ClusterIP - clusterIP: None - ports: - - name: memcached-client - port: 11211 - targetPort: client - - name: http-metrics - port: 9150 - targetPort: http-metrics - - selector: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: "memcached-chunks-cache" ---- -# Source: loki/charts/loki/templates/gateway/service-gateway.yaml -apiVersion: v1 -kind: Service -metadata: - name: loki-gateway - namespace: loki - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: 
"3.5.7" - app.kubernetes.io/component: gateway - prometheus.io/service-monitor: "false" - annotations: -spec: - type: ClusterIP - ports: - - name: http-metrics - port: 80 - targetPort: http-metrics - protocol: TCP - selector: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: gateway ---- -# Source: loki/charts/loki/templates/loki-canary/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: loki-canary - namespace: loki - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" - app.kubernetes.io/component: canary - annotations: -spec: - type: ClusterIP - ports: - - name: http-metrics - port: 3500 - targetPort: http-metrics - protocol: TCP - selector: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: canary ---- -# Source: loki/charts/loki/templates/results-cache/service-results-cache-headless.yaml -apiVersion: v1 -kind: Service -metadata: - name: loki-results-cache - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" - app.kubernetes.io/component: "memcached-results-cache" - annotations: - {} - namespace: "loki" -spec: - type: ClusterIP - clusterIP: None - ports: - - name: memcached-client - port: 11211 - targetPort: client - - name: http-metrics - port: 9150 - targetPort: http-metrics - - selector: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: "memcached-results-cache" ---- -# Source: loki/charts/loki/templates/service-memberlist.yaml -apiVersion: v1 -kind: Service -metadata: - name: loki-memberlist - namespace: loki - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" - annotations: -spec: - type: ClusterIP - clusterIP: None - ports: - - name: tcp - port: 
7946 - targetPort: http-memberlist - protocol: TCP - selector: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/part-of: memberlist ---- -# Source: loki/charts/loki/templates/single-binary/service-headless.yaml -apiVersion: v1 -kind: Service -metadata: - name: loki-headless - namespace: loki - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" - variant: headless - prometheus.io/service-monitor: "false" - annotations: -spec: - clusterIP: None - ports: - - name: http-metrics - port: 3100 - targetPort: http-metrics - protocol: TCP - selector: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki ---- -# Source: loki/charts/loki/templates/single-binary/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: loki - namespace: loki - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" - annotations: -spec: - type: ClusterIP - ports: - - name: http-metrics - port: 3100 - targetPort: http-metrics - protocol: TCP - - name: grpc - port: 9095 - targetPort: grpc - protocol: TCP - selector: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: single-binary ---- -# Source: loki/charts/promtail/templates/service-metrics.yaml -apiVersion: v1 -kind: Service -metadata: - name: loki-promtail-metrics - namespace: loki - labels: - helm.sh/chart: promtail-6.17.1 - app.kubernetes.io/name: promtail - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.1" - app.kubernetes.io/managed-by: Helm - promtail: 3.0.0 -spec: - clusterIP: None - ports: - - name: http-metrics - port: 3101 - targetPort: http-metrics - protocol: TCP - selector: - app.kubernetes.io/name: promtail - app.kubernetes.io/instance: loki ---- -# Source: loki/charts/loki/templates/loki-canary/daemonset.yaml -apiVersion: apps/v1 -kind: 
DaemonSet -metadata: - name: loki-canary - namespace: loki - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" - app.kubernetes.io/component: canary -spec: - selector: - matchLabels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: canary - updateStrategy: - rollingUpdate: - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - labels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: canary - spec: - serviceAccountName: loki-canary - - securityContext: - fsGroup: 10001 - runAsGroup: 10001 - runAsNonRoot: true - runAsUser: 10001 - containers: - - name: loki-canary - image: docker.io/grafana/loki-canary:3.5.7 - imagePullPolicy: IfNotPresent - args: - - -addr=loki-gateway.loki.svc.cluster.local.:80 - - -labelname=pod - - -labelvalue=$(POD_NAME) - - -push=true - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - ports: - - name: http-metrics - containerPort: 3500 - protocol: TCP - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - readinessProbe: - httpGet: - path: /metrics - port: http-metrics - initialDelaySeconds: 15 - timeoutSeconds: 1 - volumes: ---- -# Source: loki/charts/promtail/templates/daemonset.yaml -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: loki-promtail - namespace: loki - labels: - helm.sh/chart: promtail-6.17.1 - app.kubernetes.io/name: promtail - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.1" - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - app.kubernetes.io/name: promtail - app.kubernetes.io/instance: loki - updateStrategy: - {} - template: - metadata: - labels: - app.kubernetes.io/name: promtail - app.kubernetes.io/instance: loki - annotations: - checksum/config: 
c63810d2a03283062a5987b913985abc93a7e5cb90fde608a9f3ef77cb4e3412 - spec: - serviceAccountName: loki-promtail - automountServiceAccountToken: true - enableServiceLinks: true - securityContext: - runAsGroup: 0 - runAsUser: 0 - containers: - - name: promtail - image: "docker.io/grafana/promtail:3.5.1" - imagePullPolicy: IfNotPresent - args: - - "-config.file=/etc/promtail/promtail.yaml" - volumeMounts: - - name: config - mountPath: /etc/promtail - - mountPath: /run/promtail - name: run - - mountPath: /var/lib/docker/containers - name: containers - readOnly: true - - mountPath: /var/log/pods - name: pods - readOnly: true - env: - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - ports: - - name: http-metrics - containerPort: 3101 - protocol: TCP - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - readinessProbe: - failureThreshold: 5 - httpGet: - path: '/ready' - port: http-metrics - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists - volumes: - - name: config - secret: - secretName: loki-promtail - - hostPath: - path: /run/promtail - name: run - - hostPath: - path: /var/lib/docker/containers - name: containers - - hostPath: - path: /var/log/pods - name: pods ---- -# Source: loki/charts/loki/templates/gateway/deployment-gateway-nginx.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: loki-gateway - namespace: loki - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" - app.kubernetes.io/component: gateway -spec: - replicas: 1 - strategy: - type: RollingUpdate - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: 
loki - app.kubernetes.io/component: gateway - template: - metadata: - annotations: - checksum/config: d76bd0b627b1549dddc6ce5304d9322ebdeb13e5b813234d8067357925630015 - labels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: gateway - spec: - serviceAccountName: loki - enableServiceLinks: true - - securityContext: - fsGroup: 101 - runAsGroup: 101 - runAsNonRoot: true - runAsUser: 101 - terminationGracePeriodSeconds: 30 - containers: - - name: nginx - image: docker.io/nginxinc/nginx-unprivileged:1.29-alpine - imagePullPolicy: IfNotPresent - ports: - - name: http-metrics - containerPort: 8080 - protocol: TCP - readinessProbe: - httpGet: - path: / - port: http-metrics - initialDelaySeconds: 15 - timeoutSeconds: 1 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - name: config - mountPath: /etc/nginx - - name: tmp - mountPath: /tmp - - name: docker-entrypoint-d-override - mountPath: /docker-entrypoint.d - resources: - {} - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/component: gateway - app.kubernetes.io/instance: 'loki' - app.kubernetes.io/name: 'loki' - topologyKey: kubernetes.io/hostname - volumes: - - name: config - configMap: - name: loki-gateway - - name: tmp - emptyDir: {} - - name: docker-entrypoint-d-override - emptyDir: {} ---- -# Source: loki/charts/loki/templates/chunks-cache/statefulset-chunks-cache.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: loki-chunks-cache - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" - app.kubernetes.io/component: "memcached-chunks-cache" - name: "memcached-chunks-cache" - annotations: - {} - namespace: "loki" -spec: - podManagementPolicy: Parallel - replicas: 1 - selector: - matchLabels: - 
app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: "memcached-chunks-cache" - name: "memcached-chunks-cache" - updateStrategy: - type: RollingUpdate - serviceName: loki-chunks-cache - template: - metadata: - labels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: "memcached-chunks-cache" - name: "memcached-chunks-cache" - annotations: - spec: - serviceAccountName: loki - securityContext: - fsGroup: 11211 - runAsGroup: 11211 - runAsNonRoot: true - runAsUser: 11211 - initContainers: - [] - nodeSelector: - {} - affinity: - {} - topologySpreadConstraints: - [] - tolerations: - [] - terminationGracePeriodSeconds: 60 - containers: - - name: memcached - image: memcached:1.6.39-alpine - imagePullPolicy: IfNotPresent - resources: - limits: - memory: 9830Mi - requests: - cpu: 500m - memory: 9830Mi - ports: - - containerPort: 11211 - name: client - args: - - -m 8192 - - --extended=modern,track_sizes - - -I 5m - - -c 16384 - - -v - - -u 11211 - env: - envFrom: - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - readinessProbe: - failureThreshold: 6 - initialDelaySeconds: 5 - periodSeconds: 5 - tcpSocket: - port: client - timeoutSeconds: 3 - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 10 - tcpSocket: - port: client - timeoutSeconds: 5 - - name: exporter - image: prom/memcached-exporter:v0.15.3 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9150 - name: http-metrics - args: - - "--memcached.address=localhost:11211" - - "--web.listen-address=0.0.0.0:9150" - resources: - limits: {} - requests: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - readinessProbe: - failureThreshold: 3 - httpGet: - path: /metrics - port: http-metrics - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 3 - livenessProbe: 
- failureThreshold: 3 - httpGet: - path: /metrics - port: http-metrics - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 ---- -# Source: loki/charts/loki/templates/results-cache/statefulset-results-cache.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: loki-results-cache - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" - app.kubernetes.io/component: "memcached-results-cache" - name: "memcached-results-cache" - annotations: - {} - namespace: "loki" -spec: - podManagementPolicy: Parallel - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: "memcached-results-cache" - name: "memcached-results-cache" - updateStrategy: - type: RollingUpdate - serviceName: loki-results-cache - template: - metadata: - labels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: "memcached-results-cache" - name: "memcached-results-cache" - annotations: - spec: - serviceAccountName: loki - securityContext: - fsGroup: 11211 - runAsGroup: 11211 - runAsNonRoot: true - runAsUser: 11211 - initContainers: - [] - nodeSelector: - {} - affinity: - {} - topologySpreadConstraints: - [] - tolerations: - [] - terminationGracePeriodSeconds: 60 - containers: - - name: memcached - image: memcached:1.6.39-alpine - imagePullPolicy: IfNotPresent - resources: - limits: - memory: 1229Mi - requests: - cpu: 500m - memory: 1229Mi - ports: - - containerPort: 11211 - name: client - args: - - -m 1024 - - --extended=modern,track_sizes - - -I 5m - - -c 16384 - - -v - - -u 11211 - env: - envFrom: - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - readinessProbe: - failureThreshold: 6 - initialDelaySeconds: 5 - periodSeconds: 5 - tcpSocket: - port: client - timeoutSeconds: 3 - livenessProbe: - 
failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 10 - tcpSocket: - port: client - timeoutSeconds: 5 - - name: exporter - image: prom/memcached-exporter:v0.15.3 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9150 - name: http-metrics - args: - - "--memcached.address=localhost:11211" - - "--web.listen-address=0.0.0.0:9150" - resources: - limits: {} - requests: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - readinessProbe: - failureThreshold: 3 - httpGet: - path: /metrics - port: http-metrics - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 3 - livenessProbe: - failureThreshold: 3 - httpGet: - path: /metrics - port: http-metrics - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 ---- -# Source: loki/charts/loki/templates/single-binary/statefulset.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: loki - namespace: loki - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" - app.kubernetes.io/component: single-binary - app.kubernetes.io/part-of: memberlist -spec: - replicas: 1 - podManagementPolicy: Parallel - updateStrategy: - rollingUpdate: - partition: 0 - serviceName: loki-headless - revisionHistoryLimit: 10 - - persistentVolumeClaimRetentionPolicy: - whenDeleted: Delete - whenScaled: Delete - selector: - matchLabels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: single-binary - template: - metadata: - annotations: - checksum/config: 9cded33d7ba292eb76711b451f5ecd9bade13c7fb5ffb5622229f5706f8f90dd - storage/size: "150Gi" - kubectl.kubernetes.io/default-container: "loki" - labels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: single-binary - app.kubernetes.io/part-of: memberlist - spec: - serviceAccountName: loki - 
automountServiceAccountToken: true - enableServiceLinks: true - - securityContext: - fsGroup: 10001 - runAsGroup: 10001 - runAsNonRoot: true - runAsUser: 10001 - terminationGracePeriodSeconds: 30 - containers: - - name: loki - image: docker.io/grafana/loki:3.5.7 - imagePullPolicy: IfNotPresent - args: - - -config.file=/etc/loki/config/config.yaml - - -target=all - ports: - - name: http-metrics - containerPort: 3100 - protocol: TCP - - name: grpc - containerPort: 9095 - protocol: TCP - - name: http-memberlist - containerPort: 7946 - protocol: TCP - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - readinessProbe: - failureThreshold: 3 - httpGet: - path: /ready - port: http-metrics - initialDelaySeconds: 15 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: config - mountPath: /etc/loki/config - - name: runtime-config - mountPath: /etc/loki/runtime-config - - name: storage - mountPath: /var/loki - - name: sc-rules-volume - mountPath: "/rules" - resources: - {} - - name: loki-sc-rules - image: docker.io/kiwigrid/k8s-sidecar:1.30.10 - imagePullPolicy: IfNotPresent - env: - - name: METHOD - value: WATCH - - name: LABEL - value: "loki_rule" - - name: FOLDER - value: "/rules" - - name: RESOURCE - value: "both" - - name: WATCH_SERVER_TIMEOUT - value: "60" - - name: WATCH_CLIENT_TIMEOUT - value: "60" - - name: LOG_LEVEL - value: "INFO" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - name: sc-rules-volume - mountPath: "/rules" - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/component: single-binary - app.kubernetes.io/instance: 'loki' - app.kubernetes.io/name: 'loki' - topologyKey: kubernetes.io/hostname - volumes: - - name: tmp - emptyDir: {} - - name: config - 
configMap: - name: loki - items: - - key: "config.yaml" - path: "config.yaml" - - name: runtime-config - configMap: - name: loki-runtime - - name: sc-rules-volume - emptyDir: {} - volumeClaimTemplates: - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: storage - spec: - accessModes: - - ReadWriteOnce - storageClassName: synology-iscsi-delete - resources: - requests: - storage: "150Gi" ---- -# Source: loki/charts/promtail/templates/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: loki-promtail - labels: - helm.sh/chart: promtail-6.17.1 - app.kubernetes.io/name: promtail - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.1" - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - app.kubernetes.io/name: promtail - app.kubernetes.io/instance: loki - endpoints: - - port: http-metrics - scheme: http ---- -# Source: loki/charts/loki/templates/tests/test-canary.yaml -apiVersion: v1 -kind: Pod -metadata: - name: "loki-helm-test" - namespace: loki - labels: - helm.sh/chart: loki-6.46.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.5.7" - app.kubernetes.io/component: helm-test - annotations: - "helm.sh/hook": test -spec: - containers: - - name: loki-helm-test - image: docker.io/grafana/loki-helm-test:latest - env: - - name: CANARY_SERVICE_ADDRESS - value: "http://loki-canary.loki.svc.cluster.local:3500/metrics" - - name: CANARY_PROMETHEUS_ADDRESS - value: "" - - name: CANARY_TEST_TIMEOUT - value: "1m" - args: - - -test.v - restartPolicy: Never diff --git a/clusters/cl01tl/manifests/mariadb-operator/mariadb-operator.yaml b/clusters/cl01tl/manifests/mariadb-operator/mariadb-operator.yaml deleted file mode 100644 index 94d37f7bf..000000000 --- a/clusters/cl01tl/manifests/mariadb-operator/mariadb-operator.yaml +++ /dev/null 
@@ -1,16053 +0,0 @@ ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/operator/pdb.yaml -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: mariadb-operator - labels: - - helm.sh/chart: mariadb-operator-25.10.2 - app.kubernetes.io/name: mariadb-operator - app.kubernetes.io/instance: mariadb-operator - app.kubernetes.io/version: "25.10.2" - app.kubernetes.io/managed-by: Helm -spec: - maxUnavailable: 1 - selector: - matchLabels: - - app.kubernetes.io/name: mariadb-operator - app.kubernetes.io/instance: mariadb-operator ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/cert-controller/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: mariadb-operator-cert-controller-cert-controller - labels: - helm.sh/chart: mariadb-operator-25.10.2 - app.kubernetes.io/name: mariadb-operator-cert-controller - app.kubernetes.io/instance: mariadb-operator - app.kubernetes.io/version: "25.10.2" - app.kubernetes.io/managed-by: Helm ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/operator/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: mariadb-operator - labels: - helm.sh/chart: mariadb-operator-25.10.2 - app.kubernetes.io/name: mariadb-operator - app.kubernetes.io/instance: mariadb-operator - app.kubernetes.io/version: "25.10.2" - app.kubernetes.io/managed-by: Helm ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/webhook/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: mariadb-operator-webhook - labels: - helm.sh/chart: mariadb-operator-25.10.2 - app.kubernetes.io/name: mariadb-operator-webhook - app.kubernetes.io/instance: mariadb-operator - app.kubernetes.io/version: "25.10.2" - app.kubernetes.io/managed-by: Helm ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/operator/configmap.yaml -apiVersion: v1 -data: - MARIADB_OPERATOR_IMAGE: 
"docker-registry3.mariadb.com/mariadb-operator/mariadb-operator:25.10.2" - MARIADB_GALERA_LIB_PATH: "/usr/lib/galera/libgalera_smm.so" - MARIADB_DEFAULT_VERSION: "11.8" - RELATED_IMAGE_MARIADB: "docker-registry1.mariadb.com/library/mariadb:11.8.2" - RELATED_IMAGE_MARIADB_NAME: "docker-registry1.mariadb.com/library/mariadb" - RELATED_IMAGE_MAXSCALE: "docker-registry2.mariadb.com/mariadb/maxscale:23.08.5" - RELATED_IMAGE_EXPORTER: "prom/mysqld-exporter:v0.15.1" - RELATED_IMAGE_EXPORTER_MAXSCALE: "docker-registry2.mariadb.com/mariadb/maxscale-prometheus-exporter-ubi:v0.0.1" -kind: ConfigMap -metadata: - creationTimestamp: null - name: mariadb-operator-env ---- -# Source: mariadb-operator/charts/mariadb-operator-crds/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: backups.k8s.mariadb.com -spec: - group: k8s.mariadb.com - names: - kind: Backup - listKind: BackupList - plural: backups - shortNames: - - bmdb - singular: backup - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Complete")].status - name: Complete - type: string - - jsonPath: .status.conditions[?(@.type=="Complete")].message - name: Status - type: string - - jsonPath: .spec.mariaDbRef.name - name: MariaDB - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: Backup is the Schema for the backups API. It is used to define - backup jobs and its storage. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BackupSpec defines the desired state of Backup - properties: - affinity: - description: Affinity to be used in the Pod. - properties: - antiAffinityEnabled: - description: |- - AntiAffinityEnabled configures PodAntiAffinity so each Pod is scheduled in a different Node, enabling HA. - Make sure you have at least as many Nodes available as the replicas to not end up with unscheduled Pods. - type: boolean - nodeAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeaffinity-v1-core' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#preferredschedulingterm-v1-core' - properties: - preference: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselector-v1-core' - properties: - nodeSelectorTerms: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - type: object - podAntiAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podantiaffinity-v1-core.' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#weightedpodaffinityterm-v1-core.' - properties: - podAffinityTerm: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector operator - is the set of operators that can be - used in a selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector operator is - the set of operators that can be used in - a selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - args: - description: Args to be used in the Container. - items: - type: string - type: array - backoffLimit: - description: BackoffLimit defines the maximum number of attempts to - successfully take a Backup. - format: int32 - type: integer - compression: - description: Compression algorithm to be used in the Backup. 
- enum: - - none - - bzip2 - - gzip - type: string - databases: - description: Databases defines the logical databases to be backed - up. If not provided, all databases are backed up. - items: - type: string - type: array - failedJobsHistoryLimit: - description: FailedJobsHistoryLimit defines the maximum number of - failed Jobs to be displayed. - format: int32 - minimum: 0 - type: integer - ignoreGlobalPriv: - description: |- - IgnoreGlobalPriv indicates to ignore the mysql.global_priv in backups. - If not provided, it will default to true when the referred MariaDB instance has Galera enabled and otherwise to false. - See: https://github.com/mariadb-operator/mariadb-operator/issues/556 - type: boolean - imagePullSecrets: - description: ImagePullSecrets is the list of pull Secrets to be used - to pull the image. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - type: array - inheritMetadata: - description: InheritMetadata defines the metadata to be inherited - by children resources. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - logLevel: - default: info - description: LogLevel to be used n the Backup Job. It defaults to - 'info'. - type: string - mariaDbRef: - description: MariaDBRef is a reference to a MariaDB object. - properties: - kind: - description: Kind of the referent. - type: string - name: - type: string - namespace: - type: string - waitForIt: - default: true - description: WaitForIt indicates whether the controller using - this reference should wait for MariaDB to be ready. 
- type: boolean - type: object - maxRetention: - description: |- - MaxRetention defines the retention policy for backups. Old backups will be cleaned up by the Backup Job. - It defaults to 30 days. - type: string - nodeSelector: - additionalProperties: - type: string - description: NodeSelector to be used in the Pod. - type: object - podMetadata: - description: PodMetadata defines extra metadata for the Pod. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - podSecurityContext: - description: SecurityContext holds pod-level security attributes and - common container settings. - properties: - appArmorProfile: - description: AppArmorProfile defines a pod or container's AppArmor - settings. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - PodFSGroupChangePolicy holds policies that will be used for applying fsGroup to a volume - when volume is mounted. 
- type: string - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxOptions: - description: SELinuxOptions are the labels to be applied to the - container - properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - SeccompProfile defines a pod/container's seccomp profile settings. - Only one profile source may be set. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - type: object - priorityClassName: - description: PriorityClassName to be used in the Pod. - type: string - resources: - description: Resources describes the compute resource requirements. 
- properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. - type: object - type: object - restartPolicy: - default: OnFailure - description: RestartPolicy to be added to the Backup Pod. - enum: - - Always - - OnFailure - - Never - type: string - schedule: - description: Schedule defines when the Backup will be taken. - properties: - cron: - description: Cron is a cron expression that defines the schedule. - type: string - suspend: - default: false - description: Suspend defines whether the schedule is active or - not. - type: boolean - required: - - cron - type: object - securityContext: - description: SecurityContext holds security configuration that will - be applied to a container. - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - description: Adds and removes POSIX capabilities from running - containers. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - type: boolean - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - type: object - serviceAccountName: - description: ServiceAccountName is the name of the ServiceAccount - to be used by the Pods. - type: string - stagingStorage: - description: |- - StagingStorage defines the temporary storage used to keep external backups (i.e. S3) while they are being processed. - It defaults to an emptyDir volume, meaning that the backups will be temporarily stored in the node where the Backup Job is scheduled. - The staging area gets cleaned up after each backup is completed, consider this for sizing it appropriately. - properties: - persistentVolumeClaim: - description: PersistentVolumeClaim is a Kubernetes PVC specification. - properties: - accessModes: - items: - type: string - type: array - x-kubernetes-list-type: atomic - resources: - description: VolumeResourceRequirements describes the storage - resource requirements for a volume. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - type: string - type: object - volume: - description: Volume is a Kubernetes volume specification. - properties: - csi: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#csivolumesource-v1-core.' - properties: - driver: - type: string - fsType: - type: string - nodePublishSecretRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - readOnly: - type: boolean - volumeAttributes: - additionalProperties: - type: string - type: object - required: - - driver - type: object - emptyDir: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#emptydirvolumesource-v1-core.' - properties: - medium: - description: StorageMedium defines ways that storage can - be allocated to a volume. 
- type: string - sizeLimit: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - hostPath: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#hostpathvolumesource-v1-core' - properties: - path: - type: string - type: - type: string - required: - - path - type: object - nfs: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nfsvolumesource-v1-core.' - properties: - path: - type: string - readOnly: - type: boolean - server: - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#persistentvolumeclaimvolumesource-v1-core.' - properties: - claimName: - type: string - readOnly: - type: boolean - required: - - claimName - type: object - type: object - type: object - storage: - description: Storage defines the final storage for backups. - properties: - persistentVolumeClaim: - description: PersistentVolumeClaim is a Kubernetes PVC specification. - properties: - accessModes: - items: - type: string - type: array - x-kubernetes-list-type: atomic - resources: - description: VolumeResourceRequirements describes the storage - resource requirements for a volume. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - type: string - type: object - s3: - description: S3 defines the configuration to store backups in - a S3 compatible storage. - properties: - accessKeyIdSecretKeyRef: - description: AccessKeyIdSecretKeyRef is a reference to a Secret - key containing the S3 access key id. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - bucket: - description: Bucket is the name Name of the bucket to store - backups. - type: string - endpoint: - description: Endpoint is the S3 API endpoint without scheme. - type: string - prefix: - description: 'Prefix indicates a folder/subfolder in the bucket. - For example: mariadb/ or mariadb/backups. A trailing slash - ''/'' is added if not provided.' - type: string - region: - description: Region is the S3 region name to use. - type: string - secretAccessKeySecretKeyRef: - description: AccessKeyIdSecretKeyRef is a reference to a Secret - key containing the S3 secret key. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - sessionTokenSecretKeyRef: - description: SessionTokenSecretKeyRef is a reference to a - Secret key containing the S3 session token. 
- properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - tls: - description: TLS provides the configuration required to establish - TLS connections with S3. - properties: - caSecretKeyRef: - description: |- - CASecretKeyRef is a reference to a Secret key containing a CA bundle in PEM format used to establish TLS connections with S3. - By default, the system trust chain will be used, but you can use this field to add more CAs to the bundle. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - enabled: - description: Enabled is a flag to enable TLS. - type: boolean - type: object - required: - - bucket - - endpoint - type: object - volume: - description: Volume is a Kubernetes volume specification. - properties: - csi: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#csivolumesource-v1-core.' - properties: - driver: - type: string - fsType: - type: string - nodePublishSecretRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - readOnly: - type: boolean - volumeAttributes: - additionalProperties: - type: string - type: object - required: - - driver - type: object - emptyDir: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#emptydirvolumesource-v1-core.' - properties: - medium: - description: StorageMedium defines ways that storage can - be allocated to a volume. 
- type: string - sizeLimit: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - hostPath: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#hostpathvolumesource-v1-core' - properties: - path: - type: string - type: - type: string - required: - - path - type: object - nfs: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nfsvolumesource-v1-core.' - properties: - path: - type: string - readOnly: - type: boolean - server: - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#persistentvolumeclaimvolumesource-v1-core.' - properties: - claimName: - type: string - readOnly: - type: boolean - required: - - claimName - type: object - type: object - type: object - successfulJobsHistoryLimit: - description: SuccessfulJobsHistoryLimit defines the maximum number - of successful Jobs to be displayed. - format: int32 - minimum: 0 - type: integer - timeZone: - description: TimeZone defines the timezone associated with the cron - expression. - type: string - tolerations: - description: Tolerations to be used in the Pod. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. 
- If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - required: - - mariaDbRef - - storage - type: object - status: - description: BackupStatus defines the observed state of Backup - properties: - conditions: - description: Conditions for the Backup object. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: mariadb-operator/charts/mariadb-operator-crds/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: connections.k8s.mariadb.com -spec: - group: k8s.mariadb.com - names: - kind: Connection - listKind: ConnectionList - plural: connections - shortNames: - - cmdb - singular: connection - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - 
jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: Connection is the Schema for the connections API. It is used - to configure connection strings for the applications connecting to MariaDB. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ConnectionSpec defines the desired state of Connection - properties: - database: - description: Database to use when configuring the Connection. - type: string - healthCheck: - description: HealthCheck to be used in the Connection. - properties: - interval: - description: Interval used to perform health checks. - type: string - retryInterval: - description: RetryInterval is the interval used to perform health - check retries. - type: string - type: object - host: - description: Host to connect to. If not provided, it defaults to the - MariaDB host or to the MaxScale host. - type: string - mariaDbRef: - description: MariaDBRef is a reference to the MariaDB to connect to. - Either MariaDBRef or MaxScaleRef must be provided. - properties: - kind: - description: Kind of the referent. 
- type: string - name: - type: string - namespace: - type: string - waitForIt: - default: true - description: WaitForIt indicates whether the controller using - this reference should wait for MariaDB to be ready. - type: boolean - type: object - maxScaleRef: - description: MaxScaleRef is a reference to the MaxScale to connect - to. Either MariaDBRef or MaxScaleRef must be provided. - properties: - name: - type: string - namespace: - type: string - type: object - params: - additionalProperties: - type: string - description: Params to be used in the Connection. - type: object - passwordSecretKeyRef: - description: |- - PasswordSecretKeyRef is a reference to the password to use for configuring the Connection. - Either passwordSecretKeyRef or tlsClientCertSecretRef must be provided as client credentials. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the password. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - port: - description: Port to connect to. If not provided, it defaults to the - MariaDB port or to the first MaxScale listener. - format: int32 - type: integer - secretName: - description: SecretName to be used in the Connection. - type: string - secretTemplate: - description: SecretTemplate to be used in the Connection. - properties: - databaseKey: - description: DatabaseKey to be used in the Secret. - type: string - format: - description: Format to be used in the Secret. - type: string - hostKey: - description: HostKey to be used in the Secret. - type: string - key: - description: Key to be used in the Secret. - type: string - metadata: - description: Metadata to be added to the Secret object. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. 
- type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - passwordKey: - description: PasswordKey to be used in the Secret. - type: string - portKey: - description: PortKey to be used in the Secret. - type: string - usernameKey: - description: UsernameKey to be used in the Secret. - type: string - type: object - serviceName: - description: ServiceName to be used in the Connection. - type: string - tlsClientCertSecretRef: - description: |- - TLSClientCertSecretRef is a reference to a Kubernetes TLS Secret used as authentication when checking the connection health. - Either passwordSecretKeyRef or tlsClientCertSecretRef must be provided as client credentials. - If not provided, the client certificate provided by the referred MariaDB is used if TLS is enabled. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the client certificate. - properties: - name: - default: "" - type: string - type: object - username: - description: Username to use for configuring the Connection. - type: string - required: - - username - type: object - status: - description: ConnectionStatus defines the observed state of Connection - properties: - conditions: - description: Conditions for the Connection object. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: mariadb-operator/charts/mariadb-operator-crds/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: databases.k8s.mariadb.com -spec: - group: k8s.mariadb.com - names: - kind: Database - listKind: DatabaseList - plural: databases - shortNames: - - dmdb - singular: database - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .spec.characterSet - name: CharSet - type: string - - jsonPath: .spec.collate - name: Collate - type: string - - jsonPath: .spec.mariaDbRef.name - name: MariaDB - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.name - name: Name - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: Database is the Schema for the databases API. It is used to define - a logical database as if you were running a 'CREATE DATABASE' statement. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. 
- Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: DatabaseSpec defines the desired state of Database - properties: - characterSet: - default: utf8 - description: CharacterSet to use in the Database. - type: string - cleanupPolicy: - description: CleanupPolicy defines the behavior for cleaning up a - SQL resource. - enum: - - Skip - - Delete - type: string - collate: - default: utf8_general_ci - description: Collate to use in the Database. - type: string - mariaDbRef: - description: MariaDBRef is a reference to a MariaDB object. - properties: - kind: - description: Kind of the referent. - type: string - name: - type: string - namespace: - type: string - waitForIt: - default: true - description: WaitForIt indicates whether the controller using - this reference should wait for MariaDB to be ready. - type: boolean - type: object - name: - description: Name overrides the default Database name provided by - metadata.name. - maxLength: 80 - type: string - requeueInterval: - description: RequeueInterval is used to perform requeue reconciliations. - type: string - retryInterval: - description: RetryInterval is the interval used to perform retries. - type: string - required: - - mariaDbRef - type: object - status: - description: DatabaseStatus defines the observed state of Database - properties: - conditions: - description: Conditions for the Database object. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: mariadb-operator/charts/mariadb-operator-crds/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: externalmariadbs.k8s.mariadb.com -spec: - group: k8s.mariadb.com - names: - kind: ExternalMariaDB - listKind: ExternalMariaDBList - plural: externalmariadbs - shortNames: - - emdb - singular: externalmariadb - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalMariaDB is the Schema for the external MariaDBs API. - It is used to define external MariaDB server. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalMariaDBSpec defines the desired state of an External - MariaDB - properties: - connection: - description: Connection defines a template to configure a Connection - for the external MariaDB. - properties: - healthCheck: - description: HealthCheck to be used in the Connection. - properties: - interval: - description: Interval used to perform health checks. - type: string - retryInterval: - description: RetryInterval is the interval used to perform - health check retries. - type: string - type: object - params: - additionalProperties: - type: string - description: Params to be used in the Connection. - type: object - port: - description: Port to connect to. If not provided, it defaults - to the MariaDB port or to the first MaxScale listener. - format: int32 - type: integer - secretName: - description: SecretName to be used in the Connection. - type: string - secretTemplate: - description: SecretTemplate to be used in the Connection. - properties: - databaseKey: - description: DatabaseKey to be used in the Secret. - type: string - format: - description: Format to be used in the Secret. - type: string - hostKey: - description: HostKey to be used in the Secret. - type: string - key: - description: Key to be used in the Secret. - type: string - metadata: - description: Metadata to be added to the Secret object. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - passwordKey: - description: PasswordKey to be used in the Secret. - type: string - portKey: - description: PortKey to be used in the Secret. 
- type: string - usernameKey: - description: UsernameKey to be used in the Secret. - type: string - type: object - serviceName: - description: ServiceName to be used in the Connection. - type: string - type: object - host: - description: Hostname of the external MariaDB. - type: string - image: - description: |- - Image name to be used to perform operations on the external MariaDB, for example, for taking backups. - The supported format is `:`. Only MariaDB official images are supported. - If not provided, the MariaDB image version be inferred by the operator in runtime. The default MariaDB image will be used in this case, - type: string - imagePullPolicy: - description: ImagePullPolicy is the image pull policy. One of `Always`, - `Never` or `IfNotPresent`. If not defined, it defaults to `IfNotPresent`. - enum: - - Always - - Never - - IfNotPresent - type: string - imagePullSecrets: - description: ImagePullSecrets is the list of pull Secrets to be used - to pull the image. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - type: array - inheritMetadata: - description: InheritMetadata defines the metadata to be inherited - by children resources. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - passwordSecretKeyRef: - description: PasswordSecretKeyRef is a reference to the password to - connect to the external MariaDB. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - port: - default: 3306 - description: Port of the external MariaDB. 
- format: int32 - type: integer - tls: - description: TLS defines the PKI to be used with the external MariaDB. - properties: - clientCASecretRef: - description: |- - ClientCASecretRef is a reference to a Secret containing the client certificate authority keypair. It is used to establish trust and issue client certificates. - One of: - - Secret containing both the 'ca.crt' and 'ca.key' keys. This allows you to bring your own CA to Kubernetes to issue certificates. - - Secret containing only the 'ca.crt' in order to establish trust. In this case, either clientCertSecretRef or clientCertIssuerRef fields must be provided. - If not provided, a self-signed CA will be provisioned to issue the client certificate. - properties: - name: - default: "" - type: string - type: object - clientCertIssuerRef: - description: |- - ClientCertIssuerRef is a reference to a cert-manager issuer object used to issue the client certificate. cert-manager must be installed previously in the cluster. - It is mutually exclusive with clientCertSecretRef. - By default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via clientCASecretRef. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - clientCertSecretRef: - description: |- - ClientCertSecretRef is a reference to a TLS Secret containing the client certificate. - It is mutually exclusive with clientCertIssuerRef. - properties: - name: - default: "" - type: string - type: object - enabled: - description: |- - Enabled indicates whether TLS is enabled, determining if certificates should be issued and mounted to the MariaDB instance. - It is enabled by default. 
- type: boolean - galeraSSTEnabled: - description: |- - GaleraSSTEnabled determines whether Galera SST connections should use TLS. - It disabled by default. - type: boolean - required: - description: |- - Required specifies whether TLS must be enforced for all connections. - User TLS requirements take precedence over this. - It disabled by default. - type: boolean - serverCASecretRef: - description: |- - ServerCASecretRef is a reference to a Secret containing the server certificate authority keypair. It is used to establish trust and issue server certificates. - One of: - - Secret containing both the 'ca.crt' and 'ca.key' keys. This allows you to bring your own CA to Kubernetes to issue certificates. - - Secret containing only the 'ca.crt' in order to establish trust. In this case, either serverCertSecretRef or serverCertIssuerRef must be provided. - If not provided, a self-signed CA will be provisioned to issue the server certificate. - properties: - name: - default: "" - type: string - type: object - serverCertIssuerRef: - description: |- - ServerCertIssuerRef is a reference to a cert-manager issuer object used to issue the server certificate. cert-manager must be installed previously in the cluster. - It is mutually exclusive with serverCertSecretRef. - By default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via serverCASecretRef. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - serverCertSecretRef: - description: |- - ServerCertSecretRef is a reference to a TLS Secret containing the server certificate. - It is mutually exclusive with serverCertIssuerRef. 
- properties: - name: - default: "" - type: string - type: object - type: object - username: - description: Username is the username to connect to the external MariaDB. - type: string - required: - - host - - username - type: object - status: - description: ExternalMariaDBStatus defines the observed state of MariaDB - properties: - conditions: - description: Conditions for the ExternalMariadb object. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - isGaleraEnabled: - description: IsGaleraEnabled indicates that the external MariaDb has - Galera enabled. - type: boolean - version: - description: Version of the external MariaDB server. - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: mariadb-operator/charts/mariadb-operator-crds/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: grants.k8s.mariadb.com -spec: - group: k8s.mariadb.com - names: - kind: Grant - listKind: GrantList - plural: grants - shortNames: - - gmdb - singular: grant - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .spec.database - name: Database - type: string - - jsonPath: .spec.table - name: Table - type: string - - jsonPath: .spec.username - name: Username - type: string - - jsonPath: .spec.grantOption - name: GrantOpt - type: string - - jsonPath: .spec.mariaDbRef.name - name: MariaDB - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: Grant is the Schema for the grants API. It is used to define - grants as if you were running a 'GRANT' statement. 
- properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GrantSpec defines the desired state of Grant - properties: - cleanupPolicy: - description: CleanupPolicy defines the behavior for cleaning up a - SQL resource. - enum: - - Skip - - Delete - type: string - database: - default: '*' - description: Database to use in the Grant. - type: string - grantOption: - default: false - description: GrantOption to use in the Grant. - type: boolean - host: - description: Host to use in the Grant. It can be localhost, an IP - or '%'. - type: string - mariaDbRef: - description: MariaDBRef is a reference to a MariaDB object. - properties: - kind: - description: Kind of the referent. - type: string - name: - type: string - namespace: - type: string - waitForIt: - default: true - description: WaitForIt indicates whether the controller using - this reference should wait for MariaDB to be ready. - type: boolean - type: object - privileges: - description: Privileges to use in the Grant. - items: - type: string - minItems: 1 - type: array - requeueInterval: - description: RequeueInterval is used to perform requeue reconciliations. - type: string - retryInterval: - description: RetryInterval is the interval used to perform retries. 
- type: string - table: - default: '*' - description: Table to use in the Grant. - type: string - username: - description: Username to use in the Grant. - type: string - required: - - mariaDbRef - - privileges - - username - type: object - status: - description: GrantStatus defines the observed state of Grant - properties: - conditions: - description: Conditions for the Grant object. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - currentPrivileges: - description: |- - CurrentPrivileges is the list of current privileges used in the Grant. - It allows to detect the divergence from the desired privileges. - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: mariadb-operator/charts/mariadb-operator-crds/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: mariadbs.k8s.mariadb.com -spec: - group: k8s.mariadb.com - names: - kind: MariaDB - listKind: MariaDBList - plural: mariadbs - shortNames: - - mdb - singular: mariadb - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .status.currentPrimary - name: Primary - type: string - - jsonPath: .spec.updateStrategy.type - name: Updates - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: MariaDB is the Schema for the mariadbs API. It is used to define - MariaDB clusters. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: MariaDBSpec defines the desired state of MariaDB - properties: - affinity: - description: Affinity to be used in the Pod. - properties: - antiAffinityEnabled: - description: |- - AntiAffinityEnabled configures PodAntiAffinity so each Pod is scheduled in a different Node, enabling HA. - Make sure you have at least as many Nodes available as the replicas to not end up with unscheduled Pods. - type: boolean - nodeAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeaffinity-v1-core' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#preferredschedulingterm-v1-core' - properties: - preference: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselector-v1-core' - properties: - nodeSelectorTerms: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - type: object - podAntiAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podantiaffinity-v1-core.' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#weightedpodaffinityterm-v1-core.' - properties: - podAffinityTerm: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector operator - is the set of operators that can be - used in a selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector operator is - the set of operators that can be used in - a selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - args: - description: Args to be used in the Container. - items: - type: string - type: array - bootstrapFrom: - description: BootstrapFrom defines a source to bootstrap from. - properties: - backupContentType: - description: |- - BackupContentType is the backup content type available in the source to bootstrap from. 
- It is inferred based on the BackupRef and VolumeSnapshotRef fields. If inference is not possible, it defaults to Logical. - Set this field explicitly when using physical backups from S3 or Volume sources. - enum: - - Logical - - Physical - type: string - backupRef: - description: |- - BackupRef is reference to a backup object. If the Kind is not specified, a logical Backup is assumed. - This field takes precedence over S3 and Volume sources. - properties: - kind: - description: Kind of the referent. - type: string - name: - description: Name of the referent. - type: string - type: object - restoreJob: - description: RestoreJob defines additional properties for the - Job used to perform the restoration. - properties: - affinity: - description: Affinity to be used in the Pod. - properties: - antiAffinityEnabled: - description: |- - AntiAffinityEnabled configures PodAntiAffinity so each Pod is scheduled in a different Node, enabling HA. - Make sure you have at least as many Nodes available as the replicas to not end up with unscheduled Pods. - type: boolean - nodeAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeaffinity-v1-core' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#preferredschedulingterm-v1-core' - properties: - preference: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselector-v1-core' - properties: - nodeSelectorTerms: - items: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - type: object - podAntiAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podantiaffinity-v1-core.' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#weightedpodaffinityterm-v1-core.' - properties: - podAffinityTerm: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector - operator is the set of operators - that can be used in a selector - requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector operator - is the set of operators that can - be used in a selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - args: - description: Args to be used in the Container. - items: - type: string - type: array - metadata: - description: Metadata defines additional metadata for the - bootstrap Jobs. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. 
- type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector to be used in the Pod. - type: object - resources: - description: Resources describes the compute resource requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - type: object - tolerations: - description: Tolerations to be used in the Pod. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. 
- type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - s3: - description: |- - S3 defines the configuration to restore backups from a S3 compatible storage. - This field takes precedence over the Volume source. - properties: - accessKeyIdSecretKeyRef: - description: AccessKeyIdSecretKeyRef is a reference to a Secret - key containing the S3 access key id. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - bucket: - description: Bucket is the name Name of the bucket to store - backups. - type: string - endpoint: - description: Endpoint is the S3 API endpoint without scheme. - type: string - prefix: - description: 'Prefix indicates a folder/subfolder in the bucket. - For example: mariadb/ or mariadb/backups. A trailing slash - ''/'' is added if not provided.' - type: string - region: - description: Region is the S3 region name to use. - type: string - secretAccessKeySecretKeyRef: - description: AccessKeyIdSecretKeyRef is a reference to a Secret - key containing the S3 secret key. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - sessionTokenSecretKeyRef: - description: SessionTokenSecretKeyRef is a reference to a - Secret key containing the S3 session token. 
- properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - tls: - description: TLS provides the configuration required to establish - TLS connections with S3. - properties: - caSecretKeyRef: - description: |- - CASecretKeyRef is a reference to a Secret key containing a CA bundle in PEM format used to establish TLS connections with S3. - By default, the system trust chain will be used, but you can use this field to add more CAs to the bundle. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - enabled: - description: Enabled is a flag to enable TLS. - type: boolean - type: object - required: - - bucket - - endpoint - type: object - stagingStorage: - description: |- - StagingStorage defines the temporary storage used to keep external backups (i.e. S3) while they are being processed. - It defaults to an emptyDir volume, meaning that the backups will be temporarily stored in the node where the Job is scheduled. - properties: - persistentVolumeClaim: - description: PersistentVolumeClaim is a Kubernetes PVC specification. - properties: - accessModes: - items: - type: string - type: array - x-kubernetes-list-type: atomic - resources: - description: VolumeResourceRequirements describes the - storage resource requirements for a volume. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - type: string - type: object - volume: - description: Volume is a Kubernetes volume specification. - properties: - csi: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#csivolumesource-v1-core.' - properties: - driver: - type: string - fsType: - type: string - nodePublishSecretRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - readOnly: - type: boolean - volumeAttributes: - additionalProperties: - type: string - type: object - required: - - driver - type: object - emptyDir: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#emptydirvolumesource-v1-core.' - properties: - medium: - description: StorageMedium defines ways that storage - can be allocated to a volume. 
- type: string - sizeLimit: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - hostPath: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#hostpathvolumesource-v1-core' - properties: - path: - type: string - type: - type: string - required: - - path - type: object - nfs: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nfsvolumesource-v1-core.' - properties: - path: - type: string - readOnly: - type: boolean - server: - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#persistentvolumeclaimvolumesource-v1-core.' - properties: - claimName: - type: string - readOnly: - type: boolean - required: - - claimName - type: object - type: object - type: object - targetRecoveryTime: - description: |- - TargetRecoveryTime is a RFC3339 (1970-01-01T00:00:00Z) date and time that defines the point in time recovery objective. - It is used to determine the closest restoration source in time. - format: date-time - type: string - volume: - description: Volume is a Kubernetes Volume object that contains - a backup. - properties: - csi: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#csivolumesource-v1-core.' - properties: - driver: - type: string - fsType: - type: string - nodePublishSecretRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' 
- properties: - name: - default: "" - type: string - type: object - readOnly: - type: boolean - volumeAttributes: - additionalProperties: - type: string - type: object - required: - - driver - type: object - emptyDir: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#emptydirvolumesource-v1-core.' - properties: - medium: - description: StorageMedium defines ways that storage can - be allocated to a volume. - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - hostPath: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#hostpathvolumesource-v1-core' - properties: - path: - type: string - type: - type: string - required: - - path - type: object - nfs: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nfsvolumesource-v1-core.' - properties: - path: - type: string - readOnly: - type: boolean - server: - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#persistentvolumeclaimvolumesource-v1-core.' - properties: - claimName: - type: string - readOnly: - type: boolean - required: - - claimName - type: object - type: object - volumeSnapshotRef: - description: |- - VolumeSnapshotRef is a reference to a VolumeSnapshot object. - This field takes precedence over S3 and Volume sources. - properties: - name: - default: "" - type: string - type: object - type: object - command: - description: Command to be used in the Container. 
- items: - type: string - type: array - connection: - description: |- - Connection defines a template to configure the general Connection object. - This Connection provides the initial User access to the initial Database. - It will make use of the Service to route network traffic to all Pods. - properties: - healthCheck: - description: HealthCheck to be used in the Connection. - properties: - interval: - description: Interval used to perform health checks. - type: string - retryInterval: - description: RetryInterval is the interval used to perform - health check retries. - type: string - type: object - params: - additionalProperties: - type: string - description: Params to be used in the Connection. - type: object - port: - description: Port to connect to. If not provided, it defaults - to the MariaDB port or to the first MaxScale listener. - format: int32 - type: integer - secretName: - description: SecretName to be used in the Connection. - type: string - secretTemplate: - description: SecretTemplate to be used in the Connection. - properties: - databaseKey: - description: DatabaseKey to be used in the Secret. - type: string - format: - description: Format to be used in the Secret. - type: string - hostKey: - description: HostKey to be used in the Secret. - type: string - key: - description: Key to be used in the Secret. - type: string - metadata: - description: Metadata to be added to the Secret object. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - passwordKey: - description: PasswordKey to be used in the Secret. - type: string - portKey: - description: PortKey to be used in the Secret. - type: string - usernameKey: - description: UsernameKey to be used in the Secret. 
- type: string - type: object - serviceName: - description: ServiceName to be used in the Connection. - type: string - type: object - database: - description: Database is the name of the initial Database. - type: string - env: - description: Env represents the environment variables to be injected - in a container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envvarsource-v1-core.' - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - type: string - valueFrom: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envvarsource-v1-core.' - properties: - configMapKeyRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#configmapkeyselector-v1-core.' - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#objectfieldselector-v1-core.' - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#secretkeyselector-v1-core.' - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - envFrom: - description: EnvFrom represents the references (via ConfigMap and - Secrets) to environment variables to be injected in the container. 
- items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envfromsource-v1-core.' - properties: - configMapRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - prefix: - type: string - secretRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - type: object - type: array - galera: - description: Replication configures high availability via Galera. - properties: - agent: - description: Agent is a sidecar agent that co-operates with mariadb-operator. - properties: - args: - description: Args to be used in the Container. - items: - type: string - type: array - basicAuth: - description: BasicAuth to be used by the agent container - properties: - enabled: - description: Enabled is a flag to enable BasicAuth - type: boolean - passwordSecretKeyRef: - description: PasswordSecretKeyRef to be used for basic - authentication - properties: - generate: - default: false - description: Generate indicates whether the Secret - should be generated if the Secret referenced is - not present. - type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: Username to be used for basic authentication - type: string - type: object - command: - description: Command to be used in the Container. - items: - type: string - type: array - env: - description: Env represents the environment variables to be - injected in a container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envvarsource-v1-core.' 
- properties: - name: - description: Name of the environment variable. Must - be a C_IDENTIFIER. - type: string - value: - type: string - valueFrom: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envvarsource-v1-core.' - properties: - configMapKeyRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#configmapkeyselector-v1-core.' - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#objectfieldselector-v1-core.' - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#secretkeyselector-v1-core.' - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - envFrom: - description: EnvFrom represents the references (via ConfigMap - and Secrets) to environment variables to be injected in - the container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envfromsource-v1-core.' - properties: - configMapRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - prefix: - type: string - secretRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' 
- properties: - name: - default: "" - type: string - type: object - type: object - type: array - gracefulShutdownTimeout: - description: GracefulShutdownTimeout is the time we give to - the agent container in order to gracefully terminate in-flight - requests. - type: string - image: - description: Image name to be used by the MariaDB instances. - The supported format is `:`. - type: string - imagePullPolicy: - description: ImagePullPolicy is the image pull policy. One - of `Always`, `Never` or `IfNotPresent`. If not defined, - it defaults to `IfNotPresent`. - enum: - - Always - - Never - - IfNotPresent - type: string - kubernetesAuth: - description: KubernetesAuth to be used by the agent container - properties: - authDelegatorRoleName: - description: |- - AuthDelegatorRoleName is the name of the ClusterRoleBinding that is associated with the "system:auth-delegator" ClusterRole. - It is necessary for creating TokenReview objects in order for the agent to validate the service account token. - type: string - enabled: - description: Enabled is a flag to enable KubernetesAuth - type: boolean - type: object - livenessProbe: - description: LivenessProbe to be used in the Container. - properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' 
- properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used - for connection to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - port: - description: Port where the agent will be listening for API - connections. - format: int32 - type: integer - probePort: - description: Port where the agent will be listening for probe - connections. - format: int32 - type: integer - readinessProbe: - description: ReadinessProbe to be used in the Container. - properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' 
- properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used - for connection to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - resources: - description: Resources describes the compute resource requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - type: object - securityContext: - description: SecurityContext holds security configuration - that will be applied to a container. - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - description: Adds and removes POSIX capabilities from - running containers. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - type: boolean - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - type: object - startupProbe: - description: StartupProbe to be used in the Container. - properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' - properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used - for connection to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' 
- properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - volumeMounts: - description: VolumeMounts to be used in the Container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#volumemount-v1-core.' - properties: - mountPath: - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - type: boolean - subPath: - type: string - required: - - mountPath - - name - type: object - type: array - type: object - availableWhenDonor: - description: AvailableWhenDonor indicates whether a donor node - should be responding to queries. It defaults to false. - type: boolean - config: - description: GaleraConfig defines storage options for the Galera - configuration files. - properties: - reuseStorageVolume: - description: |- - ReuseStorageVolume indicates that storage volume used by MariaDB should be reused to store the Galera configuration files. - It defaults to false, which implies that a dedicated volume for the Galera configuration files is provisioned. - type: boolean - volumeClaimTemplate: - description: VolumeClaimTemplate is a template for the PVC - that will contain the Galera configuration files shared - between the InitContainer, Agent and MariaDB. - properties: - accessModes: - items: - type: string - type: array - x-kubernetes-list-type: atomic - metadata: - description: Metadata to be added to the PVC metadata. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. 
- type: object - type: object - resources: - description: VolumeResourceRequirements describes the - storage resource requirements for a volume. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. 
- Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - type: string - type: object - type: object - enabled: - description: Enabled is a flag to enable Galera. - type: boolean - galeraLibPath: - description: |- - GaleraLibPath is a path inside the MariaDB image to the wsrep provider plugin. It is defaulted if not provided. - More info: https://galeracluster.com/library/documentation/mysql-wsrep-options.html#wsrep-provider. - type: string - initContainer: - description: InitContainer is an init container that runs in the - MariaDB Pod and co-operates with mariadb-operator. - properties: - args: - description: Args to be used in the Container. - items: - type: string - type: array - command: - description: Command to be used in the Container. - items: - type: string - type: array - env: - description: Env represents the environment variables to be - injected in a container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envvarsource-v1-core.' - properties: - name: - description: Name of the environment variable. 
Must - be a C_IDENTIFIER. - type: string - value: - type: string - valueFrom: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envvarsource-v1-core.' - properties: - configMapKeyRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#configmapkeyselector-v1-core.' - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#objectfieldselector-v1-core.' - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#secretkeyselector-v1-core.' - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - envFrom: - description: EnvFrom represents the references (via ConfigMap - and Secrets) to environment variables to be injected in - the container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envfromsource-v1-core.' - properties: - configMapRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - prefix: - type: string - secretRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' 
- properties: - name: - default: "" - type: string - type: object - type: object - type: array - image: - description: Image name to be used by the MariaDB instances. - The supported format is `:`. - type: string - imagePullPolicy: - description: ImagePullPolicy is the image pull policy. One - of `Always`, `Never` or `IfNotPresent`. If not defined, - it defaults to `IfNotPresent`. - enum: - - Always - - Never - - IfNotPresent - type: string - livenessProbe: - description: LivenessProbe to be used in the Container. - properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' - properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used - for connection to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - readinessProbe: - description: ReadinessProbe to be used in the Container. 
- properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' - properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used - for connection to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - resources: - description: Resources describes the compute resource requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. 
- type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - type: object - securityContext: - description: SecurityContext holds security configuration - that will be applied to a container. - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - description: Adds and removes POSIX capabilities from - running containers. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - type: boolean - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - type: object - startupProbe: - description: StartupProbe to be used in the Container. - properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' 
- properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used - for connection to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - volumeMounts: - description: VolumeMounts to be used in the Container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#volumemount-v1-core.' - properties: - mountPath: - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - type: boolean - subPath: - type: string - required: - - mountPath - - name - type: object - type: array - required: - - image - type: object - initJob: - description: InitJob defines a Job that co-operates with mariadb-operator - by performing initialization tasks. - properties: - metadata: - description: Metadata defines additional metadata for the - Galera init Job. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - resources: - description: Resources describes the compute resource requirements. 
- properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - type: object - type: object - primary: - description: Primary is the Galera configuration for the primary - node. - properties: - autoFailover: - description: AutoFailover indicates whether the operator should - automatically update PodIndex to perform an automatic primary - failover. - type: boolean - podIndex: - description: PodIndex is the StatefulSet index of the primary - node. The user may change this field to perform a manual - switchover. - type: integer - type: object - providerOptions: - additionalProperties: - type: string - description: |- - ProviderOptions is map of Galera configuration parameters. - More info: https://mariadb.com/kb/en/galera-cluster-system-variables/#wsrep_provider_options. - type: object - recovery: - description: |- - GaleraRecovery is the recovery process performed by the operator whenever the Galera cluster is not healthy. - More info: https://galeracluster.com/library/documentation/crash-recovery.html. - properties: - clusterBootstrapTimeout: - description: |- - ClusterBootstrapTimeout is the time limit for bootstrapping a cluster. - Once this timeout is reached, the Galera recovery state is reset and a new cluster bootstrap will be attempted. 
- type: string - clusterDownscaleTimeout: - description: ClusterDownscaleTimeout represents the maximum - duration for downscaling the cluster's StatefulSet during - the recovery process. - type: string - clusterHealthyTimeout: - description: |- - ClusterHealthyTimeout represents the duration at which a Galera cluster, that consistently failed health checks, - is considered unhealthy, and consequently the Galera recovery process will be initiated by the operator. - type: string - clusterMonitorInterval: - description: ClusterMonitorInterval represents the interval - used to monitor the Galera cluster health. - type: string - clusterUpscaleTimeout: - description: ClusterUpscaleTimeout represents the maximum - duration for upscaling the cluster's StatefulSet during - the recovery process. - type: string - enabled: - description: Enabled is a flag to enable GaleraRecovery. - type: boolean - forceClusterBootstrapInPod: - description: |- - ForceClusterBootstrapInPod allows you to manually initiate the bootstrap process in a specific Pod. - IMPORTANT: Use this option only in exceptional circumstances. Not selecting the Pod with the highest sequence number may result in data loss. - IMPORTANT: Ensure you unset this field after completing the bootstrap to allow the operator to choose the appropriate Pod to bootstrap from in an event of cluster recovery. - type: string - job: - description: Job defines a Job that co-operates with mariadb-operator - by performing the Galera cluster recovery . - properties: - metadata: - description: Metadata defines additional metadata for - the Galera recovery Jobs. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. 
- type: object - type: object - podAffinity: - description: PodAffinity indicates whether the recovery - Jobs should run in the same Node as the MariaDB Pods. - It defaults to true. - type: boolean - resources: - description: Resources describes the compute resource - requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - type: object - type: object - minClusterSize: - anyOf: - - type: integer - - type: string - description: |- - MinClusterSize is the minimum number of replicas to consider the cluster healthy. It can be either a number of replicas (1) or a percentage (50%). - If Galera consistently reports less replicas than this value for the given 'ClusterHealthyTimeout' interval, a cluster recovery is iniated. - It defaults to '1' replica, and it is highly recommendeded to keep this value at '1' in most cases. - If set to more than one replica, the cluster recovery process may restart the healthy replicas as well. - x-kubernetes-int-or-string: true - podRecoveryTimeout: - description: PodRecoveryTimeout is the time limit for recevorying - the sequence of a Pod during the cluster recovery. - type: string - podSyncTimeout: - description: PodSyncTimeout is the time limit for a Pod to - join the cluster after having performed a cluster bootstrap - during the cluster recovery. 
- type: string - type: object - replicaThreads: - description: |- - ReplicaThreads is the number of replica threads used to apply Galera write sets in parallel. - More info: https://mariadb.com/kb/en/galera-cluster-system-variables/#wsrep_slave_threads. - type: integer - sst: - description: |- - SST is the Snapshot State Transfer used when new Pods join the cluster. - More info: https://galeracluster.com/library/documentation/sst.html. - enum: - - rsync - - mariabackup - - mysqldump - type: string - type: object - image: - description: |- - Image name to be used by the MariaDB instances. The supported format is `:`. - Only MariaDB official images are supported. - type: string - imagePullPolicy: - description: ImagePullPolicy is the image pull policy. One of `Always`, - `Never` or `IfNotPresent`. If not defined, it defaults to `IfNotPresent`. - enum: - - Always - - Never - - IfNotPresent - type: string - imagePullSecrets: - description: ImagePullSecrets is the list of pull Secrets to be used - to pull the image. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - type: array - inheritMetadata: - description: InheritMetadata defines the metadata to be inherited - by children resources. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - initContainers: - description: InitContainers to be used in the Pod. - items: - description: Container object definition. - properties: - args: - description: Args to be used in the Container. - items: - type: string - type: array - command: - description: Command to be used in the Container. 
- items: - type: string - type: array - env: - description: Env represents the environment variables to be - injected in a container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envvarsource-v1-core.' - properties: - name: - description: Name of the environment variable. Must be - a C_IDENTIFIER. - type: string - value: - type: string - valueFrom: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envvarsource-v1-core.' - properties: - configMapKeyRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#configmapkeyselector-v1-core.' - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#objectfieldselector-v1-core.' - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#secretkeyselector-v1-core.' - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - description: Image name to be used by the container. The supported - format is `:`. - type: string - imagePullPolicy: - description: ImagePullPolicy is the image pull policy. One of - `Always`, `Never` or `IfNotPresent`. If not defined, it defaults - to `IfNotPresent`. - enum: - - Always - - Never - - IfNotPresent - type: string - name: - description: Name to be given to the container. 
- type: string - resources: - description: Resources describes the compute resource requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. - type: object - type: object - volumeMounts: - description: VolumeMounts to be used in the Container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#volumemount-v1-core.' - properties: - mountPath: - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - type: boolean - subPath: - type: string - required: - - mountPath - - name - type: object - type: array - required: - - image - type: object - type: array - livenessProbe: - description: LivenessProbe to be used in the Container. - properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' 
- properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used for connection - to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - maxScale: - description: |- - MaxScale is the MaxScale specification that defines the MaxScale resource to be used with the current MariaDB. - When enabling this field, MaxScaleRef is automatically set. - properties: - admin: - description: Admin configures the admin REST API and GUI. - properties: - guiEnabled: - description: GuiEnabled indicates whether the admin GUI should - be enabled. - type: boolean - port: - description: Port where the admin REST API and GUI will be - exposed. - format: int32 - type: integer - type: object - auth: - description: Auth defines the credentials required for MaxScale - to connect to MariaDB. - properties: - adminPasswordSecretKeyRef: - description: AdminPasswordSecretKeyRef is Secret key reference - to the admin password to call the admin REST API. It is - defaulted if not provided. - properties: - generate: - default: false - description: Generate indicates whether the Secret should - be generated if the Secret referenced is not present. 
- type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - adminUsername: - description: AdminUsername is an admin username to call the - admin REST API. It is defaulted if not provided. - type: string - clientMaxConnections: - description: |- - ClientMaxConnections defines the maximum number of connections that the client can establish. - If HA is enabled, make sure to increase this value, as more MaxScale replicas implies more connections. - It defaults to 30 times the number of MaxScale replicas. - format: int32 - type: integer - clientPasswordSecretKeyRef: - description: |- - ClientPasswordSecretKeyRef is Secret key reference to the password to connect to MaxScale. It is defaulted if not provided. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the password. - properties: - generate: - default: false - description: Generate indicates whether the Secret should - be generated if the Secret referenced is not present. - type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - clientUsername: - description: ClientUsername is the user to connect to MaxScale. - It is defaulted if not provided. - type: string - deleteDefaultAdmin: - description: DeleteDefaultAdmin determines whether the default - admin user should be deleted after the initial configuration. - If not provided, it defaults to true. - type: boolean - generate: - description: |- - Generate defies whether the operator should generate users and grants for MaxScale to work. - It only supports MariaDBs specified via spec.mariaDbRef. - type: boolean - metricsPasswordSecretKeyRef: - description: MetricsPasswordSecretKeyRef is Secret key reference - to the metrics password to call the admib REST API. It is - defaulted if metrics are enabled. 
- properties: - generate: - default: false - description: Generate indicates whether the Secret should - be generated if the Secret referenced is not present. - type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - metricsUsername: - description: MetricsUsername is an metrics username to call - the REST API. It is defaulted if metrics are enabled. - type: string - monitorMaxConnections: - description: |- - MonitorMaxConnections defines the maximum number of connections that the monitor can establish. - If HA is enabled, make sure to increase this value, as more MaxScale replicas implies more connections. - It defaults to 30 times the number of MaxScale replicas. - format: int32 - type: integer - monitorPasswordSecretKeyRef: - description: |- - MonitorPasswordSecretKeyRef is Secret key reference to the password used by MaxScale monitor to connect to MariaDB server. It is defaulted if not provided. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the password. - properties: - generate: - default: false - description: Generate indicates whether the Secret should - be generated if the Secret referenced is not present. - type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - monitorUsername: - description: MonitorUsername is the user used by MaxScale - monitor to connect to MariaDB server. It is defaulted if - not provided. - type: string - serverMaxConnections: - description: |- - ServerMaxConnections defines the maximum number of connections that the server can establish. - If HA is enabled, make sure to increase this value, as more MaxScale replicas implies more connections. - It defaults to 30 times the number of MaxScale replicas. 
- format: int32 - type: integer - serverPasswordSecretKeyRef: - description: |- - ServerPasswordSecretKeyRef is Secret key reference to the password used by MaxScale to connect to MariaDB server. It is defaulted if not provided. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the password. - properties: - generate: - default: false - description: Generate indicates whether the Secret should - be generated if the Secret referenced is not present. - type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - serverUsername: - description: ServerUsername is the user used by MaxScale to - connect to MariaDB server. It is defaulted if not provided. - type: string - syncMaxConnections: - description: |- - SyncMaxConnections defines the maximum number of connections that the sync can establish. - If HA is enabled, make sure to increase this value, as more MaxScale replicas implies more connections. - It defaults to 30 times the number of MaxScale replicas. - format: int32 - type: integer - syncPasswordSecretKeyRef: - description: |- - SyncPasswordSecretKeyRef is Secret key reference to the password used by MaxScale config to connect to MariaDB server. It is defaulted when HA is enabled. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the password. - properties: - generate: - default: false - description: Generate indicates whether the Secret should - be generated if the Secret referenced is not present. - type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - syncUsername: - description: MonitoSyncUsernamerUsername is the user used - by MaxScale config sync to connect to MariaDB server. It - is defaulted when HA is enabled. 
- type: string - type: object - config: - description: Config defines the MaxScale configuration. - properties: - params: - additionalProperties: - type: string - description: |- - Params is a key value pair of parameters to be used in the MaxScale static configuration file. - Any parameter supported by MaxScale may be specified here. See reference: - https://mariadb.com/kb/en/mariadb-maxscale-2308-mariadb-maxscale-configuration-guide/#global-settings. - type: object - sync: - description: Sync defines how to replicate configuration across - MaxScale replicas. It is defaulted when HA is enabled. - properties: - database: - description: Database is the MariaDB logical database - where the 'maxscale_config' table will be created in - order to persist and synchronize config changes. If - not provided, it defaults to 'mysql'. - type: string - interval: - description: Interval defines the config synchronization - interval. It is defaulted if not provided. - type: string - timeout: - description: Interval defines the config synchronization - timeout. It is defaulted if not provided. - type: string - type: object - volumeClaimTemplate: - description: VolumeClaimTemplate provides a template to define - the PVCs for storing MaxScale runtime configuration files. - It is defaulted if not provided. - properties: - accessModes: - items: - type: string - type: array - x-kubernetes-list-type: atomic - metadata: - description: Metadata to be added to the PVC metadata. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - resources: - description: VolumeResourceRequirements describes the - storage resource requirements for a volume. 
- properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. 
If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - type: string - type: object - type: object - connection: - description: Connection provides a template to define the Connection - for MaxScale. - properties: - healthCheck: - description: HealthCheck to be used in the Connection. - properties: - interval: - description: Interval used to perform health checks. - type: string - retryInterval: - description: RetryInterval is the interval used to perform - health check retries. - type: string - type: object - params: - additionalProperties: - type: string - description: Params to be used in the Connection. - type: object - port: - description: Port to connect to. If not provided, it defaults - to the MariaDB port or to the first MaxScale listener. - format: int32 - type: integer - secretName: - description: SecretName to be used in the Connection. - type: string - secretTemplate: - description: SecretTemplate to be used in the Connection. - properties: - databaseKey: - description: DatabaseKey to be used in the Secret. - type: string - format: - description: Format to be used in the Secret. - type: string - hostKey: - description: HostKey to be used in the Secret. - type: string - key: - description: Key to be used in the Secret. 
- type: string - metadata: - description: Metadata to be added to the Secret object. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - passwordKey: - description: PasswordKey to be used in the Secret. - type: string - portKey: - description: PortKey to be used in the Secret. - type: string - usernameKey: - description: UsernameKey to be used in the Secret. - type: string - type: object - serviceName: - description: ServiceName to be used in the Connection. - type: string - type: object - enabled: - description: Enabled is a flag to enable a MaxScale instance to - be used with the current MariaDB. - type: boolean - guiKubernetesService: - description: GuiKubernetesService define a template for a Kubernetes - Service object to connect to MaxScale's GUI. - properties: - allocateLoadBalancerNodePorts: - description: AllocateLoadBalancerNodePorts Service field. - type: boolean - externalTrafficPolicy: - description: ExternalTrafficPolicy Service field. - type: string - loadBalancerIP: - description: LoadBalancerIP Service field. - type: string - loadBalancerSourceRanges: - description: LoadBalancerSourceRanges Service field. - items: - type: string - type: array - metadata: - description: Metadata to be added to the Service metadata. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - sessionAffinity: - description: SessionAffinity Service field. - type: string - type: - default: ClusterIP - description: Type is the Service type. One of `ClusterIP`, - `NodePort` or `LoadBalancer`. 
If not defined, it defaults - to `ClusterIP`. - enum: - - ClusterIP - - NodePort - - LoadBalancer - type: string - type: object - image: - description: |- - Image name to be used by the MaxScale instances. The supported format is `:`. - Only MariaDB official images are supported. - type: string - imagePullPolicy: - description: ImagePullPolicy is the image pull policy. One of - `Always`, `Never` or `IfNotPresent`. If not defined, it defaults - to `IfNotPresent`. - enum: - - Always - - Never - - IfNotPresent - type: string - kubernetesService: - description: KubernetesService defines a template for a Kubernetes - Service object to connect to MaxScale. - properties: - allocateLoadBalancerNodePorts: - description: AllocateLoadBalancerNodePorts Service field. - type: boolean - externalTrafficPolicy: - description: ExternalTrafficPolicy Service field. - type: string - loadBalancerIP: - description: LoadBalancerIP Service field. - type: string - loadBalancerSourceRanges: - description: LoadBalancerSourceRanges Service field. - items: - type: string - type: array - metadata: - description: Metadata to be added to the Service metadata. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - sessionAffinity: - description: SessionAffinity Service field. - type: string - type: - default: ClusterIP - description: Type is the Service type. One of `ClusterIP`, - `NodePort` or `LoadBalancer`. If not defined, it defaults - to `ClusterIP`. - enum: - - ClusterIP - - NodePort - - LoadBalancer - type: string - type: object - metrics: - description: Metrics configures metrics and how to scrape them. 
- properties: - enabled: - description: Enabled is a flag to enable Metrics - type: boolean - exporter: - description: Exporter defines the metrics exporter container. - properties: - affinity: - description: Affinity to be used in the Pod. - properties: - antiAffinityEnabled: - description: |- - AntiAffinityEnabled configures PodAntiAffinity so each Pod is scheduled in a different Node, enabling HA. - Make sure you have at least as many Nodes available as the replicas to not end up with unscheduled Pods. - type: boolean - nodeAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeaffinity-v1-core' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#preferredschedulingterm-v1-core' - properties: - preference: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselector-v1-core' - properties: - nodeSelectorTerms: - items: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - type: object - podAntiAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podantiaffinity-v1-core.' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#weightedpodaffinityterm-v1-core.' - properties: - podAffinityTerm: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector - operator is the set of operators - that can be used in a selector - requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector - operator is the set of operators - that can be used in a selector - requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - args: - description: Args to be used in the Container. - items: - type: string - type: array - image: - description: |- - Image name to be used as metrics exporter. The supported format is `:`. 
- Only mysqld-exporter >= v0.15.0 is supported: https://github.com/prometheus/mysqld_exporter - type: string - imagePullPolicy: - description: ImagePullPolicy is the image pull policy. - One of `Always`, `Never` or `IfNotPresent`. If not defined, - it defaults to `IfNotPresent`. - enum: - - Always - - Never - - IfNotPresent - type: string - imagePullSecrets: - description: ImagePullSecrets is the list of pull Secrets - to be used to pull the image. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - type: array - nodeSelector: - additionalProperties: - type: string - description: NodeSelector to be used in the Pod. - type: object - podMetadata: - description: PodMetadata defines extra metadata for the - Pod. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - podSecurityContext: - description: SecurityContext holds pod-level security - attributes and common container settings. - properties: - appArmorProfile: - description: AppArmorProfile defines a pod or container's - AppArmor settings. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. 
- type: string - required: - - type - type: object - fsGroup: - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - PodFSGroupChangePolicy holds policies that will be used for applying fsGroup to a volume - when volume is mounted. - type: string - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxOptions: - description: SELinuxOptions are the labels to be applied - to the container - properties: - level: - description: Level is SELinux level label that - applies to the container. - type: string - role: - description: Role is a SELinux role label that - applies to the container. - type: string - type: - description: Type is a SELinux type label that - applies to the container. - type: string - user: - description: User is a SELinux user label that - applies to the container. - type: string - type: object - seccompProfile: - description: |- - SeccompProfile defines a pod/container's seccomp profile settings. - Only one profile source may be set. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - type: object - port: - description: Port where the exporter will be listening - for connections. 
- format: int32 - type: integer - priorityClassName: - description: PriorityClassName to be used in the Pod. - type: string - resources: - description: Resources describes the compute resource - requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - type: object - securityContext: - description: SecurityContext holds container-level security - attributes. - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - description: Adds and removes POSIX capabilities from - running containers. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - type: boolean - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - type: object - tolerations: - description: Tolerations to be used in the Pod. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . 
- properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - serviceMonitor: - description: ServiceMonitor defines the ServiceMonior object. - properties: - interval: - description: Interval for scraping metrics. - type: string - jobLabel: - description: JobLabel to add to the ServiceMonitor object. - type: string - prometheusRelease: - description: PrometheusRelease is the release label to - add to the ServiceMonitor object. - type: string - scrapeTimeout: - description: ScrapeTimeout defines the timeout for scraping - metrics. - type: string - type: object - type: object - monitor: - description: Monitor monitors MariaDB server instances. 
- properties: - cooperativeMonitoring: - description: CooperativeMonitoring enables coordination between - multiple MaxScale instances running monitors. It is defaulted - when HA is enabled. - enum: - - majority_of_all - - majority_of_running - type: string - interval: - description: Interval used to monitor MariaDB servers. It - is defaulted if not provided. - type: string - module: - description: Module is the module to use to monitor MariaDB - servers. It is mandatory when no MariaDB reference is provided. - type: string - name: - description: Name is the identifier of the monitor. It is - defaulted if not provided. - type: string - params: - additionalProperties: - type: string - description: |- - Params defines extra parameters to pass to the monitor. - Any parameter supported by MaxScale may be specified here. See reference: - https://mariadb.com/kb/en/mariadb-maxscale-2308-common-monitor-parameters/. - Monitor specific parameter are also supported: - https://mariadb.com/kb/en/mariadb-maxscale-2308-galera-monitor/#galera-monitor-optional-parameters. - https://mariadb.com/kb/en/mariadb-maxscale-2308-mariadb-monitor/#configuration. - type: object - suspend: - default: false - description: |- - Suspend indicates whether the current resource should be suspended or not. - This can be useful for maintenance, as disabling the reconciliation prevents the operator from interfering with user operations during maintenance activities. - type: boolean - type: object - podDisruptionBudget: - description: PodDisruptionBudget defines the budget for replica - availability. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: MaxUnavailable defines the number of maximum - unavailable Pods. - x-kubernetes-int-or-string: true - minAvailable: - anyOf: - - type: integer - - type: string - description: MinAvailable defines the number of minimum available - Pods. 
- x-kubernetes-int-or-string: true - type: object - replicas: - description: Replicas indicates the number of desired instances. - format: int32 - type: integer - requeueInterval: - description: RequeueInterval is used to perform requeue reconciliations. - type: string - services: - description: Services define how the traffic is forwarded to the - MariaDB servers. - items: - description: Services define how the traffic is forwarded to - the MariaDB servers. - properties: - listener: - description: MaxScaleListener defines how the MaxScale server - will listen for connections. - properties: - name: - description: Name is the identifier of the listener. - It is defaulted if not provided - type: string - params: - additionalProperties: - type: string - description: |- - Params defines extra parameters to pass to the listener. - Any parameter supported by MaxScale may be specified here. See reference: - https://mariadb.com/kb/en/mariadb-maxscale-2308-mariadb-maxscale-configuration-guide/#listener_1. - type: object - port: - description: Port is the network port where the MaxScale - server will listen. - format: int32 - type: integer - protocol: - description: Protocol is the MaxScale protocol to use - when communicating with the client. If not provided, - it defaults to MariaDBProtocol. - type: string - suspend: - default: false - description: |- - Suspend indicates whether the current resource should be suspended or not. - This can be useful for maintenance, as disabling the reconciliation prevents the operator from interfering with user operations during maintenance activities. - type: boolean - required: - - port - type: object - name: - description: Name is the identifier of the MaxScale service. - type: string - params: - additionalProperties: - type: string - description: |- - Params defines extra parameters to pass to the service. - Any parameter supported by MaxScale may be specified here. 
See reference: - https://mariadb.com/kb/en/mariadb-maxscale-2308-mariadb-maxscale-configuration-guide/#service_1. - Router specific parameter are also supported: - https://mariadb.com/kb/en/mariadb-maxscale-2308-readwritesplit/#configuration. - https://mariadb.com/kb/en/mariadb-maxscale-2308-readconnroute/#configuration. - type: object - router: - description: Router is the type of router to use. - enum: - - readwritesplit - - readconnroute - type: string - suspend: - default: false - description: |- - Suspend indicates whether the current resource should be suspended or not. - This can be useful for maintenance, as disabling the reconciliation prevents the operator from interfering with user operations during maintenance activities. - type: boolean - required: - - listener - - name - - router - type: object - type: array - tls: - description: TLS defines the PKI to be used with MaxScale. - properties: - adminCASecretRef: - description: |- - AdminCASecretRef is a reference to a Secret containing the admin certificate authority keypair. It is used to establish trust and issue certificates for the MaxScale's administrative REST API and GUI. - One of: - - Secret containing both the 'ca.crt' and 'ca.key' keys. This allows you to bring your own CA to Kubernetes to issue certificates. - - Secret containing only the 'ca.crt' in order to establish trust. In this case, either adminCertSecretRef or adminCertIssuerRef fields must be provided. - If not provided, a self-signed CA will be provisioned to issue the server certificate. - properties: - name: - default: "" - type: string - type: object - adminCertIssuerRef: - description: |- - AdminCertIssuerRef is a reference to a cert-manager issuer object used to issue the MaxScale's administrative REST API and GUI certificate. cert-manager must be installed previously in the cluster. - It is mutually exclusive with adminCertSecretRef. 
- By default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via adminCASecretRef. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - adminCertSecretRef: - description: AdminCertSecretRef is a reference to a TLS Secret - used by the MaxScale's administrative REST API and GUI. - properties: - name: - default: "" - type: string - type: object - enabled: - description: |- - Enabled indicates whether TLS is enabled, determining if certificates should be issued and mounted to the MaxScale instance. - It is enabled by default when the referred MariaDB instance (via mariaDbRef) has TLS enabled and enforced. - type: boolean - listenerCASecretRef: - description: |- - ListenerCASecretRef is a reference to a Secret containing the listener certificate authority keypair. It is used to establish trust and issue certificates for the MaxScale's listeners. - One of: - - Secret containing both the 'ca.crt' and 'ca.key' keys. This allows you to bring your own CA to Kubernetes to issue certificates. - - Secret containing only the 'ca.crt' in order to establish trust. In this case, either listenerCertSecretRef or listenerCertIssuerRef fields must be provided. - If not provided, a self-signed CA will be provisioned to issue the listener certificate. - properties: - name: - default: "" - type: string - type: object - listenerCertIssuerRef: - description: |- - ListenerCertIssuerRef is a reference to a cert-manager issuer object used to issue the MaxScale's listeners certificate. cert-manager must be installed previously in the cluster. - It is mutually exclusive with listenerCertSecretRef. 
- By default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via listenerCASecretRef. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - listenerCertSecretRef: - description: ListenerCertSecretRef is a reference to a TLS - Secret used by the MaxScale's listeners. - properties: - name: - default: "" - type: string - type: object - replicationSSLEnabled: - description: |- - ReplicationSSLEnabled specifies whether the replication SSL is enabled. If enabled, the SSL options will be added to the server configuration. - It is enabled by default when the referred MariaDB instance (via mariaDbRef) has replication enabled. - If the MariaDB servers are manually provided by the user via the 'servers' field, this must be set by the user as well. - type: boolean - serverCASecretRef: - description: |- - ServerCASecretRef is a reference to a Secret containing the MariaDB server CA certificates. It is used to establish trust with MariaDB servers. - The Secret should contain a 'ca.crt' key in order to establish trust. - If not provided, and the reference to a MariaDB resource is set (mariaDbRef), it will be defaulted to the referred MariaDB CA bundle. - properties: - name: - default: "" - type: string - type: object - serverCertSecretRef: - description: |- - ServerCertSecretRef is a reference to a TLS Secret used by MaxScale to connect to the MariaDB servers. - If not provided, and the reference to a MariaDB resource is set (mariaDbRef), it will be defaulted to the referred MariaDB client certificate (clientCertSecretRef). 
- properties: - name: - default: "" - type: string - type: object - verifyPeerCertificate: - description: |- - VerifyPeerCertificate specifies whether the peer certificate's signature should be validated against the CA. - It is disabled by default. - type: boolean - verifyPeerHost: - description: |- - VerifyPeerHost specifies whether the peer certificate's SANs should match the peer host. - It is disabled by default. - type: boolean - type: object - updateStrategy: - description: UpdateStrategy defines the update strategy for the - StatefulSet object. - properties: - rollingUpdate: - description: RollingUpdate is used to communicate parameters - when Type is RollingUpdateStatefulSetStrategyType. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding up. This can not be 0. - Defaults to 1. This field is alpha-level and is only honored by servers that enable the - MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to - Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it - will be counted towards MaxUnavailable. - x-kubernetes-int-or-string: true - partition: - description: |- - Partition indicates the ordinal at which the StatefulSet should be partitioned - for updates. During a rolling update, all pods from ordinal Replicas-1 to - Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. - This is helpful in being able to do a canary based deployment. The default value is 0. - format: int32 - type: integer - type: object - type: - description: |- - Type indicates the type of the StatefulSetUpdateStrategy. - Default is RollingUpdate. 
- type: string - type: object - type: object - maxScaleRef: - description: |- - MaxScaleRef is a reference to a MaxScale resource to be used with the current MariaDB. - Providing this field implies delegating high availability tasks such as primary failover to MaxScale. - properties: - name: - type: string - namespace: - type: string - type: object - metrics: - description: Metrics configures metrics and how to scrape them. - properties: - enabled: - description: Enabled is a flag to enable Metrics - type: boolean - exporter: - description: Exporter defines the metrics exporter container. - properties: - affinity: - description: Affinity to be used in the Pod. - properties: - antiAffinityEnabled: - description: |- - AntiAffinityEnabled configures PodAntiAffinity so each Pod is scheduled in a different Node, enabling HA. - Make sure you have at least as many Nodes available as the replicas to not end up with unscheduled Pods. - type: boolean - nodeAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeaffinity-v1-core' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#preferredschedulingterm-v1-core' - properties: - preference: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselector-v1-core' - properties: - nodeSelectorTerms: - items: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - type: object - podAntiAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podantiaffinity-v1-core.' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#weightedpodaffinityterm-v1-core.' - properties: - podAffinityTerm: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector - operator is the set of operators - that can be used in a selector - requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector operator - is the set of operators that can - be used in a selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - args: - description: Args to be used in the Container. - items: - type: string - type: array - image: - description: |- - Image name to be used as metrics exporter. The supported format is `:`. 
- Only mysqld-exporter >= v0.15.0 is supported: https://github.com/prometheus/mysqld_exporter - type: string - imagePullPolicy: - description: ImagePullPolicy is the image pull policy. One - of `Always`, `Never` or `IfNotPresent`. If not defined, - it defaults to `IfNotPresent`. - enum: - - Always - - Never - - IfNotPresent - type: string - imagePullSecrets: - description: ImagePullSecrets is the list of pull Secrets - to be used to pull the image. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - type: array - nodeSelector: - additionalProperties: - type: string - description: NodeSelector to be used in the Pod. - type: object - podMetadata: - description: PodMetadata defines extra metadata for the Pod. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - podSecurityContext: - description: SecurityContext holds pod-level security attributes - and common container settings. - properties: - appArmorProfile: - description: AppArmorProfile defines a pod or container's - AppArmor settings. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. 
- type: string - required: - - type - type: object - fsGroup: - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - PodFSGroupChangePolicy holds policies that will be used for applying fsGroup to a volume - when volume is mounted. - type: string - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxOptions: - description: SELinuxOptions are the labels to be applied - to the container - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - SeccompProfile defines a pod/container's seccomp profile settings. - Only one profile source may be set. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - type: object - port: - description: Port where the exporter will be listening for - connections. 
- format: int32 - type: integer - priorityClassName: - description: PriorityClassName to be used in the Pod. - type: string - resources: - description: Resources describes the compute resource requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - type: object - securityContext: - description: SecurityContext holds container-level security - attributes. - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - description: Adds and removes POSIX capabilities from - running containers. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - type: boolean - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - type: object - tolerations: - description: Tolerations to be used in the Pod. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . 
- properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - passwordSecretKeyRef: - description: |- - PasswordSecretKeyRef is a reference to the password of the monitoring user used by the exporter. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the password. - properties: - generate: - default: false - description: Generate indicates whether the Secret should - be generated if the Secret referenced is not present. 
- type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - serviceMonitor: - description: ServiceMonitor defines the ServiceMonior object. - properties: - interval: - description: Interval for scraping metrics. - type: string - jobLabel: - description: JobLabel to add to the ServiceMonitor object. - type: string - prometheusRelease: - description: PrometheusRelease is the release label to add - to the ServiceMonitor object. - type: string - scrapeTimeout: - description: ScrapeTimeout defines the timeout for scraping - metrics. - type: string - type: object - username: - description: Username is the username of the monitoring user used - by the exporter. - type: string - type: object - myCnf: - description: |- - MyCnf allows to specify the my.cnf file mounted by Mariadb. - Updating this field will trigger an update to the Mariadb resource. - type: string - myCnfConfigMapKeyRef: - description: |- - MyCnfConfigMapKeyRef is a reference to the my.cnf config file provided via a ConfigMap. - If not provided, it will be defaulted with a reference to a ConfigMap containing the MyCnf field. - If the referred ConfigMap is labeled with "k8s.mariadb.com/watch", an update to the Mariadb resource will be triggered when the ConfigMap is updated. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - nodeSelector: - additionalProperties: - type: string - description: NodeSelector to be used in the Pod. - type: object - passwordHashSecretKeyRef: - description: |- - PasswordHashSecretKeyRef is a reference to the password hash to be used by the initial User. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the password hash. 
- properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - passwordPlugin: - description: PasswordPlugin is a reference to the password plugin - and arguments to be used by the initial User. - properties: - pluginArgSecretKeyRef: - description: |- - PluginArgSecretKeyRef is a reference to the arguments to be provided to the authentication plugin for the User. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the authentication plugin arguments. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - pluginNameSecretKeyRef: - description: |- - PluginNameSecretKeyRef is a reference to the authentication plugin to be used by the User. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the authentication plugin. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - passwordSecretKeyRef: - description: |- - PasswordSecretKeyRef is a reference to a Secret that contains the password to be used by the initial User. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the password. - properties: - generate: - default: false - description: Generate indicates whether the Secret should be generated - if the Secret referenced is not present. - type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - podDisruptionBudget: - description: PodDisruptionBudget defines the budget for replica availability. 
- properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: MaxUnavailable defines the number of maximum unavailable - Pods. - x-kubernetes-int-or-string: true - minAvailable: - anyOf: - - type: integer - - type: string - description: MinAvailable defines the number of minimum available - Pods. - x-kubernetes-int-or-string: true - type: object - podMetadata: - description: PodMetadata defines extra metadata for the Pod. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - podSecurityContext: - description: SecurityContext holds pod-level security attributes and - common container settings. - properties: - appArmorProfile: - description: AppArmorProfile defines a pod or container's AppArmor - settings. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - PodFSGroupChangePolicy holds policies that will be used for applying fsGroup to a volume - when volume is mounted. 
- type: string - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxOptions: - description: SELinuxOptions are the labels to be applied to the - container - properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - SeccompProfile defines a pod/container's seccomp profile settings. - Only one profile source may be set. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - type: object - port: - default: 3306 - description: Port where the instances will be listening for connections. - format: int32 - type: integer - primaryConnection: - description: |- - PrimaryConnection defines a template to configure the primary Connection object. - This Connection provides the initial User access to the initial Database. 
- It will make use of the PrimaryService to route network traffic to the primary Pod. - properties: - healthCheck: - description: HealthCheck to be used in the Connection. - properties: - interval: - description: Interval used to perform health checks. - type: string - retryInterval: - description: RetryInterval is the interval used to perform - health check retries. - type: string - type: object - params: - additionalProperties: - type: string - description: Params to be used in the Connection. - type: object - port: - description: Port to connect to. If not provided, it defaults - to the MariaDB port or to the first MaxScale listener. - format: int32 - type: integer - secretName: - description: SecretName to be used in the Connection. - type: string - secretTemplate: - description: SecretTemplate to be used in the Connection. - properties: - databaseKey: - description: DatabaseKey to be used in the Secret. - type: string - format: - description: Format to be used in the Secret. - type: string - hostKey: - description: HostKey to be used in the Secret. - type: string - key: - description: Key to be used in the Secret. - type: string - metadata: - description: Metadata to be added to the Secret object. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - passwordKey: - description: PasswordKey to be used in the Secret. - type: string - portKey: - description: PortKey to be used in the Secret. - type: string - usernameKey: - description: UsernameKey to be used in the Secret. - type: string - type: object - serviceName: - description: ServiceName to be used in the Connection. - type: string - type: object - primaryService: - description: |- - PrimaryService defines a template to configure the primary Service object. 
- The network traffic of this Service will be routed to the primary Pod. - properties: - allocateLoadBalancerNodePorts: - description: AllocateLoadBalancerNodePorts Service field. - type: boolean - externalTrafficPolicy: - description: ExternalTrafficPolicy Service field. - type: string - loadBalancerIP: - description: LoadBalancerIP Service field. - type: string - loadBalancerSourceRanges: - description: LoadBalancerSourceRanges Service field. - items: - type: string - type: array - metadata: - description: Metadata to be added to the Service metadata. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - sessionAffinity: - description: SessionAffinity Service field. - type: string - type: - default: ClusterIP - description: Type is the Service type. One of `ClusterIP`, `NodePort` - or `LoadBalancer`. If not defined, it defaults to `ClusterIP`. - enum: - - ClusterIP - - NodePort - - LoadBalancer - type: string - type: object - priorityClassName: - description: PriorityClassName to be used in the Pod. - type: string - readinessProbe: - description: ReadinessProbe to be used in the Container. - properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' 
- properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used for connection - to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - replicas: - default: 1 - description: Replicas indicates the number of desired instances. - format: int32 - type: integer - replicasAllowEvenNumber: - default: false - description: disables the validation check for an odd number of replicas. - type: boolean - replication: - description: Replication configures high availability via replication. - This feature is still in alpha, use Galera if you are looking for - a more production-ready HA. - properties: - agent: - description: Agent is a sidecar agent that runs in the MariaDB - Pod and co-operates with mariadb-operator. - properties: - args: - description: Args to be used in the Container. - items: - type: string - type: array - basicAuth: - description: BasicAuth to be used by the agent container - properties: - enabled: - description: Enabled is a flag to enable BasicAuth - type: boolean - passwordSecretKeyRef: - description: PasswordSecretKeyRef to be used for basic - authentication - properties: - generate: - default: false - description: Generate indicates whether the Secret - should be generated if the Secret referenced is - not present. 
- type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: Username to be used for basic authentication - type: string - type: object - command: - description: Command to be used in the Container. - items: - type: string - type: array - env: - description: Env represents the environment variables to be - injected in a container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envvarsource-v1-core.' - properties: - name: - description: Name of the environment variable. Must - be a C_IDENTIFIER. - type: string - value: - type: string - valueFrom: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envvarsource-v1-core.' - properties: - configMapKeyRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#configmapkeyselector-v1-core.' - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#objectfieldselector-v1-core.' - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#secretkeyselector-v1-core.' 
- properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - envFrom: - description: EnvFrom represents the references (via ConfigMap - and Secrets) to environment variables to be injected in - the container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envfromsource-v1-core.' - properties: - configMapRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - prefix: - type: string - secretRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - type: object - type: array - gracefulShutdownTimeout: - description: GracefulShutdownTimeout is the time we give to - the agent container in order to gracefully terminate in-flight - requests. - type: string - image: - description: Image name to be used by the MariaDB instances. - The supported format is `:`. - type: string - imagePullPolicy: - description: ImagePullPolicy is the image pull policy. One - of `Always`, `Never` or `IfNotPresent`. If not defined, - it defaults to `IfNotPresent`. - enum: - - Always - - Never - - IfNotPresent - type: string - kubernetesAuth: - description: KubernetesAuth to be used by the agent container - properties: - authDelegatorRoleName: - description: |- - AuthDelegatorRoleName is the name of the ClusterRoleBinding that is associated with the "system:auth-delegator" ClusterRole. - It is necessary for creating TokenReview objects in order for the agent to validate the service account token. 
- type: string - enabled: - description: Enabled is a flag to enable KubernetesAuth - type: boolean - type: object - livenessProbe: - description: LivenessProbe to be used in the Container. - properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' - properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used - for connection to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - port: - description: Port where the agent will be listening for API - connections. - format: int32 - type: integer - probePort: - description: Port where the agent will be listening for probe - connections. - format: int32 - type: integer - readinessProbe: - description: ReadinessProbe to be used in the Container. - properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' 
- properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' - properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used - for connection to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - resources: - description: Resources describes the compute resource requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. 
- type: object - type: object - securityContext: - description: SecurityContext holds security configuration - that will be applied to a container. - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - description: Adds and removes POSIX capabilities from - running containers. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - type: boolean - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - type: object - startupProbe: - description: StartupProbe to be used in the Container. - properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' 
- properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used - for connection to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - volumeMounts: - description: VolumeMounts to be used in the Container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#volumemount-v1-core.' - properties: - mountPath: - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - type: boolean - subPath: - type: string - required: - - mountPath - - name - type: object - type: array - type: object - enabled: - description: Enabled is a flag to enable replication. - type: boolean - gtidStrictMode: - description: |- - GtidStrictMode determines whether the GTID strict mode is enabled. - See: https://mariadb.com/docs/server/ha-and-performance/standard-replication/gtid#gtid_strict_mode. - It is enabled by default. - type: boolean - initContainer: - description: InitContainer is an init container that runs in the - MariaDB Pod and co-operates with mariadb-operator. - properties: - args: - description: Args to be used in the Container. - items: - type: string - type: array - command: - description: Command to be used in the Container. 
- items: - type: string - type: array - env: - description: Env represents the environment variables to be - injected in a container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envvarsource-v1-core.' - properties: - name: - description: Name of the environment variable. Must - be a C_IDENTIFIER. - type: string - value: - type: string - valueFrom: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envvarsource-v1-core.' - properties: - configMapKeyRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#configmapkeyselector-v1-core.' - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#objectfieldselector-v1-core.' - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#secretkeyselector-v1-core.' - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - envFrom: - description: EnvFrom represents the references (via ConfigMap - and Secrets) to environment variables to be injected in - the container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envfromsource-v1-core.' 
- properties: - configMapRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - prefix: - type: string - secretRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - type: object - type: array - image: - description: Image name to be used by the MariaDB instances. - The supported format is `:`. - type: string - imagePullPolicy: - description: ImagePullPolicy is the image pull policy. One - of `Always`, `Never` or `IfNotPresent`. If not defined, - it defaults to `IfNotPresent`. - enum: - - Always - - Never - - IfNotPresent - type: string - livenessProbe: - description: LivenessProbe to be used in the Container. - properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' 
- properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used - for connection to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - readinessProbe: - description: ReadinessProbe to be used in the Container. - properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' - properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used - for connection to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' 
- properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - resources: - description: Resources describes the compute resource requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - type: object - securityContext: - description: SecurityContext holds security configuration - that will be applied to a container. - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - description: Adds and removes POSIX capabilities from - running containers. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - type: boolean - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - type: object - startupProbe: - description: StartupProbe to be used in the Container. 
- properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' - properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used - for connection to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - volumeMounts: - description: VolumeMounts to be used in the Container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#volumemount-v1-core.' - properties: - mountPath: - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - type: boolean - subPath: - type: string - required: - - mountPath - - name - type: object - type: array - required: - - image - type: object - primary: - description: Primary is the replication configuration for the - primary node. 
- properties: - autoFailover: - description: |- - AutoFailover indicates whether the operator should automatically update PodIndex to perform an automatic primary failover. - It is enabled by default. - type: boolean - autoFailoverDelay: - description: |- - AutoFailoverDelay indicates the duration before performing an automatic primary failover. - By default, no extra delay is added. - type: string - podIndex: - description: PodIndex is the StatefulSet index of the primary - node. The user may change this field to perform a manual - switchover. - type: integer - type: object - replica: - description: ReplicaReplication is the replication configuration - for the replica nodes. - properties: - bootstrapFrom: - description: |- - ReplicaBootstrapFrom defines the data sources used to bootstrap new replicas. - This will be used as part of the scaling out and recovery operations, when new replicas are created. - If not provided, scale out and recovery operations will return an error. - properties: - physicalBackupTemplateRef: - description: |- - PhysicalBackupTemplateRef is a reference to a PhysicalBackup object that will be used as template to create a new PhysicalBackup object - used synchronize the data from an up to date replica to the new replica to be bootstrapped. - properties: - name: - default: "" - type: string - type: object - restoreJob: - description: RestoreJob defines additional properties - for the Job used to perform the restoration. - properties: - affinity: - description: Affinity to be used in the Pod. - properties: - antiAffinityEnabled: - description: |- - AntiAffinityEnabled configures PodAntiAffinity so each Pod is scheduled in a different Node, enabling HA. - Make sure you have at least as many Nodes available as the replicas to not end up with unscheduled Pods. 
- type: boolean - nodeAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeaffinity-v1-core' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#preferredschedulingterm-v1-core' - properties: - preference: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselector-v1-core' - properties: - nodeSelectorTerms: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - type: object - podAntiAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podantiaffinity-v1-core.' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#weightedpodaffinityterm-v1-core.' - properties: - podAffinityTerm: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the - Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector - operator is the set - of operators that can - be used in a selector - requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector - operator is the set of operators - that can be used in a selector - requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - args: - description: Args to be used in the Container. - items: - type: string - type: array - metadata: - description: Metadata defines additional metadata - for the bootstrap Jobs. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children - resources. 
- type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector to be used in the Pod. - type: object - resources: - description: Resources describes the compute resource - requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource - name, quantity) pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource - name, quantity) pairs. - type: object - type: object - tolerations: - description: Tolerations to be used in the Pod. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. 
- type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - required: - - physicalBackupTemplateRef - type: object - connectionRetrySeconds: - description: |- - ConnectionRetrySeconds is the number of seconds that the replica will wait between connection retries. - See: https://mariadb.com/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to#master_connect_retry. - type: integer - gtid: - description: |- - Gtid indicates which Global Transaction ID (GTID) position mode should be used when connecting a replica to the master. - By default, CurrentPos is used. - See: https://mariadb.com/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to#master_use_gtid. - enum: - - CurrentPos - - SlavePos - type: string - maxLagSeconds: - description: |- - MaxLagSeconds is the maximum number of seconds that replicas are allowed to lag behind the primary. - If a replica exceeds this threshold, it is marked as not ready and read queries will no longer be forwarded to it. - If not provided, it defaults to 0, which means that replicas are not allowed to lag behind the primary (recommended). - Lagged replicas will not be taken into account as candidates for the new primary during failover, - and they will block other operations, such as switchover and upgrade. 
- This field is not taken into account by MaxScale, you can define the maximum lag as router parameters. - See: https://mariadb.com/docs/maxscale/reference/maxscale-routers/maxscale-readwritesplit#max_replication_lag. - type: integer - recovery: - description: |- - ReplicaRecovery defines how the replicas should be recovered after they enter an error state. - This process deletes data from faulty replicas and recreates them using the source defined in the bootstrapFrom field. - It is disabled by default, and it requires the bootstrapFrom field to be set. - properties: - enabled: - description: Enabled is a flag to enable replica recovery. - type: boolean - errorDurationThreshold: - description: |- - ErrorDurationThreshold defines the time duration after which, if a replica continues to report errors, - the operator will initiate the recovery process for that replica. - This threshold applies only to error codes not identified as recoverable by the operator. - Errors identified as recoverable will trigger the recovery process immediately. - It defaults to 5 minutes. - type: string - required: - - enabled - type: object - replPasswordSecretKeyRef: - description: |- - ReplPasswordSecretKeyRef provides a reference to the Secret to use as password for the replication user. - By default, a random password will be generated. - properties: - generate: - default: false - description: Generate indicates whether the Secret should - be generated if the Secret referenced is not present. - type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - syncTimeout: - description: |- - SyncTimeout defines the timeout for the synchronization phase during switchover and failover operations. - During switchover, all replicas must be synced with the current primary before promoting the new primary. - During failover, the new primary must be synced before being promoted as primary. 
This implies processing all the events in the relay log. - When the timeout is reached, the operator restarts the operation from the beginning. - It defaults to 10s. - See: https://mariadb.com/docs/server/reference/sql-functions/secondary-functions/miscellaneous-functions/master_gtid_wait - type: string - type: object - semiSyncAckTimeout: - description: |- - SemiSyncAckTimeout for the replica to acknowledge transactions to the primary. - It requires semi-synchronous replication to be enabled. - See: https://mariadb.com/docs/server/ha-and-performance/standard-replication/semisynchronous-replication#rpl_semi_sync_master_timeout - type: string - semiSyncEnabled: - description: |- - SemiSyncEnabled determines whether semi-synchronous replication is enabled. - Semi-synchronous replication requires that at least one replica should have sent an ACK to the primary node - before committing the transaction back to the client. - See: https://mariadb.com/docs/server/ha-and-performance/standard-replication/semisynchronous-replication - It is enabled by default - type: boolean - semiSyncWaitPoint: - description: |- - SemiSyncWaitPoint determines whether the transaction should wait for an ACK after having synced the binlog (AfterSync) - or after having committed to the storage engine (AfterCommit, the default). - It requires semi-synchronous replication to be enabled. - See: https://mariadb.com/kb/en/semisynchronous-replication/#rpl_semi_sync_master_wait_point. - enum: - - AfterSync - - AfterCommit - type: string - standaloneProbes: - description: |- - StandaloneProbes indicates whether to use the default non-HA startup and liveness probes. - It is disabled by default - type: boolean - syncBinlog: - description: |- - SyncBinlog indicates after how many events the binary log is synchronized to the disk. 
- See: https://mariadb.com/docs/server/ha-and-performance/standard-replication/replication-and-binary-log-system-variables#sync_binlog - type: integer - type: object - resources: - description: Resources describes the compute resource requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. - type: object - type: object - rootEmptyPassword: - description: RootEmptyPassword indicates if the root password should - be empty. Don't use this feature in production, it is only intended - for development and test environments. - type: boolean - rootPasswordSecretKeyRef: - description: RootPasswordSecretKeyRef is a reference to a Secret key - containing the root password. - properties: - generate: - default: false - description: Generate indicates whether the Secret should be generated - if the Secret referenced is not present. - type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - secondaryConnection: - description: |- - SecondaryConnection defines a template to configure the secondary Connection object. - This Connection provides the initial User access to the initial Database. - It will make use of the SecondaryService to route network traffic to the secondary Pods. - properties: - healthCheck: - description: HealthCheck to be used in the Connection. 
- properties: - interval: - description: Interval used to perform health checks. - type: string - retryInterval: - description: RetryInterval is the interval used to perform - health check retries. - type: string - type: object - params: - additionalProperties: - type: string - description: Params to be used in the Connection. - type: object - port: - description: Port to connect to. If not provided, it defaults - to the MariaDB port or to the first MaxScale listener. - format: int32 - type: integer - secretName: - description: SecretName to be used in the Connection. - type: string - secretTemplate: - description: SecretTemplate to be used in the Connection. - properties: - databaseKey: - description: DatabaseKey to be used in the Secret. - type: string - format: - description: Format to be used in the Secret. - type: string - hostKey: - description: HostKey to be used in the Secret. - type: string - key: - description: Key to be used in the Secret. - type: string - metadata: - description: Metadata to be added to the Secret object. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - passwordKey: - description: PasswordKey to be used in the Secret. - type: string - portKey: - description: PortKey to be used in the Secret. - type: string - usernameKey: - description: UsernameKey to be used in the Secret. - type: string - type: object - serviceName: - description: ServiceName to be used in the Connection. - type: string - type: object - secondaryService: - description: |- - SecondaryService defines a template to configure the secondary Service object. - The network traffic of this Service will be routed to the secondary Pods. - properties: - allocateLoadBalancerNodePorts: - description: AllocateLoadBalancerNodePorts Service field. 
- type: boolean - externalTrafficPolicy: - description: ExternalTrafficPolicy Service field. - type: string - loadBalancerIP: - description: LoadBalancerIP Service field. - type: string - loadBalancerSourceRanges: - description: LoadBalancerSourceRanges Service field. - items: - type: string - type: array - metadata: - description: Metadata to be added to the Service metadata. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - sessionAffinity: - description: SessionAffinity Service field. - type: string - type: - default: ClusterIP - description: Type is the Service type. One of `ClusterIP`, `NodePort` - or `LoadBalancer`. If not defined, it defaults to `ClusterIP`. - enum: - - ClusterIP - - NodePort - - LoadBalancer - type: string - type: object - securityContext: - description: SecurityContext holds security configuration that will - be applied to a container. - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - description: Adds and removes POSIX capabilities from running - containers. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - type: boolean - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - type: object - service: - description: |- - Service defines a template to configure the general Service object. 
- The network traffic of this Service will be routed to all Pods. - properties: - allocateLoadBalancerNodePorts: - description: AllocateLoadBalancerNodePorts Service field. - type: boolean - externalTrafficPolicy: - description: ExternalTrafficPolicy Service field. - type: string - loadBalancerIP: - description: LoadBalancerIP Service field. - type: string - loadBalancerSourceRanges: - description: LoadBalancerSourceRanges Service field. - items: - type: string - type: array - metadata: - description: Metadata to be added to the Service metadata. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - sessionAffinity: - description: SessionAffinity Service field. - type: string - type: - default: ClusterIP - description: Type is the Service type. One of `ClusterIP`, `NodePort` - or `LoadBalancer`. If not defined, it defaults to `ClusterIP`. - enum: - - ClusterIP - - NodePort - - LoadBalancer - type: string - type: object - serviceAccountName: - description: ServiceAccountName is the name of the ServiceAccount - to be used by the Pods. - type: string - servicePorts: - description: ServicePorts is the list of additional named ports to - be added to the Services created by the operator. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#serviceport-v1-core' - properties: - name: - type: string - port: - format: int32 - type: integer - required: - - name - - port - type: object - type: array - sidecarContainers: - description: SidecarContainers to be used in the Pod. - items: - description: Container object definition. - properties: - args: - description: Args to be used in the Container. 
- items: - type: string - type: array - command: - description: Command to be used in the Container. - items: - type: string - type: array - env: - description: Env represents the environment variables to be - injected in a container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envvarsource-v1-core.' - properties: - name: - description: Name of the environment variable. Must be - a C_IDENTIFIER. - type: string - value: - type: string - valueFrom: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envvarsource-v1-core.' - properties: - configMapKeyRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#configmapkeyselector-v1-core.' - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#objectfieldselector-v1-core.' - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#secretkeyselector-v1-core.' - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - description: Image name to be used by the container. The supported - format is `:`. - type: string - imagePullPolicy: - description: ImagePullPolicy is the image pull policy. One of - `Always`, `Never` or `IfNotPresent`. If not defined, it defaults - to `IfNotPresent`. 
- enum: - - Always - - Never - - IfNotPresent - type: string - name: - description: Name to be given to the container. - type: string - resources: - description: Resources describes the compute resource requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. - type: object - type: object - volumeMounts: - description: VolumeMounts to be used in the Container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#volumemount-v1-core.' - properties: - mountPath: - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - type: boolean - subPath: - type: string - required: - - mountPath - - name - type: object - type: array - required: - - image - type: object - type: array - startupProbe: - description: StartupProbe to be used in the Container. - properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' 
- properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used for connection - to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - storage: - description: Storage defines the storage options to be used for provisioning - the PVCs mounted by MariaDB. - properties: - ephemeral: - description: Ephemeral indicates whether to use ephemeral storage - in the PVCs. It is only compatible with non HA MariaDBs. - type: boolean - resizeInUseVolumes: - description: |- - ResizeInUseVolumes indicates whether the PVCs can be resized. The 'StorageClassName' used should have 'allowVolumeExpansion' set to 'true' to allow resizing. - It defaults to true. - type: boolean - size: - anyOf: - - type: integer - - type: string - description: Size of the PVCs to be mounted by MariaDB. Required - if not provided in 'VolumeClaimTemplate'. It supersedes the - storage size specified in 'VolumeClaimTemplate'. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - storageClassName: - description: |- - StorageClassName to be used to provision the PVCS. It supersedes the 'StorageClassName' specified in 'VolumeClaimTemplate'. 
- If not provided, the default 'StorageClass' configured in the cluster is used. - type: string - volumeClaimTemplate: - description: VolumeClaimTemplate provides a template to define - the PVCs. - properties: - accessModes: - items: - type: string - type: array - x-kubernetes-list-type: atomic - metadata: - description: Metadata to be added to the PVC metadata. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - resources: - description: VolumeResourceRequirements describes the storage - resource requirements for a volume. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. 
An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - type: string - type: object - waitForVolumeResize: - description: |- - WaitForVolumeResize indicates whether to wait for the PVCs to be resized before marking the MariaDB object as ready. This will block other operations such as cluster recovery while the resize is in progress. - It defaults to true. - type: boolean - type: object - suspend: - default: false - description: |- - Suspend indicates whether the current resource should be suspended or not. 
- This can be useful for maintenance, as disabling the reconciliation prevents the operator from interfering with user operations during maintenance activities. - type: boolean - timeZone: - description: TimeZone sets the default timezone. If not provided, - it defaults to SYSTEM and the timezone data is not loaded. - type: string - tls: - description: TLS defines the PKI to be used with MariaDB. - properties: - clientCASecretRef: - description: |- - ClientCASecretRef is a reference to a Secret containing the client certificate authority keypair. It is used to establish trust and issue client certificates. - One of: - - Secret containing both the 'ca.crt' and 'ca.key' keys. This allows you to bring your own CA to Kubernetes to issue certificates. - - Secret containing only the 'ca.crt' in order to establish trust. In this case, either clientCertSecretRef or clientCertIssuerRef fields must be provided. - If not provided, a self-signed CA will be provisioned to issue the client certificate. - properties: - name: - default: "" - type: string - type: object - clientCertIssuerRef: - description: |- - ClientCertIssuerRef is a reference to a cert-manager issuer object used to issue the client certificate. cert-manager must be installed previously in the cluster. - It is mutually exclusive with clientCertSecretRef. - By default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via clientCASecretRef. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - clientCertSecretRef: - description: |- - ClientCertSecretRef is a reference to a TLS Secret containing the client certificate. - It is mutually exclusive with clientCertIssuerRef. 
- properties: - name: - default: "" - type: string - type: object - enabled: - description: |- - Enabled indicates whether TLS is enabled, determining if certificates should be issued and mounted to the MariaDB instance. - It is enabled by default. - type: boolean - galeraSSTEnabled: - description: |- - GaleraSSTEnabled determines whether Galera SST connections should use TLS. - It disabled by default. - type: boolean - required: - description: |- - Required specifies whether TLS must be enforced for all connections. - User TLS requirements take precedence over this. - It disabled by default. - type: boolean - serverCASecretRef: - description: |- - ServerCASecretRef is a reference to a Secret containing the server certificate authority keypair. It is used to establish trust and issue server certificates. - One of: - - Secret containing both the 'ca.crt' and 'ca.key' keys. This allows you to bring your own CA to Kubernetes to issue certificates. - - Secret containing only the 'ca.crt' in order to establish trust. In this case, either serverCertSecretRef or serverCertIssuerRef must be provided. - If not provided, a self-signed CA will be provisioned to issue the server certificate. - properties: - name: - default: "" - type: string - type: object - serverCertIssuerRef: - description: |- - ServerCertIssuerRef is a reference to a cert-manager issuer object used to issue the server certificate. cert-manager must be installed previously in the cluster. - It is mutually exclusive with serverCertSecretRef. - By default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via serverCASecretRef. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. 
- type: string - required: - - name - type: object - serverCertSecretRef: - description: |- - ServerCertSecretRef is a reference to a TLS Secret containing the server certificate. - It is mutually exclusive with serverCertIssuerRef. - properties: - name: - default: "" - type: string - type: object - type: object - tolerations: - description: Tolerations to be used in the Pod. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - description: TopologySpreadConstraints to be used in the Pod. 
- items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#topologyspreadconstraint-v1-core.' - properties: - labelSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - maxSkew: - format: int32 - type: integer - minDomains: - format: int32 - type: integer - nodeAffinityPolicy: - description: NodeInclusionPolicy defines the type of node inclusion - policy - type: string - nodeTaintsPolicy: - description: NodeInclusionPolicy defines the type of node inclusion - policy - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - updateStrategy: - description: UpdateStrategy defines how a MariaDB resource is updated. - properties: - autoUpdateDataPlane: - description: |- - AutoUpdateDataPlane indicates whether the Galera data-plane version (agent and init containers) should be automatically updated based on the operator version. It defaults to false. - Updating the operator will trigger updates on all the MariaDB instances that have this flag set to true. Thus, it is recommended to progressively set this flag after having updated the operator. - type: boolean - rollingUpdate: - description: RollingUpdate defines parameters for the RollingUpdate - type. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding up. This can not be 0. - Defaults to 1. This field is alpha-level and is only honored by servers that enable the - MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to - Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it - will be counted towards MaxUnavailable. 
- x-kubernetes-int-or-string: true - partition: - description: |- - Partition indicates the ordinal at which the StatefulSet should be partitioned - for updates. During a rolling update, all pods from ordinal Replicas-1 to - Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. - This is helpful in being able to do a canary based deployment. The default value is 0. - format: int32 - type: integer - type: object - type: - default: ReplicasFirstPrimaryLast - description: Type defines the type of updates. One of `ReplicasFirstPrimaryLast`, - `RollingUpdate` or `OnDelete`. If not defined, it defaults to - `ReplicasFirstPrimaryLast`. - enum: - - ReplicasFirstPrimaryLast - - RollingUpdate - - OnDelete - - Never - type: string - type: object - username: - description: |- - Username is the initial username to be created by the operator once MariaDB is ready. - The initial User will have ALL PRIVILEGES in the initial Database. - type: string - volumeMounts: - description: VolumeMounts to be used in the Container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#volumemount-v1-core.' - properties: - mountPath: - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - type: boolean - subPath: - type: string - required: - - mountPath - - name - type: object - type: array - volumes: - description: Volumes to be used in the Pod. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#volume-v1-core.' - properties: - configMap: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#configmapvolumesource-v1-core.' 
- properties: - defaultMode: - format: int32 - type: integer - name: - default: "" - type: string - type: object - csi: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#csivolumesource-v1-core.' - properties: - driver: - type: string - fsType: - type: string - nodePublishSecretRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - readOnly: - type: boolean - volumeAttributes: - additionalProperties: - type: string - type: object - required: - - driver - type: object - emptyDir: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#emptydirvolumesource-v1-core.' - properties: - medium: - description: StorageMedium defines ways that storage can - be allocated to a volume. - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - hostPath: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#hostpathvolumesource-v1-core' - properties: - path: - type: string - type: - type: string - required: - - path - type: object - name: - type: string - nfs: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nfsvolumesource-v1-core.' - properties: - path: - type: string - readOnly: - type: boolean - server: - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#persistentvolumeclaimvolumesource-v1-core.' 
- properties: - claimName: - type: string - readOnly: - type: boolean - required: - - claimName - type: object - secret: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#secretvolumesource-v1-core.' - properties: - defaultMode: - format: int32 - type: integer - secretName: - type: string - type: object - required: - - name - type: object - type: array - type: object - x-kubernetes-validations: - - message: 'An odd number of MariaDB instances (mariadb.spec.replicas) - is required to avoid split brain situations for Galera. Use ''mariadb.spec.replicasAllowEvenNumber: - true'' to disable this validation.' - rule: '!has(self.galera) || !self.galera.enabled || (self.replicas % - 2 == 1 || self.replicasAllowEvenNumber)' - status: - description: MariaDBStatus defines the observed state of MariaDB - properties: - conditions: - description: Conditions for the Mariadb object. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - currentPrimary: - description: CurrentPrimary is the primary Pod. - type: string - currentPrimaryFailingSince: - description: CurrentPrimaryFailingSince is the timestamp of the moment - when the primary became not ready. - format: date-time - type: string - currentPrimaryPodIndex: - description: CurrentPrimaryPodIndex is the primary Pod index. - type: integer - defaultVersion: - description: |- - DefaultVersion is the MariaDB version used by the operator when it cannot infer the version - from spec.image. This can happen if the image uses a digest (e.g. sha256) instead - of a version tag. - type: string - galeraRecovery: - description: GaleraRecovery is the Galera recovery current state. - properties: - bootstrap: - description: Bootstrap indicates when and in which Pod the cluster - bootstrap process has been performed. 
- properties: - pod: - type: string - time: - format: date-time - type: string - type: object - podsRestarted: - description: PodsRestarted that the Pods have been restarted after - the cluster bootstrap. - type: boolean - recovered: - additionalProperties: - properties: - seqno: - type: integer - uuid: - type: string - required: - - seqno - - uuid - type: object - description: State is a per Pod representation of the sequence - recovery process. - type: object - state: - additionalProperties: - properties: - safeToBootstrap: - type: boolean - seqno: - type: integer - uuid: - type: string - version: - type: string - required: - - safeToBootstrap - - seqno - - uuid - - version - type: object - description: State is a per Pod representation of the Galera state - file (grastate.dat). - type: object - type: object - replicas: - description: Replicas indicates the number of current instances. - format: int32 - type: integer - replication: - description: Replication is the replication current status per each - Pod. - properties: - replicaToRecover: - description: ReplicaToRecover is the replica that is being recovered - by the operator. - type: string - replicas: - additionalProperties: - description: ReplicaStatus is the observed replica status. - properties: - gtidCurrentPos: - description: GtidCurrentPos is the last GTID position executed - by the SQL thread. - type: string - gtidIOPos: - description: GtidIOPos is the last GTID position received - by the IO thread and written to the relay log. - type: string - lastErrorTransitionTime: - description: LastErrorTransitionTime is the last time the - replica transitioned to an error state. - format: date-time - type: string - lastIOErrno: - description: LastIOErrno is the error code returned by the - IO thread. - type: integer - lastIOError: - description: LastIOErrno is the error message returned by - the IO thread. - type: string - lastSQLErrno: - description: LastSQLErrno is the error code returned by - the SQL thread. 
- type: integer - lastSQLError: - description: LastSQLError is the error message returned - by the SQL thread. - type: string - secondsBehindMaster: - description: SecondsBehindMaster measures the replication - lag with the primary. - type: integer - slaveIORunning: - description: SlaveIORunning indicates whether the slave - IO thread is running. - type: boolean - slaveSQLRunning: - description: SlaveSQLRunning indicates whether the slave - SQL thread is running. - type: boolean - type: object - description: Replicas is the observed replication status for each - replica. - type: object - roles: - additionalProperties: - description: ReplicationRole represents the observed replication - roles. - type: string - description: Roles is the observed replication roles for each - Pod. - type: object - type: object - scaleOutInitialIndex: - description: ScaleOutInitialIndex is the initial index where the scale - out operation started. - type: integer - tls: - description: TLS aggregates the status of the certificates used by - the MariaDB instance. - properties: - caBundle: - description: CABundle is the status of the Certificate Authority - bundle. - items: - description: CertificateStatus represents the current status - of a TLS certificate. - properties: - issuer: - description: Issuer is the issuer of the current certificate. - type: string - notAfter: - description: NotAfter indicates that the certificate is - not valid after the given date. - format: date-time - type: string - notBefore: - description: NotBefore indicates that the certificate is - not valid before the given date. - format: date-time - type: string - subject: - description: Subject is the subject of the current certificate. - type: string - required: - - issuer - - subject - type: object - type: array - clientCert: - description: ClientCert is the status of the client certificate. - properties: - issuer: - description: Issuer is the issuer of the current certificate. 
- type: string - notAfter: - description: NotAfter indicates that the certificate is not - valid after the given date. - format: date-time - type: string - notBefore: - description: NotBefore indicates that the certificate is not - valid before the given date. - format: date-time - type: string - subject: - description: Subject is the subject of the current certificate. - type: string - required: - - issuer - - subject - type: object - serverCert: - description: ServerCert is the status of the server certificate. - properties: - issuer: - description: Issuer is the issuer of the current certificate. - type: string - notAfter: - description: NotAfter indicates that the certificate is not - valid after the given date. - format: date-time - type: string - notBefore: - description: NotBefore indicates that the certificate is not - valid before the given date. - format: date-time - type: string - subject: - description: Subject is the subject of the current certificate. - type: string - required: - - issuer - - subject - type: object - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - scale: - specReplicasPath: .spec.replicas - statusReplicasPath: .status.replicas - status: {} ---- -# Source: mariadb-operator/charts/mariadb-operator-crds/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: maxscales.k8s.mariadb.com -spec: - group: k8s.mariadb.com - names: - kind: MaxScale - listKind: MaxScaleList - plural: maxscales - shortNames: - - mxs - singular: maxscale - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .status.primaryServer - name: Primary - type: string - - jsonPath: 
.metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: MaxScale is the Schema for the maxscales API. It is used to define - MaxScale clusters. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: MaxScaleSpec defines the desired state of MaxScale. - properties: - admin: - description: Admin configures the admin REST API and GUI. - properties: - guiEnabled: - description: GuiEnabled indicates whether the admin GUI should - be enabled. - type: boolean - port: - description: Port where the admin REST API and GUI will be exposed. - format: int32 - type: integer - type: object - affinity: - description: Affinity to be used in the Pod. - properties: - antiAffinityEnabled: - description: |- - AntiAffinityEnabled configures PodAntiAffinity so each Pod is scheduled in a different Node, enabling HA. - Make sure you have at least as many Nodes available as the replicas to not end up with unscheduled Pods. 
- type: boolean - nodeAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeaffinity-v1-core' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#preferredschedulingterm-v1-core' - properties: - preference: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselector-v1-core' - properties: - nodeSelectorTerms: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - type: object - podAntiAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podantiaffinity-v1-core.' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#weightedpodaffinityterm-v1-core.' - properties: - podAffinityTerm: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector operator - is the set of operators that can be - used in a selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector operator is - the set of operators that can be used in - a selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - args: - description: Args to be used in the Container. - items: - type: string - type: array - auth: - description: Auth defines the credentials required for MaxScale to - connect to MariaDB. - properties: - adminPasswordSecretKeyRef: - description: AdminPasswordSecretKeyRef is Secret key reference - to the admin password to call the admin REST API. 
It is defaulted - if not provided. - properties: - generate: - default: false - description: Generate indicates whether the Secret should - be generated if the Secret referenced is not present. - type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - adminUsername: - description: AdminUsername is an admin username to call the admin - REST API. It is defaulted if not provided. - type: string - clientMaxConnections: - description: |- - ClientMaxConnections defines the maximum number of connections that the client can establish. - If HA is enabled, make sure to increase this value, as more MaxScale replicas implies more connections. - It defaults to 30 times the number of MaxScale replicas. - format: int32 - type: integer - clientPasswordSecretKeyRef: - description: |- - ClientPasswordSecretKeyRef is Secret key reference to the password to connect to MaxScale. It is defaulted if not provided. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the password. - properties: - generate: - default: false - description: Generate indicates whether the Secret should - be generated if the Secret referenced is not present. - type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - clientUsername: - description: ClientUsername is the user to connect to MaxScale. - It is defaulted if not provided. - type: string - deleteDefaultAdmin: - description: DeleteDefaultAdmin determines whether the default - admin user should be deleted after the initial configuration. - If not provided, it defaults to true. - type: boolean - generate: - description: |- - Generate defies whether the operator should generate users and grants for MaxScale to work. - It only supports MariaDBs specified via spec.mariaDbRef. 
- type: boolean - metricsPasswordSecretKeyRef: - description: MetricsPasswordSecretKeyRef is Secret key reference - to the metrics password to call the admib REST API. It is defaulted - if metrics are enabled. - properties: - generate: - default: false - description: Generate indicates whether the Secret should - be generated if the Secret referenced is not present. - type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - metricsUsername: - description: MetricsUsername is an metrics username to call the - REST API. It is defaulted if metrics are enabled. - type: string - monitorMaxConnections: - description: |- - MonitorMaxConnections defines the maximum number of connections that the monitor can establish. - If HA is enabled, make sure to increase this value, as more MaxScale replicas implies more connections. - It defaults to 30 times the number of MaxScale replicas. - format: int32 - type: integer - monitorPasswordSecretKeyRef: - description: |- - MonitorPasswordSecretKeyRef is Secret key reference to the password used by MaxScale monitor to connect to MariaDB server. It is defaulted if not provided. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the password. - properties: - generate: - default: false - description: Generate indicates whether the Secret should - be generated if the Secret referenced is not present. - type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - monitorUsername: - description: MonitorUsername is the user used by MaxScale monitor - to connect to MariaDB server. It is defaulted if not provided. - type: string - serverMaxConnections: - description: |- - ServerMaxConnections defines the maximum number of connections that the server can establish. 
- If HA is enabled, make sure to increase this value, as more MaxScale replicas implies more connections. - It defaults to 30 times the number of MaxScale replicas. - format: int32 - type: integer - serverPasswordSecretKeyRef: - description: |- - ServerPasswordSecretKeyRef is Secret key reference to the password used by MaxScale to connect to MariaDB server. It is defaulted if not provided. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the password. - properties: - generate: - default: false - description: Generate indicates whether the Secret should - be generated if the Secret referenced is not present. - type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - serverUsername: - description: ServerUsername is the user used by MaxScale to connect - to MariaDB server. It is defaulted if not provided. - type: string - syncMaxConnections: - description: |- - SyncMaxConnections defines the maximum number of connections that the sync can establish. - If HA is enabled, make sure to increase this value, as more MaxScale replicas implies more connections. - It defaults to 30 times the number of MaxScale replicas. - format: int32 - type: integer - syncPasswordSecretKeyRef: - description: |- - SyncPasswordSecretKeyRef is Secret key reference to the password used by MaxScale config to connect to MariaDB server. It is defaulted when HA is enabled. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the password. - properties: - generate: - default: false - description: Generate indicates whether the Secret should - be generated if the Secret referenced is not present. 
- type: boolean - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - syncUsername: - description: MonitoSyncUsernamerUsername is the user used by MaxScale - config sync to connect to MariaDB server. It is defaulted when - HA is enabled. - type: string - type: object - command: - description: Command to be used in the Container. - items: - type: string - type: array - config: - description: Config defines the MaxScale configuration. - properties: - params: - additionalProperties: - type: string - description: |- - Params is a key value pair of parameters to be used in the MaxScale static configuration file. - Any parameter supported by MaxScale may be specified here. See reference: - https://mariadb.com/kb/en/mariadb-maxscale-2308-mariadb-maxscale-configuration-guide/#global-settings. - type: object - sync: - description: Sync defines how to replicate configuration across - MaxScale replicas. It is defaulted when HA is enabled. - properties: - database: - description: Database is the MariaDB logical database where - the 'maxscale_config' table will be created in order to - persist and synchronize config changes. If not provided, - it defaults to 'mysql'. - type: string - interval: - description: Interval defines the config synchronization interval. - It is defaulted if not provided. - type: string - timeout: - description: Interval defines the config synchronization timeout. - It is defaulted if not provided. - type: string - type: object - volumeClaimTemplate: - description: VolumeClaimTemplate provides a template to define - the PVCs for storing MaxScale runtime configuration files. It - is defaulted if not provided. - properties: - accessModes: - items: - type: string - type: array - x-kubernetes-list-type: atomic - metadata: - description: Metadata to be added to the PVC metadata. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - resources: - description: VolumeResourceRequirements describes the storage - resource requirements for a volume. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - type: string - type: object - type: object - connection: - description: Connection provides a template to define the Connection - for MaxScale. - properties: - healthCheck: - description: HealthCheck to be used in the Connection. - properties: - interval: - description: Interval used to perform health checks. - type: string - retryInterval: - description: RetryInterval is the interval used to perform - health check retries. - type: string - type: object - params: - additionalProperties: - type: string - description: Params to be used in the Connection. - type: object - port: - description: Port to connect to. If not provided, it defaults - to the MariaDB port or to the first MaxScale listener. - format: int32 - type: integer - secretName: - description: SecretName to be used in the Connection. 
- type: string - secretTemplate: - description: SecretTemplate to be used in the Connection. - properties: - databaseKey: - description: DatabaseKey to be used in the Secret. - type: string - format: - description: Format to be used in the Secret. - type: string - hostKey: - description: HostKey to be used in the Secret. - type: string - key: - description: Key to be used in the Secret. - type: string - metadata: - description: Metadata to be added to the Secret object. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - passwordKey: - description: PasswordKey to be used in the Secret. - type: string - portKey: - description: PortKey to be used in the Secret. - type: string - usernameKey: - description: UsernameKey to be used in the Secret. - type: string - type: object - serviceName: - description: ServiceName to be used in the Connection. - type: string - type: object - env: - description: Env represents the environment variables to be injected - in a container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envvarsource-v1-core.' - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - type: string - valueFrom: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envvarsource-v1-core.' - properties: - configMapKeyRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#configmapkeyselector-v1-core.' 
- properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#objectfieldselector-v1-core.' - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#secretkeyselector-v1-core.' - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - envFrom: - description: EnvFrom represents the references (via ConfigMap and - Secrets) to environment variables to be injected in the container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#envfromsource-v1-core.' - properties: - configMapRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - prefix: - type: string - secretRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - type: object - type: array - guiKubernetesService: - description: GuiKubernetesService defines a template for a Kubernetes - Service object to connect to MaxScale's GUI. - properties: - allocateLoadBalancerNodePorts: - description: AllocateLoadBalancerNodePorts Service field. - type: boolean - externalTrafficPolicy: - description: ExternalTrafficPolicy Service field. 
- type: string - loadBalancerIP: - description: LoadBalancerIP Service field. - type: string - loadBalancerSourceRanges: - description: LoadBalancerSourceRanges Service field. - items: - type: string - type: array - metadata: - description: Metadata to be added to the Service metadata. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - sessionAffinity: - description: SessionAffinity Service field. - type: string - type: - default: ClusterIP - description: Type is the Service type. One of `ClusterIP`, `NodePort` - or `LoadBalancer`. If not defined, it defaults to `ClusterIP`. - enum: - - ClusterIP - - NodePort - - LoadBalancer - type: string - type: object - image: - description: |- - Image name to be used by the MaxScale instances. The supported format is `:`. - Only MaxScale official images are supported. - type: string - imagePullPolicy: - description: ImagePullPolicy is the image pull policy. One of `Always`, - `Never` or `IfNotPresent`. If not defined, it defaults to `IfNotPresent`. - enum: - - Always - - Never - - IfNotPresent - type: string - imagePullSecrets: - description: ImagePullSecrets is the list of pull Secrets to be used - to pull the image. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - type: array - inheritMetadata: - description: InheritMetadata defines the metadata to be inherited - by children resources. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. 
- type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - kubernetesService: - description: KubernetesService defines a template for a Kubernetes - Service object to connect to MaxScale. - properties: - allocateLoadBalancerNodePorts: - description: AllocateLoadBalancerNodePorts Service field. - type: boolean - externalTrafficPolicy: - description: ExternalTrafficPolicy Service field. - type: string - loadBalancerIP: - description: LoadBalancerIP Service field. - type: string - loadBalancerSourceRanges: - description: LoadBalancerSourceRanges Service field. - items: - type: string - type: array - metadata: - description: Metadata to be added to the Service metadata. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - sessionAffinity: - description: SessionAffinity Service field. - type: string - type: - default: ClusterIP - description: Type is the Service type. One of `ClusterIP`, `NodePort` - or `LoadBalancer`. If not defined, it defaults to `ClusterIP`. - enum: - - ClusterIP - - NodePort - - LoadBalancer - type: string - type: object - livenessProbe: - description: LivenessProbe to be used in the Container. - properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' 
- properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used for connection - to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - mariaDbRef: - description: MariaDBRef is a reference to the MariaDB that MaxScale - points to. It is used to initialize the servers field. - properties: - kind: - description: Kind of the referent. - type: string - name: - type: string - namespace: - type: string - waitForIt: - default: true - description: WaitForIt indicates whether the controller using - this reference should wait for MariaDB to be ready. - type: boolean - type: object - metrics: - description: Metrics configures metrics and how to scrape them. - properties: - enabled: - description: Enabled is a flag to enable Metrics - type: boolean - exporter: - description: Exporter defines the metrics exporter container. - properties: - affinity: - description: Affinity to be used in the Pod. - properties: - antiAffinityEnabled: - description: |- - AntiAffinityEnabled configures PodAntiAffinity so each Pod is scheduled in a different Node, enabling HA. - Make sure you have at least as many Nodes available as the replicas to not end up with unscheduled Pods. 
- type: boolean - nodeAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeaffinity-v1-core' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#preferredschedulingterm-v1-core' - properties: - preference: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselector-v1-core' - properties: - nodeSelectorTerms: - items: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - type: object - podAntiAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podantiaffinity-v1-core.' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#weightedpodaffinityterm-v1-core.' - properties: - podAffinityTerm: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector - operator is the set of operators - that can be used in a selector - requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes - docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector operator - is the set of operators that can - be used in a selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - args: - description: Args to be used in the Container. - items: - type: string - type: array - image: - description: |- - Image name to be used as metrics exporter. The supported format is `:`. 
- Only mysqld-exporter >= v0.15.0 is supported: https://github.com/prometheus/mysqld_exporter - type: string - imagePullPolicy: - description: ImagePullPolicy is the image pull policy. One - of `Always`, `Never` or `IfNotPresent`. If not defined, - it defaults to `IfNotPresent`. - enum: - - Always - - Never - - IfNotPresent - type: string - imagePullSecrets: - description: ImagePullSecrets is the list of pull Secrets - to be used to pull the image. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - type: array - nodeSelector: - additionalProperties: - type: string - description: NodeSelector to be used in the Pod. - type: object - podMetadata: - description: PodMetadata defines extra metadata for the Pod. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - podSecurityContext: - description: SecurityContext holds pod-level security attributes - and common container settings. - properties: - appArmorProfile: - description: AppArmorProfile defines a pod or container's - AppArmor settings. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. 
- type: string - required: - - type - type: object - fsGroup: - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - PodFSGroupChangePolicy holds policies that will be used for applying fsGroup to a volume - when volume is mounted. - type: string - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxOptions: - description: SELinuxOptions are the labels to be applied - to the container - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - SeccompProfile defines a pod/container's seccomp profile settings. - Only one profile source may be set. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - type: object - port: - description: Port where the exporter will be listening for - connections. 
- format: int32 - type: integer - priorityClassName: - description: PriorityClassName to be used in the Pod. - type: string - resources: - description: Resources describes the compute resource requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, - quantity) pairs. - type: object - type: object - securityContext: - description: SecurityContext holds container-level security - attributes. - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - description: Adds and removes POSIX capabilities from - running containers. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - type: boolean - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - type: object - tolerations: - description: Tolerations to be used in the Pod. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . 
- properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - serviceMonitor: - description: ServiceMonitor defines the ServiceMonior object. - properties: - interval: - description: Interval for scraping metrics. - type: string - jobLabel: - description: JobLabel to add to the ServiceMonitor object. - type: string - prometheusRelease: - description: PrometheusRelease is the release label to add - to the ServiceMonitor object. - type: string - scrapeTimeout: - description: ScrapeTimeout defines the timeout for scraping - metrics. - type: string - type: object - type: object - monitor: - description: Monitor monitors MariaDB server instances. It is required - if 'spec.mariaDbRef' is not provided. 
- properties: - cooperativeMonitoring: - description: CooperativeMonitoring enables coordination between - multiple MaxScale instances running monitors. It is defaulted - when HA is enabled. - enum: - - majority_of_all - - majority_of_running - type: string - interval: - description: Interval used to monitor MariaDB servers. It is defaulted - if not provided. - type: string - module: - description: Module is the module to use to monitor MariaDB servers. - It is mandatory when no MariaDB reference is provided. - type: string - name: - description: Name is the identifier of the monitor. It is defaulted - if not provided. - type: string - params: - additionalProperties: - type: string - description: |- - Params defines extra parameters to pass to the monitor. - Any parameter supported by MaxScale may be specified here. See reference: - https://mariadb.com/kb/en/mariadb-maxscale-2308-common-monitor-parameters/. - Monitor specific parameter are also supported: - https://mariadb.com/kb/en/mariadb-maxscale-2308-galera-monitor/#galera-monitor-optional-parameters. - https://mariadb.com/kb/en/mariadb-maxscale-2308-mariadb-monitor/#configuration. - type: object - suspend: - default: false - description: |- - Suspend indicates whether the current resource should be suspended or not. - This can be useful for maintenance, as disabling the reconciliation prevents the operator from interfering with user operations during maintenance activities. - type: boolean - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector to be used in the Pod. - type: object - podDisruptionBudget: - description: PodDisruptionBudget defines the budget for replica availability. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: MaxUnavailable defines the number of maximum unavailable - Pods. 
- x-kubernetes-int-or-string: true - minAvailable: - anyOf: - - type: integer - - type: string - description: MinAvailable defines the number of minimum available - Pods. - x-kubernetes-int-or-string: true - type: object - podMetadata: - description: PodMetadata defines extra metadata for the Pod. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - podSecurityContext: - description: SecurityContext holds pod-level security attributes and - common container settings. - properties: - appArmorProfile: - description: AppArmorProfile defines a pod or container's AppArmor - settings. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - PodFSGroupChangePolicy holds policies that will be used for applying fsGroup to a volume - when volume is mounted. - type: string - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxOptions: - description: SELinuxOptions are the labels to be applied to the - container - properties: - level: - description: Level is SELinux level label that applies to - the container. 
- type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - SeccompProfile defines a pod/container's seccomp profile settings. - Only one profile source may be set. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - type: object - primaryServer: - description: |- - PrimaryServer specifies the desired primary server. Setting this field triggers a switchover operation in MaxScale to the desired server. - This option is only valid when using monitors that support switchover, currently limited to the MariaDB monitor. - type: string - priorityClassName: - description: PriorityClassName to be used in the Pod. - type: string - readinessProbe: - description: ReadinessProbe to be used in the Container. - properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' 
- properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' - properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used for connection - to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - replicas: - default: 1 - description: Replicas indicates the number of desired instances. - format: int32 - type: integer - requeueInterval: - description: RequeueInterval is used to perform requeue reconciliations. - If not defined, it defaults to 10s. - type: string - resources: - description: Resources describes the compute resource requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. 
- type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. - type: object - type: object - securityContext: - description: SecurityContext holds security configuration that will - be applied to a container. - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - description: Adds and removes POSIX capabilities from running - containers. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - type: boolean - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - type: object - servers: - description: Servers are the MariaDB servers to forward traffic to. - It is required if 'spec.mariaDbRef' is not provided. - items: - description: MaxScaleServer defines a MariaDB server to forward - traffic to. - properties: - address: - description: Address is the network address of the MariaDB server. - type: string - maintenance: - description: Maintenance indicates whether the server is in - maintenance mode. - type: boolean - name: - description: Name is the identifier of the MariaDB server. - type: string - params: - additionalProperties: - type: string - description: |- - Params defines extra parameters to pass to the server. - Any parameter supported by MaxScale may be specified here. 
See reference: - https://mariadb.com/kb/en/mariadb-maxscale-2308-mariadb-maxscale-configuration-guide/#server_1. - type: object - port: - description: Port is the network port of the MariaDB server. - If not provided, it defaults to 3306. - format: int32 - type: integer - protocol: - description: Protocol is the MaxScale protocol to use when communicating - with this MariaDB server. If not provided, it defaults to - MariaDBBackend. - type: string - required: - - address - - name - type: object - type: array - serviceAccountName: - description: ServiceAccountName is the name of the ServiceAccount - to be used by the Pods. - type: string - services: - description: Services define how the traffic is forwarded to the MariaDB - servers. It is defaulted if not provided. - items: - description: Services define how the traffic is forwarded to the - MariaDB servers. - properties: - listener: - description: MaxScaleListener defines how the MaxScale server - will listen for connections. - properties: - name: - description: Name is the identifier of the listener. It - is defaulted if not provided - type: string - params: - additionalProperties: - type: string - description: |- - Params defines extra parameters to pass to the listener. - Any parameter supported by MaxScale may be specified here. See reference: - https://mariadb.com/kb/en/mariadb-maxscale-2308-mariadb-maxscale-configuration-guide/#listener_1. - type: object - port: - description: Port is the network port where the MaxScale - server will listen. - format: int32 - type: integer - protocol: - description: Protocol is the MaxScale protocol to use when - communicating with the client. If not provided, it defaults - to MariaDBProtocol. - type: string - suspend: - default: false - description: |- - Suspend indicates whether the current resource should be suspended or not. 
- This can be useful for maintenance, as disabling the reconciliation prevents the operator from interfering with user operations during maintenance activities. - type: boolean - required: - - port - type: object - name: - description: Name is the identifier of the MaxScale service. - type: string - params: - additionalProperties: - type: string - description: |- - Params defines extra parameters to pass to the service. - Any parameter supported by MaxScale may be specified here. See reference: - https://mariadb.com/kb/en/mariadb-maxscale-2308-mariadb-maxscale-configuration-guide/#service_1. - Router specific parameter are also supported: - https://mariadb.com/kb/en/mariadb-maxscale-2308-readwritesplit/#configuration. - https://mariadb.com/kb/en/mariadb-maxscale-2308-readconnroute/#configuration. - type: object - router: - description: Router is the type of router to use. - enum: - - readwritesplit - - readconnroute - type: string - suspend: - default: false - description: |- - Suspend indicates whether the current resource should be suspended or not. - This can be useful for maintenance, as disabling the reconciliation prevents the operator from interfering with user operations during maintenance activities. - type: boolean - required: - - listener - - name - - router - type: object - type: array - startupProbe: - description: StartupProbe to be used in the Container. - properties: - exec: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#execaction-v1-core.' - properties: - command: - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - format: int32 - type: integer - httpGet: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#httpgetaction-v1-core.' 
- properties: - host: - type: string - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - description: URIScheme identifies the scheme used for connection - to a host for Get actions - type: string - required: - - port - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - tcpSocket: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#tcpsocketaction-v1-core.' - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - timeoutSeconds: - format: int32 - type: integer - type: object - suspend: - default: false - description: |- - Suspend indicates whether the current resource should be suspended or not. - This can be useful for maintenance, as disabling the reconciliation prevents the operator from interfering with user operations during maintenance activities. - type: boolean - tls: - description: TLS defines the PKI to be used with MaxScale. - properties: - adminCASecretRef: - description: |- - AdminCASecretRef is a reference to a Secret containing the admin certificate authority keypair. It is used to establish trust and issue certificates for the MaxScale's administrative REST API and GUI. - One of: - - Secret containing both the 'ca.crt' and 'ca.key' keys. This allows you to bring your own CA to Kubernetes to issue certificates. - - Secret containing only the 'ca.crt' in order to establish trust. In this case, either adminCertSecretRef or adminCertIssuerRef fields must be provided. - If not provided, a self-signed CA will be provisioned to issue the server certificate. 
- properties: - name: - default: "" - type: string - type: object - adminCertIssuerRef: - description: |- - AdminCertIssuerRef is a reference to a cert-manager issuer object used to issue the MaxScale's administrative REST API and GUI certificate. cert-manager must be installed previously in the cluster. - It is mutually exclusive with adminCertSecretRef. - By default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via adminCASecretRef. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - adminCertSecretRef: - description: AdminCertSecretRef is a reference to a TLS Secret - used by the MaxScale's administrative REST API and GUI. - properties: - name: - default: "" - type: string - type: object - enabled: - description: |- - Enabled indicates whether TLS is enabled, determining if certificates should be issued and mounted to the MaxScale instance. - It is enabled by default when the referred MariaDB instance (via mariaDbRef) has TLS enabled and enforced. - type: boolean - listenerCASecretRef: - description: |- - ListenerCASecretRef is a reference to a Secret containing the listener certificate authority keypair. It is used to establish trust and issue certificates for the MaxScale's listeners. - One of: - - Secret containing both the 'ca.crt' and 'ca.key' keys. This allows you to bring your own CA to Kubernetes to issue certificates. - - Secret containing only the 'ca.crt' in order to establish trust. In this case, either listenerCertSecretRef or listenerCertIssuerRef fields must be provided. - If not provided, a self-signed CA will be provisioned to issue the listener certificate. 
- properties: - name: - default: "" - type: string - type: object - listenerCertIssuerRef: - description: |- - ListenerCertIssuerRef is a reference to a cert-manager issuer object used to issue the MaxScale's listeners certificate. cert-manager must be installed previously in the cluster. - It is mutually exclusive with listenerCertSecretRef. - By default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via listenerCASecretRef. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - listenerCertSecretRef: - description: ListenerCertSecretRef is a reference to a TLS Secret - used by the MaxScale's listeners. - properties: - name: - default: "" - type: string - type: object - replicationSSLEnabled: - description: |- - ReplicationSSLEnabled specifies whether the replication SSL is enabled. If enabled, the SSL options will be added to the server configuration. - It is enabled by default when the referred MariaDB instance (via mariaDbRef) has replication enabled. - If the MariaDB servers are manually provided by the user via the 'servers' field, this must be set by the user as well. - type: boolean - serverCASecretRef: - description: |- - ServerCASecretRef is a reference to a Secret containing the MariaDB server CA certificates. It is used to establish trust with MariaDB servers. - The Secret should contain a 'ca.crt' key in order to establish trust. - If not provided, and the reference to a MariaDB resource is set (mariaDbRef), it will be defaulted to the referred MariaDB CA bundle. 
- properties: - name: - default: "" - type: string - type: object - serverCertSecretRef: - description: |- - ServerCertSecretRef is a reference to a TLS Secret used by MaxScale to connect to the MariaDB servers. - If not provided, and the reference to a MariaDB resource is set (mariaDbRef), it will be defaulted to the referred MariaDB client certificate (clientCertSecretRef). - properties: - name: - default: "" - type: string - type: object - verifyPeerCertificate: - description: |- - VerifyPeerCertificate specifies whether the peer certificate's signature should be validated against the CA. - It is disabled by default. - type: boolean - verifyPeerHost: - description: |- - VerifyPeerHost specifies whether the peer certificate's SANs should match the peer host. - It is disabled by default. - type: boolean - type: object - tolerations: - description: Tolerations to be used in the Pod. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - description: TopologySpreadConstraints to be used in the Pod. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#topologyspreadconstraint-v1-core.' - properties: - labelSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - maxSkew: - format: int32 - type: integer - minDomains: - format: int32 - type: integer - nodeAffinityPolicy: - description: NodeInclusionPolicy defines the type of node inclusion - policy - type: string - nodeTaintsPolicy: - description: NodeInclusionPolicy defines the type of node inclusion - policy - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - updateStrategy: - description: UpdateStrategy defines the update strategy for the StatefulSet - object. - properties: - rollingUpdate: - description: RollingUpdate is used to communicate parameters when - Type is RollingUpdateStatefulSetStrategyType. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding up. This can not be 0. - Defaults to 1. This field is alpha-level and is only honored by servers that enable the - MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to - Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it - will be counted towards MaxUnavailable. 
- x-kubernetes-int-or-string: true - partition: - description: |- - Partition indicates the ordinal at which the StatefulSet should be partitioned - for updates. During a rolling update, all pods from ordinal Replicas-1 to - Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. - This is helpful in being able to do a canary based deployment. The default value is 0. - format: int32 - type: integer - type: object - type: - description: |- - Type indicates the type of the StatefulSetUpdateStrategy. - Default is RollingUpdate. - type: string - type: object - volumeMounts: - description: VolumeMounts to be used in the Container. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#volumemount-v1-core.' - properties: - mountPath: - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - type: boolean - subPath: - type: string - required: - - mountPath - - name - type: object - type: array - type: object - status: - description: MaxScaleStatus defines the observed state of MaxScale - properties: - conditions: - description: Conditions for the MaxScale object. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - configSync: - description: ConfigSync is the state of config sync. - properties: - databaseVersion: - type: integer - maxScaleVersion: - type: integer - required: - - databaseVersion - - maxScaleVersion - type: object - listeners: - description: Listeners is the state of the listeners in the MaxScale - API. - items: - description: MaxScaleResourceStatus indicates whether the resource - is in a given state. - properties: - name: - type: string - state: - type: string - required: - - name - - state - type: object - type: array - monitor: - description: Monitor is the state of the monitor in the MaxScale API. 
- properties: - name: - type: string - state: - type: string - required: - - name - - state - type: object - monitorSpec: - description: MonitorSpec is a hashed version of spec.monitor to be - able to track changes during reconciliation. - type: string - primaryServer: - description: PrimaryServer is the primary server in the MaxScale API. - type: string - replicas: - description: Replicas indicates the number of current instances. - format: int32 - type: integer - servers: - description: Servers is the state of the servers in the MaxScale API. - items: - description: MaxScaleAPIStatus is the state of the servers in the - MaxScale API. - properties: - name: - type: string - state: - type: string - required: - - name - - state - type: object - type: array - serversSpec: - description: ServersSpec is a hashed version of spec.servers to be - able to track changes during reconciliation. - type: string - services: - description: Services is the state of the services in the MaxScale - API. - items: - description: MaxScaleResourceStatus indicates whether the resource - is in a given state. - properties: - name: - type: string - state: - type: string - required: - - name - - state - type: object - type: array - servicesSpec: - description: ServicesSpec is a hashed version of spec.services to - be able to track changes during reconciliation. - type: string - tls: - description: TLS aggregates the status of the certificates used by - the MaxScale instance. - properties: - adminCert: - description: AdminCert is the status of the admin certificate. - properties: - issuer: - description: Issuer is the issuer of the current certificate. - type: string - notAfter: - description: NotAfter indicates that the certificate is not - valid after the given date. - format: date-time - type: string - notBefore: - description: NotBefore indicates that the certificate is not - valid before the given date. 
- format: date-time - type: string - subject: - description: Subject is the subject of the current certificate. - type: string - required: - - issuer - - subject - type: object - caBundle: - description: CABundle is the status of the Certificate Authority - bundle. - items: - description: CertificateStatus represents the current status - of a TLS certificate. - properties: - issuer: - description: Issuer is the issuer of the current certificate. - type: string - notAfter: - description: NotAfter indicates that the certificate is - not valid after the given date. - format: date-time - type: string - notBefore: - description: NotBefore indicates that the certificate is - not valid before the given date. - format: date-time - type: string - subject: - description: Subject is the subject of the current certificate. - type: string - required: - - issuer - - subject - type: object - type: array - listenerCert: - description: ListenerCert is the status of the listener certificate. - properties: - issuer: - description: Issuer is the issuer of the current certificate. - type: string - notAfter: - description: NotAfter indicates that the certificate is not - valid after the given date. - format: date-time - type: string - notBefore: - description: NotBefore indicates that the certificate is not - valid before the given date. - format: date-time - type: string - subject: - description: Subject is the subject of the current certificate. - type: string - required: - - issuer - - subject - type: object - serverCert: - description: ServerCert is the status of the MariaDB server certificate. - properties: - issuer: - description: Issuer is the issuer of the current certificate. - type: string - notAfter: - description: NotAfter indicates that the certificate is not - valid after the given date. - format: date-time - type: string - notBefore: - description: NotBefore indicates that the certificate is not - valid before the given date. 
- format: date-time - type: string - subject: - description: Subject is the subject of the current certificate. - type: string - required: - - issuer - - subject - type: object - type: object - type: object - type: object - served: true - storage: true - subresources: - scale: - specReplicasPath: .spec.replicas - statusReplicasPath: .status.replicas - status: {} ---- -# Source: mariadb-operator/charts/mariadb-operator-crds/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: physicalbackups.k8s.mariadb.com -spec: - group: k8s.mariadb.com - names: - kind: PhysicalBackup - listKind: PhysicalBackupList - plural: physicalbackups - shortNames: - - pbmdb - singular: physicalbackup - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Complete")].status - name: Complete - type: string - - jsonPath: .status.conditions[?(@.type=="Complete")].message - name: Status - type: string - - jsonPath: .spec.mariaDbRef.name - name: MariaDB - type: string - - jsonPath: .status.lastScheduleTime - name: Last Scheduled - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: PhysicalBackup is the Schema for the physicalbackups API. It - is used to define physical backup jobs and its storage. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. 
- Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PhysicalBackupSpec defines the desired state of PhysicalBackup. - properties: - args: - description: Args to be used in the Container. - items: - type: string - type: array - backoffLimit: - description: BackoffLimit defines the maximum number of attempts to - successfully take a PhysicalBackup. - format: int32 - type: integer - compression: - description: Compression algorithm to be used in the Backup. - enum: - - none - - bzip2 - - gzip - type: string - imagePullSecrets: - description: ImagePullSecrets is the list of pull Secrets to be used - to pull the image. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - type: array - inheritMetadata: - description: InheritMetadata defines the metadata to be inherited - by children resources. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - mariaDbRef: - description: MariaDBRef is a reference to a MariaDB object. - properties: - kind: - description: Kind of the referent. - type: string - name: - type: string - namespace: - type: string - waitForIt: - default: true - description: WaitForIt indicates whether the controller using - this reference should wait for MariaDB to be ready. - type: boolean - type: object - maxRetention: - description: |- - MaxRetention defines the retention policy for backups. Old backups will be cleaned up by the Backup Job. - It defaults to 30 days. 
- type: string - podAffinity: - description: |- - PodAffinity indicates whether the Jobs should run in the same Node as the MariaDB Pods to be able to attach the PVC. - It defaults to true. - type: boolean - podMetadata: - description: PodMetadata defines extra metadata for the Pod. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - podSecurityContext: - description: SecurityContext holds pod-level security attributes and - common container settings. - properties: - appArmorProfile: - description: AppArmorProfile defines a pod or container's AppArmor - settings. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - PodFSGroupChangePolicy holds policies that will be used for applying fsGroup to a volume - when volume is mounted. - type: string - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxOptions: - description: SELinuxOptions are the labels to be applied to the - container - properties: - level: - description: Level is SELinux level label that applies to - the container. 
- type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - SeccompProfile defines a pod/container's seccomp profile settings. - Only one profile source may be set. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - type: object - priorityClassName: - description: PriorityClassName to be used in the Pod. - type: string - resources: - description: Resources describes the compute resource requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. 
- type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. - type: object - type: object - restartPolicy: - default: OnFailure - description: RestartPolicy to be added to the PhysicalBackup Pod. - enum: - - Always - - OnFailure - - Never - type: string - schedule: - description: Schedule defines when the PhysicalBackup will be taken. - properties: - cron: - description: Cron is a cron expression that defines the schedule. - type: string - immediate: - description: Immediate indicates whether the first backup should - be taken immediately after creating the PhysicalBackup. - type: boolean - suspend: - default: false - description: Suspend defines whether the schedule is active or - not. - type: boolean - type: object - securityContext: - description: SecurityContext holds security configuration that will - be applied to a container. - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - description: Adds and removes POSIX capabilities from running - containers. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - type: boolean - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - type: object - serviceAccountName: - description: ServiceAccountName is the name of the ServiceAccount - to be used by the Pods. 
- type: string - stagingStorage: - description: |- - StagingStorage defines the temporary storage used to keep external backups (i.e. S3) while they are being processed. - It defaults to an emptyDir volume, meaning that the backups will be temporarily stored in the node where the PhysicalBackup Job is scheduled. - The staging area gets cleaned up after each backup is completed, consider this for sizing it appropriately. - properties: - persistentVolumeClaim: - description: PersistentVolumeClaim is a Kubernetes PVC specification. - properties: - accessModes: - items: - type: string - type: array - x-kubernetes-list-type: atomic - resources: - description: VolumeResourceRequirements describes the storage - resource requirements for a volume. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. 
An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - type: string - type: object - volume: - description: Volume is a Kubernetes volume specification. - properties: - csi: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#csivolumesource-v1-core.' - properties: - driver: - type: string - fsType: - type: string - nodePublishSecretRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' 
- properties: - name: - default: "" - type: string - type: object - readOnly: - type: boolean - volumeAttributes: - additionalProperties: - type: string - type: object - required: - - driver - type: object - emptyDir: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#emptydirvolumesource-v1-core.' - properties: - medium: - description: StorageMedium defines ways that storage can - be allocated to a volume. - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - hostPath: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#hostpathvolumesource-v1-core' - properties: - path: - type: string - type: - type: string - required: - - path - type: object - nfs: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nfsvolumesource-v1-core.' - properties: - path: - type: string - readOnly: - type: boolean - server: - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#persistentvolumeclaimvolumesource-v1-core.' - properties: - claimName: - type: string - readOnly: - type: boolean - required: - - claimName - type: object - type: object - type: object - storage: - description: Storage defines the final storage for backups. - properties: - persistentVolumeClaim: - description: PersistentVolumeClaim is a Kubernetes PVC specification. - properties: - accessModes: - items: - type: string - type: array - x-kubernetes-list-type: atomic - resources: - description: VolumeResourceRequirements describes the storage - resource requirements for a volume. 
- properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. 
If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - type: string - type: object - s3: - description: S3 defines the configuration to store backups in - a S3 compatible storage. - properties: - accessKeyIdSecretKeyRef: - description: AccessKeyIdSecretKeyRef is a reference to a Secret - key containing the S3 access key id. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - bucket: - description: Bucket is the name Name of the bucket to store - backups. - type: string - endpoint: - description: Endpoint is the S3 API endpoint without scheme. - type: string - prefix: - description: 'Prefix indicates a folder/subfolder in the bucket. - For example: mariadb/ or mariadb/backups. A trailing slash - ''/'' is added if not provided.' - type: string - region: - description: Region is the S3 region name to use. - type: string - secretAccessKeySecretKeyRef: - description: AccessKeyIdSecretKeyRef is a reference to a Secret - key containing the S3 secret key. 
- properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - sessionTokenSecretKeyRef: - description: SessionTokenSecretKeyRef is a reference to a - Secret key containing the S3 session token. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - tls: - description: TLS provides the configuration required to establish - TLS connections with S3. - properties: - caSecretKeyRef: - description: |- - CASecretKeyRef is a reference to a Secret key containing a CA bundle in PEM format used to establish TLS connections with S3. - By default, the system trust chain will be used, but you can use this field to add more CAs to the bundle. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - enabled: - description: Enabled is a flag to enable TLS. - type: boolean - type: object - required: - - bucket - - endpoint - type: object - volume: - description: Volume is a Kubernetes volume specification. - properties: - csi: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#csivolumesource-v1-core.' - properties: - driver: - type: string - fsType: - type: string - nodePublishSecretRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - readOnly: - type: boolean - volumeAttributes: - additionalProperties: - type: string - type: object - required: - - driver - type: object - emptyDir: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#emptydirvolumesource-v1-core.' 
- properties: - medium: - description: StorageMedium defines ways that storage can - be allocated to a volume. - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - hostPath: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#hostpathvolumesource-v1-core' - properties: - path: - type: string - type: - type: string - required: - - path - type: object - nfs: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nfsvolumesource-v1-core.' - properties: - path: - type: string - readOnly: - type: boolean - server: - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#persistentvolumeclaimvolumesource-v1-core.' - properties: - claimName: - type: string - readOnly: - type: boolean - required: - - claimName - type: object - type: object - volumeSnapshot: - description: VolumeSnapshot is a Kubernetes VolumeSnapshot specification. - properties: - metadata: - description: Metadata is extra metadata to the added to the - VolumeSnapshot objects. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - volumeSnapshotClassName: - description: VolumeSnapshotClassName is the VolumeSnapshot - class to be used to take snapshots. 
- type: string - required: - - volumeSnapshotClassName - type: object - type: object - successfulJobsHistoryLimit: - description: SuccessfulJobsHistoryLimit defines the maximum number - of successful Jobs to be displayed. It defaults to 5. - format: int32 - minimum: 0 - type: integer - timeout: - description: |- - Timeout defines the maximum duration of a PhysicalBackup job or snapshot. - If this duration is exceeded, the job or snapshot is considered expired and is deleted by the operator. - A new job or snapshot will then be created according to the schedule. - It defaults to 1 hour. - type: string - tolerations: - description: Tolerations to be used in the Pod. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. 
- format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - required: - - mariaDbRef - - storage - type: object - status: - description: PhysicalBackupStatus defines the observed state of PhysicalBackup. - properties: - conditions: - description: Conditions for the PhysicalBackup object. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastScheduleCheckTime: - description: LastScheduleCheckTime is the last time that the schedule - was checked. - format: date-time - type: string - lastScheduleTime: - description: LastScheduleTime is the last time that a backup was scheduled. - format: date-time - type: string - nextScheduleTime: - description: NextScheduleTime is the next time that a backup will - be scheduled. - format: date-time - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: mariadb-operator/charts/mariadb-operator-crds/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: restores.k8s.mariadb.com -spec: - group: k8s.mariadb.com - names: - kind: Restore - listKind: RestoreList - plural: restores - shortNames: - - rmdb - singular: restore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Complete")].status - name: Complete - type: string - - jsonPath: .status.conditions[?(@.type=="Complete")].message - name: Status - type: string - - jsonPath: .spec.mariaDbRef.name - name: MariaDB - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: Restore is the Schema for the restores API. It is used to define - restore jobs and its restoration source. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. 
- Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: RestoreSpec defines the desired state of restore - properties: - affinity: - description: Affinity to be used in the Pod. - properties: - antiAffinityEnabled: - description: |- - AntiAffinityEnabled configures PodAntiAffinity so each Pod is scheduled in a different Node, enabling HA. - Make sure you have at least as many Nodes available as the replicas to not end up with unscheduled Pods. - type: boolean - nodeAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeaffinity-v1-core' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#preferredschedulingterm-v1-core' - properties: - preference: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselector-v1-core' - properties: - nodeSelectorTerms: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - type: object - podAntiAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podantiaffinity-v1-core.' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#weightedpodaffinityterm-v1-core.' - properties: - podAffinityTerm: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector operator - is the set of operators that can be - used in a selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector operator is - the set of operators that can be used in - a selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - args: - description: Args to be used in the Container. - items: - type: string - type: array - backoffLimit: - default: 5 - description: BackoffLimit defines the maximum number of attempts to - successfully perform a Backup. - format: int32 - type: integer - backupRef: - description: BackupRef is a reference to a Backup object. 
It has priority - over S3 and Volume. - properties: - name: - default: "" - type: string - type: object - database: - description: |- - Database defines the logical database to be restored. If not provided, all databases available in the backup are restored. - IMPORTANT: The database must previously exist. - type: string - imagePullSecrets: - description: ImagePullSecrets is the list of pull Secrets to be used - to pull the image. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - type: array - inheritMetadata: - description: InheritMetadata defines the metadata to be inherited - by children resources. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - logLevel: - default: info - description: LogLevel to be used n the Backup Job. It defaults to - 'info'. - type: string - mariaDbRef: - description: MariaDBRef is a reference to a MariaDB object. - properties: - kind: - description: Kind of the referent. - type: string - name: - type: string - namespace: - type: string - waitForIt: - default: true - description: WaitForIt indicates whether the controller using - this reference should wait for MariaDB to be ready. - type: boolean - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector to be used in the Pod. - type: object - podMetadata: - description: PodMetadata defines extra metadata for the Pod. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. 
- type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - podSecurityContext: - description: SecurityContext holds pod-level security attributes and - common container settings. - properties: - appArmorProfile: - description: AppArmorProfile defines a pod or container's AppArmor - settings. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - PodFSGroupChangePolicy holds policies that will be used for applying fsGroup to a volume - when volume is mounted. - type: string - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxOptions: - description: SELinuxOptions are the labels to be applied to the - container - properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - SeccompProfile defines a pod/container's seccomp profile settings. 
- Only one profile source may be set. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - type: object - priorityClassName: - description: PriorityClassName to be used in the Pod. - type: string - resources: - description: Resources describes the compute resource requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. - type: object - type: object - restartPolicy: - default: OnFailure - description: RestartPolicy to be added to the Backup Job. 
- enum: - - Always - - OnFailure - - Never - type: string - s3: - description: S3 defines the configuration to restore backups from - a S3 compatible storage. It has priority over Volume. - properties: - accessKeyIdSecretKeyRef: - description: AccessKeyIdSecretKeyRef is a reference to a Secret - key containing the S3 access key id. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - bucket: - description: Bucket is the name Name of the bucket to store backups. - type: string - endpoint: - description: Endpoint is the S3 API endpoint without scheme. - type: string - prefix: - description: 'Prefix indicates a folder/subfolder in the bucket. - For example: mariadb/ or mariadb/backups. A trailing slash ''/'' - is added if not provided.' - type: string - region: - description: Region is the S3 region name to use. - type: string - secretAccessKeySecretKeyRef: - description: AccessKeyIdSecretKeyRef is a reference to a Secret - key containing the S3 secret key. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - sessionTokenSecretKeyRef: - description: SessionTokenSecretKeyRef is a reference to a Secret - key containing the S3 session token. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - tls: - description: TLS provides the configuration required to establish - TLS connections with S3. - properties: - caSecretKeyRef: - description: |- - CASecretKeyRef is a reference to a Secret key containing a CA bundle in PEM format used to establish TLS connections with S3. - By default, the system trust chain will be used, but you can use this field to add more CAs to the bundle. 
- properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - enabled: - description: Enabled is a flag to enable TLS. - type: boolean - type: object - required: - - bucket - - endpoint - type: object - securityContext: - description: SecurityContext holds security configuration that will - be applied to a container. - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - description: Adds and removes POSIX capabilities from running - containers. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - type: boolean - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - type: object - serviceAccountName: - description: ServiceAccountName is the name of the ServiceAccount - to be used by the Pods. - type: string - stagingStorage: - description: |- - StagingStorage defines the temporary storage used to keep external backups (i.e. S3) while they are being processed. - It defaults to an emptyDir volume, meaning that the backups will be temporarily stored in the node where the Restore Job is scheduled. - properties: - persistentVolumeClaim: - description: PersistentVolumeClaim is a Kubernetes PVC specification. - properties: - accessModes: - items: - type: string - type: array - x-kubernetes-list-type: atomic - resources: - description: VolumeResourceRequirements describes the storage - resource requirements for a volume. 
- properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. 
If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - type: string - type: object - volume: - description: Volume is a Kubernetes volume specification. - properties: - csi: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#csivolumesource-v1-core.' - properties: - driver: - type: string - fsType: - type: string - nodePublishSecretRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - readOnly: - type: boolean - volumeAttributes: - additionalProperties: - type: string - type: object - required: - - driver - type: object - emptyDir: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#emptydirvolumesource-v1-core.' - properties: - medium: - description: StorageMedium defines ways that storage can - be allocated to a volume. 
- type: string - sizeLimit: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - hostPath: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#hostpathvolumesource-v1-core' - properties: - path: - type: string - type: - type: string - required: - - path - type: object - nfs: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nfsvolumesource-v1-core.' - properties: - path: - type: string - readOnly: - type: boolean - server: - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#persistentvolumeclaimvolumesource-v1-core.' - properties: - claimName: - type: string - readOnly: - type: boolean - required: - - claimName - type: object - type: object - type: object - targetRecoveryTime: - description: |- - TargetRecoveryTime is a RFC3339 (1970-01-01T00:00:00Z) date and time that defines the point in time recovery objective. - It is used to determine the closest restoration source in time. - format: date-time - type: string - tolerations: - description: Tolerations to be used in the Pod. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. 
- If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - volume: - description: Volume is a Kubernetes Volume object that contains a - backup. - properties: - csi: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#csivolumesource-v1-core.' - properties: - driver: - type: string - fsType: - type: string - nodePublishSecretRef: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - readOnly: - type: boolean - volumeAttributes: - additionalProperties: - type: string - type: object - required: - - driver - type: object - emptyDir: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#emptydirvolumesource-v1-core.' - properties: - medium: - description: StorageMedium defines ways that storage can be - allocated to a volume. 
- type: string - sizeLimit: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - hostPath: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#hostpathvolumesource-v1-core' - properties: - path: - type: string - type: - type: string - required: - - path - type: object - nfs: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nfsvolumesource-v1-core.' - properties: - path: - type: string - readOnly: - type: boolean - server: - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#persistentvolumeclaimvolumesource-v1-core.' - properties: - claimName: - type: string - readOnly: - type: boolean - required: - - claimName - type: object - type: object - required: - - mariaDbRef - type: object - status: - description: RestoreStatus defines the observed state of restore - properties: - conditions: - description: Conditions for the Restore object. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: mariadb-operator/charts/mariadb-operator-crds/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: sqljobs.k8s.mariadb.com -spec: - group: k8s.mariadb.com - names: - kind: SqlJob - listKind: SqlJobList - plural: sqljobs - shortNames: - - smdb - singular: sqljob - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Complete")].status - name: Complete - type: string - - jsonPath: .status.conditions[?(@.type=="Complete")].message - name: Status - type: string - - jsonPath: .spec.mariaDbRef.name - name: MariaDB - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: SqlJob is the Schema for the sqljobs API. It is used to run sql - scripts as jobs. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SqlJobSpec defines the desired state of SqlJob - properties: - affinity: - description: Affinity to be used in the Pod. - properties: - antiAffinityEnabled: - description: |- - AntiAffinityEnabled configures PodAntiAffinity so each Pod is scheduled in a different Node, enabling HA. - Make sure you have at least as many Nodes available as the replicas to not end up with unscheduled Pods. - type: boolean - nodeAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeaffinity-v1-core' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#preferredschedulingterm-v1-core' - properties: - preference: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselector-v1-core' - properties: - nodeSelectorTerms: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorterm-v1-core' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#nodeselectorrequirement-v1-core' - properties: - key: - type: string - operator: - description: |- - A node selector operator is the set of operators that can be used in - a node selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - type: object - podAntiAffinity: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podantiaffinity-v1-core.' - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#weightedpodaffinityterm-v1-core.' - properties: - podAffinityTerm: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector operator - is the set of operators that can be - used in a selector requirement. 
- type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#podaffinityterm-v1-core.' - properties: - labelSelector: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselector-v1-meta' - properties: - matchExpressions: - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#labelselectorrequirement-v1-meta' - properties: - key: - type: string - operator: - description: A label selector operator is - the set of operators that can be used in - a selector requirement. - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - args: - description: Args to be used in the Container. - items: - type: string - type: array - backoffLimit: - default: 5 - description: BackoffLimit defines the maximum number of attempts to - successfully execute a SqlJob. - format: int32 - type: integer - database: - description: Username to be used when executing the SqlJob. 
- type: string - dependsOn: - description: DependsOn defines dependencies with other SqlJob objectecs. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - type: array - failedJobsHistoryLimit: - description: FailedJobsHistoryLimit defines the maximum number of - failed Jobs to be displayed. - format: int32 - minimum: 0 - type: integer - imagePullSecrets: - description: ImagePullSecrets is the list of pull Secrets to be used - to pull the image. - items: - description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.34/#localobjectreference-v1-core.' - properties: - name: - default: "" - type: string - type: object - type: array - inheritMetadata: - description: InheritMetadata defines the metadata to be inherited - by children resources. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - mariaDbRef: - description: MariaDBRef is a reference to a MariaDB object. - properties: - kind: - description: Kind of the referent. - type: string - name: - type: string - namespace: - type: string - waitForIt: - default: true - description: WaitForIt indicates whether the controller using - this reference should wait for MariaDB to be ready. - type: boolean - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector to be used in the Pod. - type: object - passwordSecretKeyRef: - description: UserPasswordSecretKeyRef is a reference to the impersonated - user's password to be used when executing the SqlJob. 
- properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - podMetadata: - description: PodMetadata defines extra metadata for the Pod. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to children resources. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to children resources. - type: object - type: object - podSecurityContext: - description: SecurityContext holds pod-level security attributes and - common container settings. - properties: - appArmorProfile: - description: AppArmorProfile defines a pod or container's AppArmor - settings. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - PodFSGroupChangePolicy holds policies that will be used for applying fsGroup to a volume - when volume is mounted. - type: string - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxOptions: - description: SELinuxOptions are the labels to be applied to the - container - properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. 
- type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - SeccompProfile defines a pod/container's seccomp profile settings. - Only one profile source may be set. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - type: object - priorityClassName: - description: PriorityClassName to be used in the Pod. - type: string - resources: - description: Resources describes the compute resource requirements. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. 
- type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. - type: object - type: object - restartPolicy: - default: OnFailure - description: RestartPolicy to be added to the SqlJob Pod. - enum: - - Always - - OnFailure - - Never - type: string - schedule: - description: Schedule defines when the SqlJob will be executed. - properties: - cron: - description: Cron is a cron expression that defines the schedule. - type: string - suspend: - default: false - description: Suspend defines whether the schedule is active or - not. - type: boolean - required: - - cron - type: object - securityContext: - description: SecurityContext holds security configuration that will - be applied to a container. - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - description: Adds and removes POSIX capabilities from running - containers. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - type: boolean - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - type: object - serviceAccountName: - description: ServiceAccountName is the name of the ServiceAccount - to be used by the Pods. - type: string - sql: - description: Sql is the script to be executed by the SqlJob. 
- type: string - sqlConfigMapKeyRef: - description: |- - SqlConfigMapKeyRef is a reference to a ConfigMap containing the Sql script. - It is defaulted to a ConfigMap with the contents of the Sql field. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - successfulJobsHistoryLimit: - description: SuccessfulJobsHistoryLimit defines the maximum number - of successful Jobs to be displayed. - format: int32 - minimum: 0 - type: integer - timeZone: - description: TimeZone defines the timezone associated with the cron - expression. - type: string - tlsCASecretRef: - description: |- - TLSCACertSecretRef is a reference toa CA Secret used to establish trust when executing the SqlJob. - If not provided, the CA bundle provided by the referred MariaDB is used. - properties: - name: - default: "" - type: string - type: object - tlsClientCertSecretRef: - description: |- - TLSClientCertSecretRef is a reference to a Kubernetes TLS Secret used as authentication when executing the SqlJob. - If not provided, the client certificate provided by the referred MariaDB is used. - properties: - name: - default: "" - type: string - type: object - tolerations: - description: Tolerations to be used in the Pod. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. 
- Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - username: - description: Username to be impersonated when executing the SqlJob. - type: string - required: - - mariaDbRef - - passwordSecretKeyRef - - username - type: object - status: - description: SqlJobStatus defines the observed state of SqlJob - properties: - conditions: - description: Conditions for the SqlJob object. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: mariadb-operator/charts/mariadb-operator-crds/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: users.k8s.mariadb.com -spec: - group: k8s.mariadb.com - names: - kind: User - listKind: UserList - plural: users - shortNames: - - umdb - singular: user - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .spec.maxUserConnections - name: MaxConns - type: string - - jsonPath: 
.spec.mariaDbRef.name - name: MariaDB - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: User is the Schema for the users API. It is used to define grants - as if you were running a 'CREATE USER' statement. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: UserSpec defines the desired state of User - properties: - cleanupPolicy: - description: CleanupPolicy defines the behavior for cleaning up a - SQL resource. - enum: - - Skip - - Delete - type: string - host: - description: Host related to the User. - maxLength: 255 - type: string - mariaDbRef: - description: MariaDBRef is a reference to a MariaDB object. - properties: - kind: - description: Kind of the referent. - type: string - name: - type: string - namespace: - type: string - waitForIt: - default: true - description: WaitForIt indicates whether the controller using - this reference should wait for MariaDB to be ready. - type: boolean - type: object - maxUserConnections: - default: 10 - description: MaxUserConnections defines the maximum number of simultaneous - connections that the User can establish. - format: int32 - type: integer - name: - description: Name overrides the default name provided by metadata.name. 
- maxLength: 80 - type: string - passwordHashSecretKeyRef: - description: |- - PasswordHashSecretKeyRef is a reference to the password hash to be used by the User. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the password hash. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - passwordPlugin: - description: PasswordPlugin is a reference to the password plugin - and arguments to be used by the User. - properties: - pluginArgSecretKeyRef: - description: |- - PluginArgSecretKeyRef is a reference to the arguments to be provided to the authentication plugin for the User. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the authentication plugin arguments. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - pluginNameSecretKeyRef: - description: |- - PluginNameSecretKeyRef is a reference to the authentication plugin to be used by the User. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the authentication plugin. - properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - passwordSecretKeyRef: - description: |- - PasswordSecretKeyRef is a reference to the password to be used by the User. - If not provided, the account will be locked and the password will expire. - If the referred Secret is labeled with "k8s.mariadb.com/watch", updates may be performed to the Secret in order to update the password. 
- properties: - key: - type: string - name: - default: "" - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - requeueInterval: - description: RequeueInterval is used to perform requeue reconciliations. - type: string - require: - description: 'Require specifies TLS requirements for the user to connect. - See: https://mariadb.com/kb/en/securing-connections-for-client-and-server/#requiring-tls.' - properties: - issuer: - description: Issuer indicates that the TLS certificate provided - by the user must be issued by a specific issuer. - type: string - ssl: - description: SSL indicates that the user must connect via TLS. - type: boolean - subject: - description: Subject indicates that the TLS certificate provided - by the user must have a specific subject. - type: string - x509: - description: X509 indicates that the user must provide a valid - x509 certificate to connect. - type: boolean - type: object - retryInterval: - description: RetryInterval is the interval used to perform retries. - type: string - required: - - mariaDbRef - type: object - status: - description: UserStatus defines the observed state of User - properties: - conditions: - description: Conditions for the User object. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/cert-controller/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: mariadb-operator-cert-controller -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - - mutatingwebhookconfigurations - verbs: - - get - - list - - update - - patch - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - list - - patch - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - - endpointslices/restricted - verbs: - - get - - list - - watch ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/operator/rbac-user.yaml -# the 
mariadb-view ClusterRole allows viewing all k8s.mariadb.com resources -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: mariadb-operator-view - labels: - rbac.authorization.k8s.io/aggregate-to-view: "true" -rules: -- apiGroups: ["k8s.mariadb.com"] - resources: ["*"] - verbs: ["get", "list", "watch"] ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/operator/rbac-user.yaml -# the mariadb-edit ClusterRole allows editing k8s.mariadb.com resources -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: mariadb-operator-edit - labels: - rbac.authorization.k8s.io/aggregate-to-edit: "true" -rules: -- apiGroups: ["k8s.mariadb.com"] - resources: ["*"] - verbs: ["create", "update", "patch", "delete"] ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/operator/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: mariadb-operator -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - delete - - get - - list - - patch - - watch -- apiGroups: - - "" - resources: - - events - - secrets - - serviceaccounts - - services - verbs: - - create - - list - - patch - - watch -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - create - - delete - - deletecollection - - list - - patch - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - delete - - get - - list - - watch - - patch -- apiGroups: - - "" - resources: - - pods/log - verbs: - - get -- apiGroups: - - apps - resources: - - deployments - verbs: - - create - - list - - patch - - watch -- apiGroups: - - apps - resources: - - statefulsets - verbs: - - create - - delete - - get - - list - - patch - - watch -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - batch - resources: - - cronjobs - verbs: - - 
create - - list - - patch - - watch -- apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - get - - list - - patch - - watch -- apiGroups: - - cert-manager.io - resources: - - certificates - verbs: - - create - - list - - patch - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - - endpointslices/restricted - verbs: - - create - - get - - list - - patch - - watch -- apiGroups: - - k8s.mariadb.com - resources: - - backups - - connections - - databases - - grants - - mariadbs - - externalmariadbs - - maxscales - - physicalbackups - - restores - - sqljobs - - users - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - k8s.mariadb.com - resources: - - backups/finalizers - - connections/finalizers - - databases/finalizers - - grants/finalizers - - mariadbs/finalizers - - externalmariadbs/finalizers - - maxscales/finalizers - - physicalbackups/finalizers - - restores/finalizers - - sqljobs/finalizers - - users/finalizers - verbs: - - update -- apiGroups: - - k8s.mariadb.com - resources: - - backups/status - - connections/status - - databases/status - - grants/status - - mariadbs/status - - externalmariadbs/status - - maxscales/status - - physicalbackups/status - - restores/status - - sqljobs/status - - users/status - verbs: - - get - - patch - - update -- apiGroups: - - k8s.mariadb.com - resources: - - maxscale - verbs: - - create - - list - - patch - - watch -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - create - - list - - patch - - watch -- apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - create - - list - - patch - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - rolebindings - - roles - verbs: - - create - - list - - patch - - watch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - verbs: - - create - - delete - - get - - list - - patch - - 
watch ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/cert-controller/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: mariadb-operator-cert-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: mariadb-operator-cert-controller -subjects: -- kind: ServiceAccount - name: mariadb-operator-cert-controller-cert-controller - namespace: mariadb-operator ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/operator/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: mariadb-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: mariadb-operator -subjects: -- kind: ServiceAccount - name: mariadb-operator - namespace: mariadb-operator ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/operator/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: mariadb-operator:auth-delegator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: mariadb-operator - namespace: mariadb-operator ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/cert-controller/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: mariadb-operator-cert-controller -rules: -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/operator/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: mariadb-operator -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - 
resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/cert-controller/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: mariadb-operator-cert-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: mariadb-operator-cert-controller -subjects: -- kind: ServiceAccount - name: mariadb-operator-cert-controller-cert-controller - namespace: mariadb-operator ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/operator/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: mariadb-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: mariadb-operator -subjects: -- kind: ServiceAccount - name: mariadb-operator - namespace: mariadb-operator ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/cert-controller/servicemonitor.yaml -apiVersion: v1 -kind: Service -metadata: - name: mariadb-operator-cert-controller-metrics - labels: - - helm.sh/chart: mariadb-operator-25.10.2 - app.kubernetes.io/name: mariadb-operator-cert-controller - app.kubernetes.io/instance: mariadb-operator - app.kubernetes.io/version: "25.10.2" - app.kubernetes.io/managed-by: Helm -spec: - ports: - - port: 8080 - protocol: TCP - name: metrics - selector: - - app.kubernetes.io/name: mariadb-operator-cert-controller - app.kubernetes.io/instance: mariadb-operator ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/operator/metrics-servicemonitor.yaml -apiVersion: v1 -kind: Service -metadata: - name: mariadb-operator-metrics - labels: - - helm.sh/chart: mariadb-operator-25.10.2 - app.kubernetes.io/name: mariadb-operator - app.kubernetes.io/instance: mariadb-operator - app.kubernetes.io/version: "25.10.2" - app.kubernetes.io/managed-by: Helm -spec: - ports: - - 
port: 8080 - protocol: TCP - name: metrics - selector: - - app.kubernetes.io/name: mariadb-operator - app.kubernetes.io/instance: mariadb-operator ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/webhook/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: mariadb-operator-webhook - labels: - helm.sh/chart: mariadb-operator-25.10.2 - app.kubernetes.io/name: mariadb-operator-webhook - app.kubernetes.io/instance: mariadb-operator - app.kubernetes.io/version: "25.10.2" - app.kubernetes.io/managed-by: Helm -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 9443 - selector: - app.kubernetes.io/name: mariadb-operator-webhook - app.kubernetes.io/instance: mariadb-operator ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/webhook/servicemonitor.yaml -apiVersion: v1 -kind: Service -metadata: - name: mariadb-operator-webhook-metrics - labels: - - helm.sh/chart: mariadb-operator-25.10.2 - app.kubernetes.io/name: mariadb-operator-webhook - app.kubernetes.io/instance: mariadb-operator - app.kubernetes.io/version: "25.10.2" - app.kubernetes.io/managed-by: Helm -spec: - ports: - - port: 8080 - protocol: TCP - name: metrics - selector: - - app.kubernetes.io/name: mariadb-operator-webhook - app.kubernetes.io/instance: mariadb-operator ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/cert-controller/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mariadb-operator-cert-controller - labels: - helm.sh/chart: mariadb-operator-25.10.2 - app.kubernetes.io/name: mariadb-operator-cert-controller - app.kubernetes.io/instance: mariadb-operator - app.kubernetes.io/version: "25.10.2" - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - app.kubernetes.io/name: mariadb-operator-cert-controller - app.kubernetes.io/instance: mariadb-operator - template: - metadata: - labels: - app.kubernetes.io/name: mariadb-operator-cert-controller - app.kubernetes.io/instance: mariadb-operator - 
spec: - serviceAccountName: mariadb-operator-cert-controller-cert-controller - automountServiceAccountToken: true - containers: - - image: "docker-registry3.mariadb.com/mariadb-operator/mariadb-operator:25.10.2" - imagePullPolicy: IfNotPresent - name: cert-controller - args: - - cert-controller - - --ca-secret-name=mariadb-operator-webhook-ca - - --ca-secret-namespace=mariadb-operator - - --ca-lifetime=26280h - - --cert-secret-name=mariadb-operator-webhook-cert - - --cert-secret-namespace=mariadb-operator - - --cert-lifetime=2160h - - --renew-before-percentage=33 - - --service-name=mariadb-operator-webhook - - --service-namespace=mariadb-operator - - --requeue-duration=5m - - --metrics-addr=:8080 - - --health-addr=:8081 - - --log-level=INFO - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 8081 - protocol: TCP - name: health - env: - - name: CLUSTER_NAME - value: cluster.local - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/operator/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mariadb-operator - labels: - helm.sh/chart: mariadb-operator-25.10.2 - app.kubernetes.io/name: mariadb-operator - app.kubernetes.io/instance: mariadb-operator - app.kubernetes.io/version: "25.10.2" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 3 - selector: - matchLabels: - app.kubernetes.io/name: mariadb-operator - app.kubernetes.io/instance: mariadb-operator - template: - metadata: - labels: - app.kubernetes.io/name: mariadb-operator - app.kubernetes.io/instance: mariadb-operator - spec: - serviceAccountName: mariadb-operator - automountServiceAccountToken: true - terminationGracePeriodSeconds: 10 - containers: - - image: "docker-registry3.mariadb.com/mariadb-operator/mariadb-operator:25.10.2" - imagePullPolicy: IfNotPresent - name: controller - args: - - --metrics-addr=:8080 - - --log-level=INFO - 
- --leader-elect - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - envFrom: - - configMapRef: - name: mariadb-operator-env - env: - - name: CLUSTER_NAME - value: cluster.local - - name: MARIADB_OPERATOR_NAME - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: MARIADB_OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MARIADB_OPERATOR_SA_PATH - value: /var/run/secrets/kubernetes.io/serviceaccount/token ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/webhook/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mariadb-operator-webhook - labels: - helm.sh/chart: mariadb-operator-25.10.2 - app.kubernetes.io/name: mariadb-operator-webhook - app.kubernetes.io/instance: mariadb-operator - app.kubernetes.io/version: "25.10.2" - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - app.kubernetes.io/name: mariadb-operator-webhook - app.kubernetes.io/instance: mariadb-operator - template: - metadata: - labels: - app.kubernetes.io/name: mariadb-operator-webhook - app.kubernetes.io/instance: mariadb-operator - spec: - serviceAccountName: mariadb-operator-webhook - automountServiceAccountToken: true - hostNetwork: false - containers: - - image: "docker-registry3.mariadb.com/mariadb-operator/mariadb-operator:25.10.2" - imagePullPolicy: IfNotPresent - name: webhook - args: - - webhook - - --ca-cert-path=/tmp/k8s-webhook-server/certificate-authority/tls.crt - - --cert-dir=/tmp/k8s-webhook-server/serving-certs - - --dns-name=mariadb-operator-webhook.mariadb-operator.svc - - --port=9443 - - --metrics-addr=:8080 - - --health-addr=:8081 - - --log-level=INFO - ports: - - containerPort: 9443 - protocol: TCP - name: https - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 8081 - protocol: TCP - name: health - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/certificate-authority - name: ca - readOnly: true - - mountPath: 
/tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 20 - periodSeconds: 5 - volumes: - - name: ca - secret: - defaultMode: 420 - secretName: mariadb-operator-webhook-ca - - name: cert - secret: - defaultMode: 420 - secretName: mariadb-operator-webhook-cert ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/cert-controller/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: mariadb-operator-cert-controller - labels: - - helm.sh/chart: mariadb-operator-25.10.2 - app.kubernetes.io/name: mariadb-operator-cert-controller - app.kubernetes.io/instance: mariadb-operator - app.kubernetes.io/version: "25.10.2" - app.kubernetes.io/managed-by: Helm - -spec: - selector: - matchLabels: - - app.kubernetes.io/name: mariadb-operator-cert-controller - app.kubernetes.io/instance: mariadb-operator - namespaceSelector: - matchNames: - - "mariadb-operator" - endpoints: - - port: metrics - interval: 30s - scrapeTimeout: 25s ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/operator/metrics-servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: mariadb-operator - labels: - - helm.sh/chart: mariadb-operator-25.10.2 - app.kubernetes.io/name: mariadb-operator - app.kubernetes.io/instance: mariadb-operator - app.kubernetes.io/version: "25.10.2" - app.kubernetes.io/managed-by: Helm - -spec: - selector: - matchLabels: - - app.kubernetes.io/name: mariadb-operator - app.kubernetes.io/instance: mariadb-operator - namespaceSelector: - matchNames: - - "mariadb-operator" - endpoints: - - port: metrics - interval: 30s - scrapeTimeout: 25s ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/webhook/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: mariadb-operator-webhook - labels: - - helm.sh/chart: 
mariadb-operator-25.10.2 - app.kubernetes.io/name: mariadb-operator-webhook - app.kubernetes.io/instance: mariadb-operator - app.kubernetes.io/version: "25.10.2" - app.kubernetes.io/managed-by: Helm - -spec: - selector: - matchLabels: - - app.kubernetes.io/name: mariadb-operator-webhook - app.kubernetes.io/instance: mariadb-operator - namespaceSelector: - matchNames: - - "mariadb-operator" - endpoints: - - port: metrics - interval: 30s - scrapeTimeout: 25s ---- -# Source: mariadb-operator/charts/mariadb-operator/templates/webhook/config.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: mariadb-operator-webhook - labels: - helm.sh/chart: mariadb-operator-25.10.2 - app.kubernetes.io/name: mariadb-operator-webhook - app.kubernetes.io/instance: mariadb-operator - app.kubernetes.io/version: "25.10.2" - app.kubernetes.io/managed-by: Helm - annotations: - k8s.mariadb.com/webhook: "" -webhooks: - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: mariadb-operator-webhook - namespace: mariadb-operator - path: /validate-k8s-mariadb-com-v1alpha1-backup - failurePolicy: Fail - name: vbackup-v1alpha1.kb.io - rules: - - apiGroups: - - k8s.mariadb.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - backups - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: mariadb-operator-webhook - namespace: mariadb-operator - path: /validate-k8s-mariadb-com-v1alpha1-physicalbackup - failurePolicy: Fail - name: vphysicalbackup-v1alpha1.kb.io - rules: - - apiGroups: - - k8s.mariadb.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - physicalbackups - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: mariadb-operator-webhook - namespace: mariadb-operator - path: /validate-k8s-mariadb-com-v1alpha1-connection - failurePolicy: Fail - name: vconnection-v1alpha1.kb.io - rules: - - 
apiGroups: - - k8s.mariadb.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - connections - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: mariadb-operator-webhook - namespace: mariadb-operator - path: /validate-k8s-mariadb-com-v1alpha1-database - failurePolicy: Fail - name: vdatabase-v1alpha1.kb.io - rules: - - apiGroups: - - k8s.mariadb.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - databases - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: mariadb-operator-webhook - namespace: mariadb-operator - path: /validate-k8s-mariadb-com-v1alpha1-grant - failurePolicy: Fail - name: vgrant-v1alpha1.kb.io - rules: - - apiGroups: - - k8s.mariadb.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - grants - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: mariadb-operator-webhook - namespace: mariadb-operator - path: /validate-k8s-mariadb-com-v1alpha1-mariadb - failurePolicy: Fail - name: vmariadb-v1alpha1.kb.io - rules: - - apiGroups: - - k8s.mariadb.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - mariadbs - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: mariadb-operator-webhook - namespace: mariadb-operator - path: /validate-k8s-mariadb-com-v1alpha1-maxscale - failurePolicy: Fail - name: vmaxscale-v1alpha1.kb.io - rules: - - apiGroups: - - k8s.mariadb.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - maxscales - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: mariadb-operator-webhook - namespace: mariadb-operator - path: /validate-k8s-mariadb-com-v1alpha1-restore - failurePolicy: Fail - name: vrestore-v1alpha1.kb.io - rules: - - apiGroups: - - k8s.mariadb.com - apiVersions: - - v1alpha1 - 
operations: - - CREATE - - UPDATE - resources: - - restores - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: mariadb-operator-webhook - namespace: mariadb-operator - path: /validate-k8s-mariadb-com-v1alpha1-sqljob - failurePolicy: Fail - name: vsqljob-v1alpha1.kb.io - rules: - - apiGroups: - - k8s.mariadb.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - sqljobs - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: mariadb-operator-webhook - namespace: mariadb-operator - path: /validate-k8s-mariadb-com-v1alpha1-user - failurePolicy: Fail - name: vuser-v1alpha1.kb.io - rules: - - apiGroups: - - k8s.mariadb.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None diff --git a/clusters/cl01tl/manifests/matrix-synapse/matrix-synapse.yaml b/clusters/cl01tl/manifests/matrix-synapse/matrix-synapse.yaml deleted file mode 100644 index 4a14a5ec9..000000000 --- a/clusters/cl01tl/manifests/matrix-synapse/matrix-synapse.yaml +++ /dev/null 
@@ -1,1996 +0,0 @@ ---- -# Source: matrix-synapse/charts/matrix-synapse/templates/secrets.yaml -apiVersion: v1 -kind: Secret -metadata: - name: matrix-synapse - labels: - helm.sh/chart: matrix-synapse-3.12.16 - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/version: "1.143.0" - app.kubernetes.io/managed-by: Helm -stringData: - config.yaml: | - ## Registration ## - - registration_shared_secret: "v6Ki4TFJuWXfXRJk480nMb7T" - - ## API Configuration ## - - ## Database configuration ## - - database: - name: "psycopg2" - args: - user: "app" - password: "@@POSTGRES_PASSWORD@@" - database: "app" - host: "matrix-synapse-postgresql-17-cluster-rw" - port: 5432 - sslmode: "prefer" - cp_min: 5 - cp_max: 10 - - - ## Redis configuration ## - - redis: - enabled: true - host: "redis-replication-matrix-synapse-master" - port: 6379 - password: "@@REDIS_PASSWORD@@" ---- -# Source: matrix-synapse/charts/matrix-synapse/templates/configuration.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: matrix-synapse - labels: - helm.sh/chart: matrix-synapse-3.12.16 - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/version: "1.143.0" - app.kubernetes.io/managed-by: Helm -data: - log.yaml: | - version: 1 - formatters: - precise: - format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' - filters: - context: - (): synapse.util.logcontext.LoggingContextFilter - request: "" - handlers: - console: - class: logging.StreamHandler - formatter: precise - filters: [context] - level: INFO - loggers: - synapse: - level: INFO - root: - level: INFO - handlers: [console] - homeserver.yaml: | - # NOTE: - # Secrets are stored in separate configs to better fit K8s concepts - - ## Server ## - - server_name: "alexlebens.dev" - public_baseurl: "https://matrix.alexlebens.dev" - pid_file: /homeserver.pid - web_client: False - soft_file_limit: 0 - log_config: 
"/synapse/config/log.yaml" - report_stats: false - - instance_map: - main: - host: matrix-synapse-replication - port: 9093 - - ## Ports ## - - listeners: - - port: 8008 - tls: false - bind_addresses: ["::"] - type: http - x_forwarded: true - - resources: - - names: - - client - - federation - compress: false - - - port: 9090 - tls: false - bind_addresses: ["::"] - type: http - - resources: - - names: [metrics] - compress: false - - - port: 9093 - tls: false - bind_addresses: ["::"] - type: http - - resources: - - names: [replication] - compress: false - - ## Files ## - - media_store_path: "/synapse/data/media" - uploads_path: "/synapse/data/uploads" - - ## Registration ## - - enable_registration: true - - ## Metrics ### - - enable_metrics: true - - ## Signing Keys ## - - signing_key_path: "/synapse/keys/signing.key" - - # The trusted servers to download signing keys from. - trusted_key_servers: - [] - - ## Workers ## - - ## Extra config ## - - enable_metrics: true - enable_registration_without_verification: true - password_config: - enabled: false - sso: - client_whitelist: - - https://chat.alexlebens.dev/ - update_profile_information: true ---- -# Source: matrix-synapse/charts/matrix-synapse/templates/well-known-config.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: matrix-synapse-wellknown-lighttpd - labels: - helm.sh/chart: matrix-synapse-3.12.16 - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/version: "1.143.0" - app.kubernetes.io/managed-by: Helm - component: well-known -data: - lighttpd.conf: | - server.port = 8080 - - server.modules = ( - "mod_rewrite", - "mod_status", - "mod_accesslog", - "mod_extforward", - "mod_setenv" - ) - include "conf.d/00-mime-types.conf" - server.username = "lighttpd" - server.groupname = "lighttpd" - server.document-root = "/var/www/localhost/htdocs" - server.pid-file = "/run/lighttpd.pid" - url.rewrite-once = ( - "^/\.well-known/matrix/client" => "/client.json", - 
"^/\.well-known/matrix/server" => "/server.json" - ) - status.status-url = "/server-status" - extforward.forwarder = ( "all" => "trust") - setenv.add-response-header = ( - "access-control-allow-headers" => "Origin, X-Requested-With, Content-Type, Accept, Authorization", - "access-control-allow-methods" => "GET, POST, PUT, DELETE, OPTIONS", - "access-control-allow-origin" => "*" - ) - setenv.set-response-header = ( - "content-type" => "application/json" - ) - server.json: |- - - {"m.server":"matrix.alexlebens.dev:443"} - client.json: |- - - {"m.homeserver":{"base_url":"https://matrix.alexlebens.dev"}} ---- -# Source: matrix-synapse/charts/matrix-synapse/templates/pvc.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: matrix-synapse - labels: - helm.sh/chart: matrix-synapse-3.12.16 - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/version: "1.143.0" - app.kubernetes.io/managed-by: Helm -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "10Gi" - storageClassName: "ceph-block" ---- -# Source: matrix-synapse/charts/matrix-hookshot/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: matrix-hookshot - labels: - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/service: matrix-hookshot - helm.sh/chart: matrix-hookshot-4.4.0 - namespace: matrix-synapse -spec: - type: ClusterIP - ports: - - port: 9002 - targetPort: 9002 - protocol: TCP - name: appservice - - port: 9993 - targetPort: 9993 - protocol: TCP - name: homeserver - - port: 9001 - targetPort: 9001 - protocol: TCP - name: metrics - - port: 9000 - targetPort: 9000 - protocol: TCP - name: webhook - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/name: matrix-synapse ---- -# Source: matrix-synapse/charts/matrix-synapse/templates/service.yaml 
-apiVersion: v1 -kind: Service -metadata: - name: matrix-synapse - labels: - helm.sh/chart: matrix-synapse-3.12.16 - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/version: "1.143.0" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 8008 - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/component: synapse - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse ---- -# Source: matrix-synapse/charts/matrix-synapse/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: matrix-synapse-replication - labels: - helm.sh/chart: matrix-synapse-3.12.16 - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/version: "1.143.0" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 9093 - targetPort: replication - protocol: TCP - name: replication - selector: - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/component: synapse ---- -# Source: matrix-synapse/charts/matrix-synapse/templates/well-known.yaml -apiVersion: v1 -kind: Service -metadata: - name: matrix-synapse-wellknown-lighttpd - labels: - helm.sh/chart: matrix-synapse-3.12.16 - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/version: "1.143.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: well-known -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/component: well-known ---- -# Source: matrix-synapse/charts/cloudflared-hookshot/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: matrix-synapse-cloudflared-hookshot - labels: - app.kubernetes.io/controller: main - 
app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cloudflared-hookshot - app.kubernetes.io/version: 2025.10.0 - helm.sh/chart: cloudflared-hookshot-1.23.1 - namespace: matrix-synapse -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: cloudflared-hookshot - app.kubernetes.io/instance: matrix-synapse - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/name: cloudflared-hookshot - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - tunnel - - --protocol - - http2 - - --no-autoupdate - - run - - --token - - $(CF_MANAGED_TUNNEL_TOKEN) - env: - - name: CF_MANAGED_TUNNEL_TOKEN - valueFrom: - secretKeyRef: - key: cf-tunnel-token - name: matrix-synapse-cloudflared-hookshot-secret - image: cloudflare/cloudflared:2025.11.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: matrix-synapse/charts/cloudflared-synapse/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: matrix-synapse-cloudflared-synapse - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cloudflared-synapse - app.kubernetes.io/version: 2025.10.0 - helm.sh/chart: cloudflared-synapse-1.23.1 - namespace: matrix-synapse -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: cloudflared-synapse - app.kubernetes.io/instance: matrix-synapse - template: - metadata: - labels: - app.kubernetes.io/controller: main - 
app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/name: cloudflared-synapse - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - tunnel - - --protocol - - http2 - - --no-autoupdate - - run - - --token - - $(CF_MANAGED_TUNNEL_TOKEN) - env: - - name: CF_MANAGED_TUNNEL_TOKEN - valueFrom: - secretKeyRef: - key: cf-tunnel-token - name: matrix-synapse-cloudflared-synapse-secret - image: cloudflare/cloudflared:2025.11.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: matrix-synapse/charts/matrix-hookshot/templates/common.yaml ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: matrix-hookshot - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: matrix-synapse - helm.sh/chart: matrix-hookshot-4.4.0 - namespace: matrix-synapse -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/name: matrix-synapse - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - image: halfshot/matrix-hookshot:7.2.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /data/config.yml - mountPropagation: None - name: config - readOnly: true - subPath: config.yml - - mountPath: /data/passkey.pem - mountPropagation: None - name: passkey 
- readOnly: true - subPath: passkey.pem - - mountPath: /data/registration.yml - mountPropagation: None - name: registration - readOnly: true - subPath: registration.yml - volumes: - - name: config - secret: - secretName: matrix-hookshot-config-secret - - name: passkey - secret: - secretName: matrix-hookshot-config-secret - - name: registration - secret: - secretName: matrix-hookshot-config-secret ---- -# Source: matrix-synapse/charts/matrix-synapse/templates/deployment.yaml -# Server: alexlebens.dev -apiVersion: apps/v1 -kind: Deployment -metadata: - name: matrix-synapse - labels: - helm.sh/chart: matrix-synapse-3.12.16 - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/version: "1.143.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: synapse -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/component: synapse - template: - metadata: - annotations: - checksum/config: e77b3b25301ed2f4b5eac2f16ed5d058374ed1ffcd7e9ca4d8eef44867647feb - checksum/secrets: f82dccf76485881a9f8814ed951122a4c79c655e8d5f558fc1159872b3aa9cfe - labels: - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/component: synapse - spec: - serviceAccountName: default - - securityContext: - {} - initContainers: - - name: volume-permissions - command: - - sh - - -c - - | - chown 666:666 -R /synapse/data - image: "alpine:latest" - imagePullPolicy: Always - resources: - {} - securityContext: - runAsNonRoot: false - runAsUser: 0 - volumeMounts: - - name: media - mountPath: /synapse/data - containers: - - name: synapse - command: - - sh - - -c - - | - export POSTGRES_PASSWORD=$(echo "${POSTGRES_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \ - export REDIS_PASSWORD=$(echo "${REDIS_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \ 
- cat /synapse/secrets/*.yaml | \ - sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \ - -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \ - > /synapse/config/conf.d/secrets.yaml - - exec python -B -m synapse.app.homeserver \ - -c /synapse/config/homeserver.yaml \ - -c /synapse/config/conf.d/ - env: - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: matrix-synapse-postgresql-17-cluster-app - key: password - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: matrix-synapse-redis-secret - key: password - image: "ghcr.io/element-hq/synapse:v1.143.0" - imagePullPolicy: IfNotPresent - securityContext: - {} - ports: - - name: http - containerPort: 8008 - protocol: TCP - - name: replication - containerPort: 9093 - protocol: TCP - - name: metrics - containerPort: 9090 - protocol: TCP - livenessProbe: - httpGet: - path: /health - port: http - readinessProbe: - httpGet: - path: /health - port: http - startupProbe: - failureThreshold: 12 - httpGet: - path: /health - port: http - volumeMounts: - - name: config - mountPath: /synapse/config - - name: tmpconf - mountPath: /synapse/config/conf.d - - name: secrets - mountPath: /synapse/secrets - - name: signingkey - mountPath: /synapse/keys - - name: media - mountPath: /synapse/data - - name: tmpdir - mountPath: /tmp - - mountPath: /synapse/config/conf.d/oidc.yaml - name: matrix-synapse-config-secret - readOnly: true - subPath: oidc.yaml - - mountPath: /synapse/config/conf.d/config.yaml - name: matrix-synapse-config-secret - readOnly: true - subPath: config.yaml - - mountPath: /synapse/config/conf.d/hookshot-registration.yaml - name: matrix-hookshot-config-secret - readOnly: true - subPath: hookshot-registration.yaml - - mountPath: /synapse/config/conf.d/double-puppet-registration.yaml - name: double-puppet-registration-secret - readOnly: true - subPath: double-puppet-registration.yaml - resources: - requests: - cpu: 10m - memory: 128Mi - volumes: - - name: config - configMap: - name: matrix-synapse - 
- name: secrets - secret: - secretName: matrix-synapse - - name: signingkey - secret: - secretName: "matrix-synapse-signingkey" - items: - - key: "signing.key" - path: signing.key - - name: tmpconf - emptyDir: {} - - name: tmpdir - emptyDir: {} - - name: media - persistentVolumeClaim: - claimName: matrix-synapse - - name: matrix-synapse-config-secret - secret: - secretName: matrix-synapse-config-secret - - name: matrix-hookshot-config-secret - secret: - secretName: matrix-hookshot-config-secret - - name: double-puppet-registration-secret - secret: - secretName: double-puppet-registration-secret ---- -# Source: matrix-synapse/charts/matrix-synapse/templates/well-known.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: matrix-synapse-wellknown-lighttpd - labels: - helm.sh/chart: matrix-synapse-3.12.16 - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/version: "1.143.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: well-known -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/component: well-known - template: - metadata: - annotations: - checksum/config: 12a2f127585ae5d777c577a32e69a1fffb3d4ec75253d8d1ef7f618cf852f322 - labels: - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/component: well-known - spec: - - securityContext: - {} - containers: - - name: lighttpd - image: "ghcr.io/rtsp/docker-lighttpd:latest" - imagePullPolicy: Always - securityContext: - {} - ports: - - containerPort: 8080 - name: http - protocol: TCP - readinessProbe: - tcpSocket: - port: http - livenessProbe: - httpGet: - path: /server-status - port: http - volumeMounts: - - mountPath: /etc/lighttpd/lighttpd.conf - name: files - subPath: lighttpd.conf - - mountPath: /var/www/localhost/htdocs/client.json - name: files - subPath: client.json - - 
mountPath: /var/www/localhost/htdocs/server.json - name: files - subPath: server.json - - mountPath: /run - name: run - resources: - {} - volumes: - - name: files - configMap: - name: matrix-synapse-wellknown-lighttpd - - name: run - emptyDir: {} ---- -# Source: matrix-synapse/charts/matrix-synapse/templates/signing-key-job.yaml -# Create secret if signing key job is enabled, or if we're running in ArgoCD and we don't have an existing secret ---- -# Source: matrix-synapse/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: matrix-synapse-postgresql-17-cluster - namespace: matrix-synapse - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: matrix-synapse-postgresql-17 - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "matrix-synapse-postgresql-17-external-backup" - serverName: "matrix-synapse-postgresql-17-backup-2" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "matrix-synapse-postgresql-17-garage-local-backup" - serverName: "matrix-synapse-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "matrix-synapse-postgresql-17-recovery" - serverName: matrix-synapse-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 200m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - 
topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: matrix-synapse-postgresql-17-backup-1 - - externalClusters: - - name: matrix-synapse-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "matrix-synapse-postgresql-17-recovery" - serverName: matrix-synapse-postgresql-17-backup-1 ---- -# Source: matrix-synapse/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: matrix-synapse-config-secret - namespace: matrix-synapse - labels: - app.kubernetes.io/name: matrix-synapse-config-secret - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: oidc.yaml - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/matrix-synapse/config - metadataPolicy: None - property: oidc.yaml - - secretKey: config.yaml - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/matrix-synapse/config - metadataPolicy: None - property: config.yaml ---- -# Source: matrix-synapse/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: matrix-synapse-signingkey - namespace: matrix-synapse - labels: - app.kubernetes.io/name: matrix-synapse-signingkey - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: signing.key - remoteRef: - 
conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/matrix-synapse/config - metadataPolicy: None - property: signing-key ---- -# Source: matrix-synapse/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: matrix-hookshot-config-secret - namespace: matrix-synapse - labels: - app.kubernetes.io/name: matrix-hookshot-config-secret - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: config.yml - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/matrix-synapse/hookshot - metadataPolicy: None - property: config - - secretKey: registration.yml - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/matrix-synapse/hookshot - metadataPolicy: None - property: registration - - secretKey: hookshot-registration.yaml - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/matrix-synapse/hookshot - metadataPolicy: None - property: registration - - secretKey: passkey.pem - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/matrix-synapse/hookshot - metadataPolicy: None - property: passkey - -# --- -# apiVersion: external-secrets.io/v1 -# kind: ExternalSecret -# metadata: -# name: mautrix-discord-config-secret -# namespace: matrix-synapse - # labels: - # app.kubernetes.io/name: matrix-synapse - # app.kubernetes.io/instance: matrix-synapse -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: vault -# data: -# - secretKey: config.yaml -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/matrix-synapse/mautrix-discord -# metadataPolicy: None -# property: config -# - secretKey: mautrix-discord-registration.yaml -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/matrix-synapse/mautrix-discord -# 
metadataPolicy: None -# property: registration - -# --- -# apiVersion: external-secrets.io/v1 -# kind: ExternalSecret -# metadata: -# name: mautrix-whatsapp-config-secret -# namespace: matrix-synapse - # labels: - # app.kubernetes.io/name: matrix-synapse - # app.kubernetes.io/instance: matrix-synapse -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: vault -# data: -# - secretKey: config.yaml -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/matrix-synapse/mautrix-whatsapp -# metadataPolicy: None -# property: config -# - secretKey: mautrix-whatsapp-registration.yaml -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/matrix-synapse/mautrix-whatsapp -# metadataPolicy: None -# property: registration ---- -# Source: matrix-synapse/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: double-puppet-registration-secret - namespace: matrix-synapse - labels: - app.kubernetes.io/name: double-puppet-registration-secret - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: double-puppet-registration.yaml - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/matrix-synapse/double-puppet - metadataPolicy: None - property: registration ---- -# Source: matrix-synapse/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: matrix-synapse-redis-secret - namespace: matrix-synapse - labels: - app.kubernetes.io/name: matrix-synapse-redis-secret - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: password - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/matrix-synapse/redis - 
metadataPolicy: None - property: password ---- -# Source: matrix-synapse/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: matrix-synapse-cloudflared-synapse-secret - namespace: matrix-synapse - labels: - app.kubernetes.io/name: matrix-synapse-cloudflared-synapse-secret - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: cf-tunnel-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/tunnels/matrix-synapse - metadataPolicy: None - property: token ---- -# Source: matrix-synapse/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: matrix-synapse-cloudflared-hookshot-secret - namespace: matrix-synapse - labels: - app.kubernetes.io/name: matrix-synapse-cloudflared-hookshot-secret - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: cf-tunnel-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/tunnels/matrix-hookshot - metadataPolicy: None - property: token ---- -# Source: matrix-synapse/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: matrix-synapse-backup-secret - namespace: matrix-synapse - labels: - app.kubernetes.io/name: matrix-synapse-backup-secret - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/matrix-synapse/matrix-synapse" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: 
/cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key - -# --- -# apiVersion: external-secrets.io/v1 -# kind: ExternalSecret -# metadata: -# name: mautrix-discord-data-backup-secret -# namespace: matrix-synapse - # labels: - # app.kubernetes.io/name: matrix-synapse - # app.kubernetes.io/instance: matrix-synapse -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: vault -# target: -# template: -# mergePolicy: Merge -# engineVersion: v2 -# data: -# RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/matrix-synapse/mautrix-discord-data" -# data: -# - secretKey: BUCKET_ENDPOINT -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/volsync/restic/config -# metadataPolicy: None -# property: S3_BUCKET_ENDPOINT -# - secretKey: RESTIC_PASSWORD -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/volsync/restic/config -# metadataPolicy: None -# property: RESTIC_PASSWORD -# - secretKey: AWS_DEFAULT_REGION -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/volsync/restic/config -# metadataPolicy: None -# property: AWS_DEFAULT_REGION -# - secretKey: AWS_ACCESS_KEY_ID -# remoteRef: -# 
conversionStrategy: Default -# decodingStrategy: None -# key: /digital-ocean/home-infra/volsync-backups -# metadataPolicy: None -# property: access_key -# - secretKey: AWS_SECRET_ACCESS_KEY -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /digital-ocean/home-infra/volsync-backups -# metadataPolicy: None -# property: secret_key - -# --- -# apiVersion: external-secrets.io/v1 -# kind: ExternalSecret -# metadata: -# name: mautrix-whatsapp-data-backup-secret -# namespace: matrix-synapse - # labels: - # app.kubernetes.io/name: matrix-synapse - # app.kubernetes.io/instance: matrix-synapse -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: vault -# target: -# template: -# mergePolicy: Merge -# engineVersion: v2 -# data: -# RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/matrix-synapse/mautrix-whatsapp-data" -# data: -# - secretKey: BUCKET_ENDPOINT -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/volsync/restic/config -# metadataPolicy: None -# property: S3_BUCKET_ENDPOINT -# - secretKey: RESTIC_PASSWORD -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/volsync/restic/config -# metadataPolicy: None -# property: RESTIC_PASSWORD -# - secretKey: AWS_DEFAULT_REGION -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/volsync/restic/config -# metadataPolicy: None -# property: AWS_DEFAULT_REGION -# - secretKey: AWS_ACCESS_KEY_ID -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /digital-ocean/home-infra/volsync-backups -# metadataPolicy: None -# property: access_key -# - secretKey: AWS_SECRET_ACCESS_KEY -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /digital-ocean/home-infra/volsync-backups -# metadataPolicy: None -# property: secret_key ---- -# Source: matrix-synapse/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: 
matrix-synapse-postgresql-17-cluster-backup-secret - namespace: matrix-synapse - labels: - app.kubernetes.io/name: matrix-synapse-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: matrix-synapse/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: matrix-synapse-postgresql-17-cluster-backup-secret-garage - namespace: matrix-synapse - labels: - app.kubernetes.io/name: matrix-synapse-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: matrix-synapse/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "matrix-synapse-postgresql-17-external-backup" - namespace: 
matrix-synapse - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: matrix-synapse-postgresql-17 - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/matrix-synapse/matrix-synapse-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: matrix-synapse-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: matrix-synapse-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: matrix-synapse/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "matrix-synapse-postgresql-17-garage-local-backup" - namespace: matrix-synapse - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: matrix-synapse-postgresql-17 - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/matrix-synapse/matrix-synapse-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: matrix-synapse-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: matrix-synapse-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: matrix-synapse-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: matrix-synapse/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "matrix-synapse-postgresql-17-recovery" - namespace: matrix-synapse - labels: - 
helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: matrix-synapse-postgresql-17 - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/matrix-synapse/matrix-synapse-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: matrix-synapse-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: matrix-synapse-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: matrix-synapse/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: matrix-synapse-postgresql-17-alert-rules - namespace: matrix-synapse - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: matrix-synapse-postgresql-17 - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/matrix-synapse-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: matrix-synapse - cnpg_cluster: matrix-synapse-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. 
- description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: matrix-synapse - cnpg_cluster: matrix-synapse-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="matrix-synapse"} - cnpg_pg_replication_is_wal_receiver_up{namespace="matrix-synapse"}) < 1 - for: 5m - labels: - severity: critical - namespace: matrix-synapse - cnpg_cluster: matrix-synapse-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. 
- - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="matrix-synapse"} - cnpg_pg_replication_is_wal_receiver_up{namespace="matrix-synapse"}) < 2 - for: 5m - labels: - severity: warning - namespace: matrix-synapse - cnpg_cluster: matrix-synapse-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: matrix-synapse - cnpg_cluster: matrix-synapse-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: matrix-synapse - cnpg_cluster: matrix-synapse-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="matrix-synapse",pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: matrix-synapse - cnpg_cluster: matrix-synapse-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: matrix-synapse - cnpg_cluster: matrix-synapse-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: matrix-synapse - cnpg_cluster: matrix-synapse-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: matrix-synapse - cnpg_cluster: matrix-synapse-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="matrix-synapse", persistentvolumeclaim=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: matrix-synapse - cnpg_cluster: matrix-synapse-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="matrix-synapse",pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: matrix-synapse - cnpg_cluster: matrix-synapse-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: matrix-synapse - cnpg_cluster: matrix-synapse-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: matrix-synapse - cnpg_cluster: matrix-synapse-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: matrix-synapse - cnpg_cluster: matrix-synapse-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "matrix-synapse/matrix-synapse-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="matrix-synapse", pod=~"matrix-synapse-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: matrix-synapse - cnpg_cluster: matrix-synapse-postgresql-17-cluster ---- -# Source: matrix-synapse/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-matrix-synapse - namespace: matrix-synapse - labels: - app.kubernetes.io/name: redis-replication-matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.0.3 - imagePullPolicy: IfNotPresent - redisSecret: - name: matrix-synapse-redis-secret - key: password - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi - redisExporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.48.0 ---- -# Source: matrix-synapse/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-hookshot - namespace: matrix-synapse - labels: - app.kubernetes.io/name: redis-replication-hookshot - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.0.3 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - 
volumeClaimTemplate: - spec: - storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi - redisExporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.48.0 ---- -# Source: matrix-synapse/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: matrix-synapse-backup-source - namespace: matrix-synapse - labels: - app.kubernetes.io/name: matrix-synapse-backup-source - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - sourcePVC: matrix-synapse - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: matrix-synapse-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot - -# --- -# apiVersion: volsync.backube/v1alpha1 -# kind: ReplicationSource -# metadata: -# name: mautrix-discord-data-backup-source -# namespace: matrix-synapse -# labels: -# app.kubernetes.io/name: mautrix-discord-data-backup-source -# app.kubernetes.io/instance: matrix-synapse -# app.kubernetes.io/part-of: matrix-synapse -# spec: -# sourcePVC: mautrix-discord-data -# trigger: -# schedule: 0 4 * * * -# restic: -# pruneIntervalDays: 7 -# repository: mautrix-discord-data-backup-secret -# retain: -# hourly: 1 -# daily: 3 -# weekly: 2 -# monthly: 2 -# yearly: 4 -# moverSecurityContext: -# runAsUser: 1337 -# runAsGroup: 1337 -# copyMethod: Snapshot -# storageClassName: ceph-block -# volumeSnapshotClassName: ceph-blockpool-snapshot - -# --- -# apiVersion: volsync.backube/v1alpha1 -# kind: ReplicationSource -# metadata: -# name: mautrix-whatsapp-data-backup-source -# namespace: matrix-synapse -# labels: -# app.kubernetes.io/name: mautrix-whatsapp-data-backup-source -# app.kubernetes.io/instance: matrix-synapse -# app.kubernetes.io/part-of: matrix-synapse -# spec: -# sourcePVC: 
mautrix-whatsapp-data -# trigger: -# schedule: 0 4 * * * -# restic: -# pruneIntervalDays: 7 -# repository: mautrix-whatsapp-data-backup-secret -# retain: -# hourly: 1 -# daily: 3 -# weekly: 2 -# monthly: 2 -# yearly: 4 -# moverSecurityContext: -# runAsUser: 1337 -# runAsGroup: 1337 -# copyMethod: Snapshot -# storageClassName: ceph-block -# volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: matrix-synapse/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "matrix-synapse-postgresql-17-daily-backup-scheduled-backup" - namespace: matrix-synapse - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: matrix-synapse-postgresql-17 - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: matrix-synapse-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "matrix-synapse-postgresql-17-external-backup" ---- -# Source: matrix-synapse/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "matrix-synapse-postgresql-17-live-backup-scheduled-backup" - namespace: matrix-synapse - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: matrix-synapse-postgresql-17 - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: matrix-synapse-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - 
parameters: - barmanObjectName: "matrix-synapse-postgresql-17-garage-local-backup" ---- -# Source: matrix-synapse/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: matrix-synapse - namespace: matrix-synapse - labels: - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - selector: - matchLabels: - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse - endpoints: - - targetPort: 9090 - interval: 3m - scrapeTimeout: 1m - path: /_synapse/metrics ---- -# Source: matrix-synapse/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: matrix-hookshot - namespace: matrix-synapse - labels: - app.kubernetes.io/name: matrix-hookshot - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - selector: - matchLabels: - app.kubernetes.io/name: matrix-hookshot - app.kubernetes.io/instance: matrix-synapse - endpoints: - - targetPort: 9001 - interval: 3m - scrapeTimeout: 1m - path: /metrics ---- -# Source: matrix-synapse/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: redis-replication-matrix-synapse - namespace: matrix-synapse - labels: - app.kubernetes.io/name: redis-replication-matrix-synapse - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse - redis-operator: "true" - env: production -spec: - selector: - matchLabels: - redis_setup_type: replication - endpoints: - - port: redis-exporter - interval: 30s - scrapeTimeout: 10s ---- -# Source: matrix-synapse/charts/matrix-synapse/templates/tests/test-connection.yaml -apiVersion: v1 -kind: Pod -metadata: - name: "matrix-synapse-test-connection" - labels: - helm.sh/chart: matrix-synapse-3.12.16 - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: 
matrix-synapse - app.kubernetes.io/version: "1.143.0" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": test-success -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['matrix-synapse:8008/_matrix/client/versions'] - restartPolicy: Never
diff --git a/clusters/cl01tl/manifests/metrics-server/metrics-server.yaml b/clusters/cl01tl/manifests/metrics-server/metrics-server.yaml
deleted file mode 100644
index b02412872..000000000
--- a/clusters/cl01tl/manifests/metrics-server/metrics-server.yaml
+++ /dev/null
@@ -1,285 +0,0 @@ ---- -# Source: metrics-server/charts/metrics-server/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: metrics-server - namespace: kube-system - labels: - helm.sh/chart: metrics-server-3.13.0 - app.kubernetes.io/name: metrics-server - app.kubernetes.io/instance: metrics-server - app.kubernetes.io/version: "0.8.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: metrics-server/charts/metrics-server/templates/clusterrole-aggregated-reader.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:metrics-server-aggregated-reader - labels: - helm.sh/chart: metrics-server-3.13.0 - app.kubernetes.io/name: metrics-server - app.kubernetes.io/instance: metrics-server - app.kubernetes.io/version: "0.8.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-view: "true" -rules: - - apiGroups: - - metrics.k8s.io - resources: - - pods - - nodes - verbs: - - get - - list - - watch ---- -# Source: metrics-server/charts/metrics-server/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:metrics-server - labels: - helm.sh/chart: metrics-server-3.13.0 - app.kubernetes.io/name: metrics-server - app.kubernetes.io/instance: metrics-server - app.kubernetes.io/version: "0.8.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - nodes/metrics - verbs: - - get - - apiGroups: - - "" - resources: - - pods - - nodes - - namespaces - - configmaps - verbs: - - get - - list - - watch ---- -# Source: metrics-server/charts/metrics-server/templates/clusterrolebinding-auth-delegator.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: metrics-server:system:auth-delegator - labels: - helm.sh/chart: metrics-server-3.13.0 - app.kubernetes.io/name: 
metrics-server - app.kubernetes.io/instance: metrics-server - app.kubernetes.io/version: "0.8.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: - - kind: ServiceAccount - name: metrics-server - namespace: kube-system ---- -# Source: metrics-server/charts/metrics-server/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:metrics-server - labels: - helm.sh/chart: metrics-server-3.13.0 - app.kubernetes.io/name: metrics-server - app.kubernetes.io/instance: metrics-server - app.kubernetes.io/version: "0.8.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:metrics-server -subjects: - - kind: ServiceAccount - name: metrics-server - namespace: kube-system ---- -# Source: metrics-server/charts/metrics-server/templates/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: metrics-server-auth-reader - namespace: kube-system - labels: - helm.sh/chart: metrics-server-3.13.0 - app.kubernetes.io/name: metrics-server - app.kubernetes.io/instance: metrics-server - app.kubernetes.io/version: "0.8.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: - - kind: ServiceAccount - name: metrics-server - namespace: kube-system ---- -# Source: metrics-server/charts/metrics-server/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: metrics-server - namespace: kube-system - labels: - helm.sh/chart: metrics-server-3.13.0 - app.kubernetes.io/name: metrics-server - app.kubernetes.io/instance: metrics-server - app.kubernetes.io/version: "0.8.0" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - name: https - port: 443 - protocol: TCP - targetPort: https - 
appProtocol: https - selector: - app.kubernetes.io/name: metrics-server - app.kubernetes.io/instance: metrics-server ---- -# Source: metrics-server/charts/metrics-server/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: metrics-server - namespace: kube-system - labels: - helm.sh/chart: metrics-server-3.13.0 - app.kubernetes.io/name: metrics-server - app.kubernetes.io/instance: metrics-server - app.kubernetes.io/version: "0.8.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 3 - selector: - matchLabels: - app.kubernetes.io/name: metrics-server - app.kubernetes.io/instance: metrics-server - template: - metadata: - labels: - app.kubernetes.io/name: metrics-server - app.kubernetes.io/instance: metrics-server - spec: - serviceAccountName: metrics-server - priorityClassName: "system-cluster-critical" - containers: - - name: metrics-server - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - image: registry.k8s.io/metrics-server/metrics-server:v0.8.0 - imagePullPolicy: IfNotPresent - args: - - --secure-port=10250 - - --cert-dir=/tmp - - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - - --kubelet-use-node-status-port - - --metric-resolution=15s - - --kubelet-insecure-tls - - --authorization-always-allow-paths=/metrics - ports: - - name: https - protocol: TCP - containerPort: 10250 - livenessProbe: - failureThreshold: 3 - httpGet: - path: /livez - port: https - scheme: HTTPS - initialDelaySeconds: 0 - periodSeconds: 10 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /readyz - port: https - scheme: HTTPS - initialDelaySeconds: 20 - periodSeconds: 10 - volumeMounts: - - name: tmp - mountPath: /tmp - resources: - requests: - cpu: 100m - memory: 200Mi - volumes: - - name: tmp - emptyDir: {} ---- -# Source: 
metrics-server/charts/metrics-server/templates/apiservice.yaml -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1beta1.metrics.k8s.io - labels: - helm.sh/chart: metrics-server-3.13.0 - app.kubernetes.io/name: metrics-server - app.kubernetes.io/instance: metrics-server - app.kubernetes.io/version: "0.8.0" - app.kubernetes.io/managed-by: Helm - annotations: -spec: - group: metrics.k8s.io - groupPriorityMinimum: 100 - insecureSkipTLSVerify: true - service: - name: metrics-server - namespace: kube-system - port: 443 - version: v1beta1 - versionPriority: 100 ---- -# Source: metrics-server/charts/metrics-server/templates/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: metrics-server - namespace: kube-system - labels: - helm.sh/chart: metrics-server-3.13.0 - app.kubernetes.io/name: metrics-server - app.kubernetes.io/instance: metrics-server - app.kubernetes.io/version: "0.8.0" - app.kubernetes.io/managed-by: Helm -spec: - jobLabel: app.kubernetes.io/instance - namespaceSelector: - matchNames: - - kube-system - selector: - matchLabels: - app.kubernetes.io/name: metrics-server - app.kubernetes.io/instance: metrics-server - endpoints: - - port: https - path: /metrics - scheme: https - tlsConfig: - insecureSkipVerify: true - interval: 1m - scrapeTimeout: 10s diff --git a/clusters/cl01tl/manifests/n8n/n8n.yaml b/clusters/cl01tl/manifests/n8n/n8n.yaml deleted file mode 100644 index 6ac24113a..000000000 --- a/clusters/cl01tl/manifests/n8n/n8n.yaml +++ /dev/null 
@@ -1,1192 +0,0 @@ ---- -# Source: n8n/charts/n8n/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: n8n - labels: - app.kubernetes.io/instance: n8n - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: n8n - helm.sh/chart: n8n-4.4.0 - namespace: n8n -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: n8n/charts/n8n/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: n8n-worker - labels: - app.kubernetes.io/instance: n8n - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: n8n - app.kubernetes.io/service: n8n-worker - helm.sh/chart: n8n-4.4.0 - namespace: n8n -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 5678 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: worker - app.kubernetes.io/instance: n8n - app.kubernetes.io/name: n8n ---- -# Source: n8n/charts/n8n/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: n8n-main - labels: - app.kubernetes.io/instance: n8n - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: n8n - app.kubernetes.io/service: n8n-main - helm.sh/chart: n8n-4.4.0 - namespace: n8n -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 5678 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: n8n - app.kubernetes.io/name: n8n ---- -# Source: n8n/charts/n8n/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: n8n-webhook - labels: - app.kubernetes.io/instance: n8n - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: n8n - app.kubernetes.io/service: n8n-webhook - helm.sh/chart: n8n-4.4.0 - namespace: n8n -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 5678 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: webhook - app.kubernetes.io/instance: n8n - app.kubernetes.io/name: n8n ---- -# Source: 
n8n/charts/n8n/templates/common.yaml -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: n8n-webhook - labels: - app.kubernetes.io/controller: webhook - app.kubernetes.io/instance: n8n - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: n8n - helm.sh/chart: n8n-4.4.0 - namespace: n8n -spec: - revisionHistoryLimit: 3 - selector: - matchLabels: - app.kubernetes.io/controller: webhook - app.kubernetes.io/name: n8n - app.kubernetes.io/instance: n8n - template: - metadata: - annotations: - - labels: - app.kubernetes.io/controller: webhook - app.kubernetes.io/instance: n8n - app.kubernetes.io/name: n8n - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - nodeSelector: - kubernetes.io/arch: amd64 - containers: - - args: - - webhook - command: - - n8n - env: - - name: GENERIC_TIMEZONE - value: US/Central - - name: DB_TYPE - value: postgresdb - - name: DB_POSTGRESDB_DATABASE - valueFrom: - secretKeyRef: - key: dbname - name: n8n-postgresql-17-cluster-app - - name: DB_POSTGRESDB_HOST - valueFrom: - secretKeyRef: - key: host - name: n8n-postgresql-17-cluster-app - - name: DB_POSTGRESDB_PORT - valueFrom: - secretKeyRef: - key: port - name: n8n-postgresql-17-cluster-app - - name: DB_POSTGRESDB_USER - valueFrom: - secretKeyRef: - key: user - name: n8n-postgresql-17-cluster-app - - name: DB_POSTGRESDB_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: n8n-postgresql-17-cluster-app - - name: N8N_METRICS - value: "true" - - name: QUEUE_HEALTH_CHECK_ACTIVE - value: "true" - - name: EXECUTIONS_MODE - value: queue - - name: QUEUE_BULL_REDIS_HOST - value: redis-replication-n8n-master.n8n - - name: N8N_ENCRYPTION_KEY - valueFrom: - secretKeyRef: - key: key - name: n8n-config-secret - - name: WEBHOOK_URL - value: https://n8n.alexlebens.net/ - - name: N8N_DIAGNOSTICS_ENABLED - value: "false" - - name: 
N8N_VERSION_NOTIFICATIONS_ENABLED - value: "false" - image: ghcr.io/n8n-io/n8n:1.123.1 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 5678 - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - name: main - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz/readiness - port: 5678 - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /home/node/.n8n - name: cache - volumes: - - emptyDir: {} - name: cache ---- -# Source: n8n/charts/n8n/templates/common.yaml -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: n8n-worker - labels: - app.kubernetes.io/controller: worker - app.kubernetes.io/instance: n8n - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: n8n - helm.sh/chart: n8n-4.4.0 - namespace: n8n -spec: - revisionHistoryLimit: 3 - selector: - matchLabels: - app.kubernetes.io/controller: worker - app.kubernetes.io/name: n8n - app.kubernetes.io/instance: n8n - template: - metadata: - annotations: - - labels: - app.kubernetes.io/controller: worker - app.kubernetes.io/instance: n8n - app.kubernetes.io/name: n8n - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - nodeSelector: - kubernetes.io/arch: amd64 - containers: - - args: - - worker - command: - - n8n - env: - - name: GENERIC_TIMEZONE - value: US/Central - - name: DB_TYPE - value: postgresdb - - name: DB_POSTGRESDB_DATABASE - valueFrom: - secretKeyRef: - key: dbname - name: n8n-postgresql-17-cluster-app - - name: DB_POSTGRESDB_HOST - valueFrom: - secretKeyRef: - key: host - name: n8n-postgresql-17-cluster-app - - name: DB_POSTGRESDB_PORT - valueFrom: - secretKeyRef: - key: port - name: n8n-postgresql-17-cluster-app - - name: DB_POSTGRESDB_USER - valueFrom: - secretKeyRef: - key: user - 
name: n8n-postgresql-17-cluster-app - - name: DB_POSTGRESDB_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: n8n-postgresql-17-cluster-app - - name: N8N_METRICS - value: "true" - - name: N8N_RUNNERS_ENABLED - value: "true" - - name: N8N_BLOCK_ENV_ACCESS_IN_NODE - value: "true" - - name: N8N_GIT_NODE_DISABLE_BARE_REPOS - value: "true" - - name: QUEUE_HEALTH_CHECK_ACTIVE - value: "true" - - name: EXECUTIONS_MODE - value: queue - - name: QUEUE_BULL_REDIS_HOST - value: redis-replication-n8n-master.n8n - - name: N8N_ENCRYPTION_KEY - valueFrom: - secretKeyRef: - key: key - name: n8n-config-secret - - name: WEBHOOK_URL - value: https://n8n.alexlebens.net/ - image: ghcr.io/n8n-io/n8n:1.123.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /home/node/.n8n - name: cache - volumes: - - emptyDir: {} - name: cache ---- -# Source: n8n/charts/n8n/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: n8n-main - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: n8n - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: n8n - helm.sh/chart: n8n-4.4.0 - namespace: n8n -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: n8n - app.kubernetes.io/instance: n8n - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: n8n - app.kubernetes.io/name: n8n - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: GENERIC_TIMEZONE - value: US/Central - - name: DB_TYPE - value: postgresdb - - name: DB_POSTGRESDB_DATABASE - valueFrom: - secretKeyRef: - key: dbname - name: n8n-postgresql-17-cluster-app - - name: DB_POSTGRESDB_HOST - 
valueFrom: - secretKeyRef: - key: host - name: n8n-postgresql-17-cluster-app - - name: DB_POSTGRESDB_PORT - valueFrom: - secretKeyRef: - key: port - name: n8n-postgresql-17-cluster-app - - name: DB_POSTGRESDB_USER - valueFrom: - secretKeyRef: - key: user - name: n8n-postgresql-17-cluster-app - - name: DB_POSTGRESDB_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: n8n-postgresql-17-cluster-app - - name: N8N_METRICS - value: "true" - - name: QUEUE_HEALTH_CHECK_ACTIVE - value: "true" - - name: EXECUTIONS_MODE - value: queue - - name: QUEUE_BULL_REDIS_HOST - value: redis-replication-n8n-master.n8n - - name: N8N_ENCRYPTION_KEY - valueFrom: - secretKeyRef: - key: key - name: n8n-config-secret - - name: WEBHOOK_URL - value: https://n8n.alexlebens.net/ - image: ghcr.io/n8n-io/n8n:1.123.1 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 5678 - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - name: main - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz/readiness - port: 5678 - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /data - name: data - volumes: - - name: data - persistentVolumeClaim: - claimName: n8n ---- -# Source: n8n/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: n8n-postgresql-17-cluster - namespace: n8n - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: n8n-postgresql-17 - app.kubernetes.io/instance: n8n - app.kubernetes.io/part-of: n8n - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - 
parameters: - barmanObjectName: "n8n-postgresql-17-external-backup" - serverName: "n8n-postgresql-17-backup-2" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "n8n-postgresql-17-garage-local-backup" - serverName: "n8n-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "n8n-postgresql-17-recovery" - serverName: n8n-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: n8n-postgresql-17-backup-1 - - externalClusters: - - name: n8n-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "n8n-postgresql-17-recovery" - serverName: n8n-postgresql-17-backup-1 ---- -# Source: n8n/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: n8n-config-secret - namespace: n8n - labels: - app.kubernetes.io/name: n8n-config-secret - app.kubernetes.io/instance: n8n - app.kubernetes.io/part-of: n8n -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: key - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/n8n/config - metadataPolicy: None - property: key ---- -# Source: 
n8n/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: n8n-postgresql-17-cluster-backup-secret - namespace: n8n - labels: - app.kubernetes.io/name: n8n-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: n8n - app.kubernetes.io/part-of: n8n -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: n8n/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: n8n-postgresql-17-cluster-backup-secret-garage - namespace: n8n - labels: - app.kubernetes.io/name: n8n-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: n8n - app.kubernetes.io/part-of: n8n -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: n8n/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-n8n - namespace: n8n - labels: - app.kubernetes.io/name: http-route-n8n - app.kubernetes.io/instance: n8n 
- app.kubernetes.io/part-of: n8n -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - n8n.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - - path: - type: PathPrefix - value: /webhook-test/ - backendRefs: - - group: '' - kind: Service - name: n8n-main - port: 80 - weight: 100 - - matches: - - path: - type: PathPrefix - value: /webhook/ - - path: - type: PathPrefix - value: /webhook-waiting/ - - path: - type: PathPrefix - value: /form/ - backendRefs: - - group: '' - kind: Service - name: n8n-webhook - port: 80 - weight: 100 ---- -# Source: n8n/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "n8n-postgresql-17-external-backup" - namespace: n8n - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: n8n-postgresql-17 - app.kubernetes.io/instance: n8n - app.kubernetes.io/part-of: n8n - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/n8n/n8n-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: n8n-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: n8n-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: n8n/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "n8n-postgresql-17-garage-local-backup" - namespace: n8n - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: n8n-postgresql-17 - app.kubernetes.io/instance: n8n - app.kubernetes.io/part-of: n8n - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: 
s3://postgres-backups/cl01tl/n8n/n8n-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: n8n-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: n8n-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: n8n-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: n8n/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "n8n-postgresql-17-recovery" - namespace: n8n - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: n8n-postgresql-17 - app.kubernetes.io/instance: n8n - app.kubernetes.io/part-of: n8n - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/n8n/n8n-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: n8n-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: n8n-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: n8n/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: n8n-postgresql-17-alert-rules - namespace: n8n - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: n8n-postgresql-17 - app.kubernetes.io/instance: n8n - app.kubernetes.io/part-of: n8n - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/n8n-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. 
- description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: n8n - cnpg_cluster: n8n-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: n8n - cnpg_cluster: n8n-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="n8n"} - cnpg_pg_replication_is_wal_receiver_up{namespace="n8n"}) < 1 - for: 5m - labels: - severity: critical - namespace: n8n - cnpg_cluster: n8n-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. 
- description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="n8n"} - cnpg_pg_replication_is_wal_receiver_up{namespace="n8n"}) < 2 - for: 5m - labels: - severity: warning - namespace: n8n - cnpg_cluster: n8n-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "n8n/n8n-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="n8n", pod=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="n8n", pod=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: n8n - cnpg_cluster: n8n-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. 
- description: |- - CloudNativePG Cluster "n8n/n8n-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="n8n", pod=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="n8n", pod=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: n8n - cnpg_cluster: n8n-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "n8n/n8n-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="n8n",pod=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: n8n - cnpg_cluster: n8n-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "n8n/n8n-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="n8n", pod=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: n8n - cnpg_cluster: n8n-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: n8n - cnpg_cluster: n8n-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "n8n/n8n-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="n8n", persistentvolumeclaim=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="n8n", persistentvolumeclaim=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="n8n", persistentvolumeclaim=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="n8n", persistentvolumeclaim=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="n8n", persistentvolumeclaim=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) 
(kubelet_volume_stats_capacity_bytes{namespace="n8n", persistentvolumeclaim=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: n8n - cnpg_cluster: n8n-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "n8n/n8n-postgresql-17-cluster" is running low on disk space. Check attached PVCs. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="n8n", persistentvolumeclaim=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="n8n", persistentvolumeclaim=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="n8n", persistentvolumeclaim=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="n8n", persistentvolumeclaim=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="n8n", persistentvolumeclaim=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="n8n", persistentvolumeclaim=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: n8n - cnpg_cluster: n8n-postgresql-17-cluster - - 
alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "n8n/n8n-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="n8n",pod=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: n8n - cnpg_cluster: n8n-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: n8n - cnpg_cluster: n8n-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: n8n - cnpg_cluster: n8n-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: n8n - cnpg_cluster: n8n-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. 
- description: |- - CloudNativePG Cluster "n8n/n8n-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="n8n", pod=~"n8n-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: n8n - cnpg_cluster: n8n-postgresql-17-cluster ---- -# Source: n8n/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-n8n - namespace: n8n - labels: - app.kubernetes.io/name: redis-replication-n8n - app.kubernetes.io/instance: n8n - app.kubernetes.io/part-of: n8n -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.0.3 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi - redisExporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.48.0 ---- -# Source: n8n/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "n8n-postgresql-17-daily-backup-scheduled-backup" - namespace: n8n - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: n8n-postgresql-17 - app.kubernetes.io/instance: n8n - app.kubernetes.io/part-of: n8n - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: 
self - cluster: - name: n8n-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "n8n-postgresql-17-external-backup" ---- -# Source: n8n/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "n8n-postgresql-17-live-backup-scheduled-backup" - namespace: n8n - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: n8n-postgresql-17 - app.kubernetes.io/instance: n8n - app.kubernetes.io/part-of: n8n - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: n8n-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "n8n-postgresql-17-garage-local-backup" ---- -# Source: n8n/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: n8n-main - namespace: n8n - labels: - app.kubernetes.io/name: n8n-main - app.kubernetes.io/instance: n8n - app.kubernetes.io/part-of: n8n -spec: - selector: - matchLabels: - app.kubernetes.io/name: n8n-main - app.kubernetes.io/instance: n8n - endpoints: - - port: http - interval: 3m - scrapeTimeout: 1m - path: /metrics ---- -# Source: n8n/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: n8n-worker - namespace: n8n - labels: - app.kubernetes.io/name: n8n-worker - app.kubernetes.io/instance: n8n - app.kubernetes.io/part-of: n8n -spec: - selector: - matchLabels: - app.kubernetes.io/name: n8n-worker - app.kubernetes.io/instance: n8n - endpoints: - - port: http - interval: 3m - scrapeTimeout: 1m - path: /metrics ---- -# Source: n8n/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: 
n8n-webhook - namespace: n8n - labels: - app.kubernetes.io/name: n8n-webhook - app.kubernetes.io/instance: n8n - app.kubernetes.io/part-of: n8n -spec: - selector: - matchLabels: - app.kubernetes.io/name: n8n-webhook - app.kubernetes.io/instance: n8n - endpoints: - - port: http - interval: 3m - scrapeTimeout: 1m - path: /metrics ---- -# Source: n8n/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: redis-replication-n8n - namespace: n8n - labels: - app.kubernetes.io/name: redis-replication-n8n - app.kubernetes.io/instance: n8n - app.kubernetes.io/part-of: n8n - redis-operator: "true" - env: production -spec: - selector: - matchLabels: - redis_setup_type: replication - endpoints: - - port: redis-exporter - interval: 30s - scrapeTimeout: 10s
diff --git a/clusters/cl01tl/manifests/nfs/nfs.yaml b/clusters/cl01tl/manifests/nfs/nfs.yaml
deleted file mode 100644
index 215e35ee8..000000000
--- a/clusters/cl01tl/manifests/nfs/nfs.yaml
+++ /dev/null
@@ -1,211 +0,0 @@ ---- -# Source: nfs-subdir-external-provisioner/charts/nfs-subdir-external-provisioner/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - chart: nfs-subdir-external-provisioner-4.0.18 - heritage: Helm - app: nfs-subdir-external-provisioner - release: nfs - name: nfs-nfs-subdir-external-provisioner ---- -# Source: nfs-subdir-external-provisioner/charts/nfs-subdir-external-provisioner/templates/storageclass.yaml -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - labels: - chart: nfs-subdir-external-provisioner-4.0.18 - heritage: Helm - app: nfs-subdir-external-provisioner - release: nfs - name: nfs-client - annotations: -provisioner: cluster.local/nfs-nfs-subdir-external-provisioner -allowVolumeExpansion: true -reclaimPolicy: Delete -volumeBindingMode: Immediate -parameters: - archiveOnDelete: "true" -mountOptions: - - hard - - vers=4 - - minorversion=1 ---- -# Source: nfs-subdir-external-provisioner/charts/nfs-subdir-external-provisioner/templates/persistentvolume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: pv-nfs-nfs-subdir-external-provisioner - labels: - chart: nfs-subdir-external-provisioner-4.0.18 - heritage: Helm - app: nfs-subdir-external-provisioner - release: nfs - nfs-subdir-external-provisioner: nfs-nfs-subdir-external-provisioner -spec: - capacity: - storage: 10Mi - volumeMode: Filesystem - accessModes: - - ReadWriteOnce - persistentVolumeReclaimPolicy: Retain - storageClassName: "" - mountOptions: - - hard - - vers=4 - - minorversion=1 - nfs: - server: 10.232.1.64 - path: /volume2/Talos ---- -# Source: nfs-subdir-external-provisioner/charts/nfs-subdir-external-provisioner/templates/persistentvolumeclaim.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: pvc-nfs-nfs-subdir-external-provisioner - labels: - chart: nfs-subdir-external-provisioner-4.0.18 - heritage: Helm - app: nfs-subdir-external-provisioner - release: nfs -spec: - accessModes: - - 
ReadWriteOnce - volumeMode: Filesystem - storageClassName: "" - selector: - matchLabels: - nfs-subdir-external-provisioner: nfs-nfs-subdir-external-provisioner - resources: - requests: - storage: 10Mi ---- -# Source: nfs-subdir-external-provisioner/charts/nfs-subdir-external-provisioner/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - labels: - chart: nfs-subdir-external-provisioner-4.0.18 - heritage: Helm - app: nfs-subdir-external-provisioner - release: nfs - name: nfs-nfs-subdir-external-provisioner-runner -rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "update", "patch"] ---- -# Source: nfs-subdir-external-provisioner/charts/nfs-subdir-external-provisioner/templates/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - labels: - chart: nfs-subdir-external-provisioner-4.0.18 - heritage: Helm - app: nfs-subdir-external-provisioner - release: nfs - name: run-nfs-nfs-subdir-external-provisioner -subjects: - - kind: ServiceAccount - name: nfs-nfs-subdir-external-provisioner - namespace: nfs -roleRef: - kind: ClusterRole - name: nfs-nfs-subdir-external-provisioner-runner - apiGroup: rbac.authorization.k8s.io ---- -# Source: nfs-subdir-external-provisioner/charts/nfs-subdir-external-provisioner/templates/role.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - labels: - chart: nfs-subdir-external-provisioner-4.0.18 - heritage: Helm - app: nfs-subdir-external-provisioner - release: nfs - name: 
leader-locking-nfs-nfs-subdir-external-provisioner -rules: - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] ---- -# Source: nfs-subdir-external-provisioner/charts/nfs-subdir-external-provisioner/templates/rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - labels: - chart: nfs-subdir-external-provisioner-4.0.18 - heritage: Helm - app: nfs-subdir-external-provisioner - release: nfs - name: leader-locking-nfs-nfs-subdir-external-provisioner -subjects: - - kind: ServiceAccount - name: nfs-nfs-subdir-external-provisioner - namespace: nfs -roleRef: - kind: Role - name: leader-locking-nfs-nfs-subdir-external-provisioner - apiGroup: rbac.authorization.k8s.io ---- -# Source: nfs-subdir-external-provisioner/charts/nfs-subdir-external-provisioner/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nfs-nfs-subdir-external-provisioner - labels: - chart: nfs-subdir-external-provisioner-4.0.18 - heritage: Helm - app: nfs-subdir-external-provisioner - release: nfs -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app: nfs-subdir-external-provisioner - release: nfs - template: - metadata: - annotations: - labels: - app: nfs-subdir-external-provisioner - release: nfs - spec: - serviceAccountName: nfs-nfs-subdir-external-provisioner - securityContext: - {} - containers: - - name: nfs-subdir-external-provisioner - image: "registry.k8s.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2" - imagePullPolicy: IfNotPresent - securityContext: - {} - volumeMounts: - - name: nfs-subdir-external-provisioner-root - mountPath: /persistentvolumes - env: - - name: PROVISIONER_NAME - value: cluster.local/nfs-nfs-subdir-external-provisioner - - name: NFS_SERVER - value: 10.232.1.64 - - name: NFS_PATH - value: /volume2/Talos - volumes: - - name: nfs-subdir-external-provisioner-root - persistentVolumeClaim: - claimName: 
pvc-nfs-nfs-subdir-external-provisioner
diff --git a/clusters/cl01tl/manifests/node-feature-discovery/node-feature-discovery.yaml b/clusters/cl01tl/manifests/node-feature-discovery/node-feature-discovery.yaml
deleted file mode 100644
index 2ee055732..000000000
--- a/clusters/cl01tl/manifests/node-feature-discovery/node-feature-discovery.yaml
+++ /dev/null
@@ -1,1592 +0,0 @@ ---- -# Source: node-feature-discovery/charts/node-feature-discovery/crds/nfd-api-crds.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.3 - name: nodefeatures.nfd.k8s-sigs.io -spec: - group: nfd.k8s-sigs.io - names: - kind: NodeFeature - listKind: NodeFeatureList - plural: nodefeatures - singular: nodefeature - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - NodeFeature resource holds the features discovered for one node in the - cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the NodeFeature, containing features discovered - for a node. - properties: - features: - description: Features is the full "raw" features data that has been - discovered. - properties: - attributes: - additionalProperties: - description: AttributeFeatureSet is a set of features having - string value. - properties: - elements: - additionalProperties: - type: string - description: Individual features of the feature set. - type: object - required: - - elements - type: object - description: Attributes contains all the attribute-type features - of the node. 
- type: object - flags: - additionalProperties: - description: FlagFeatureSet is a set of simple features only - containing names without values. - properties: - elements: - additionalProperties: - description: |- - Nil is a dummy empty struct for protobuf compatibility. - NOTE: protobuf definitions have been removed but this is kept for API compatibility. - type: object - description: Individual features of the feature set. - type: object - required: - - elements - type: object - description: Flags contains all the flag-type features of the - node. - type: object - instances: - additionalProperties: - description: InstanceFeatureSet is a set of features each of - which is an instance having multiple attributes. - properties: - elements: - description: Individual features of the feature set. - items: - description: InstanceFeature represents one instance of - a complex features, e.g. a device. - properties: - attributes: - additionalProperties: - type: string - description: Attributes of the instance feature. - type: object - required: - - attributes - type: object - type: array - required: - - elements - type: object - description: Instances contains all the instance-type features - of the node. - type: object - type: object - labels: - additionalProperties: - type: string - description: Labels is the set of node labels that are requested to - be created. 
- type: object - type: object - required: - - spec - type: object - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.3 - name: nodefeaturegroups.nfd.k8s-sigs.io -spec: - group: nfd.k8s-sigs.io - names: - kind: NodeFeatureGroup - listKind: NodeFeatureGroupList - plural: nodefeaturegroups - shortNames: - - nfg - singular: nodefeaturegroup - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: NodeFeatureGroup resource holds Node pools by featureGroup - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the rules to be evaluated. - properties: - featureGroupRules: - description: List of rules to evaluate to determine nodes that belong - in this group. - items: - description: GroupRule defines a rule for nodegroup filtering. - properties: - matchAny: - description: MatchAny specifies a list of matchers one of which - must match. - items: - description: MatchAnyElem specifies one sub-matcher of MatchAny. - properties: - matchFeatures: - description: MatchFeatures specifies a set of matcher - terms all of which must match. 
- items: - description: |- - FeatureMatcherTerm defines requirements against one feature set. All - requirements (specified as MatchExpressions) are evaluated against each - element in the feature set. - properties: - feature: - description: Feature is the name of the feature - set to match against. - type: string - matchExpressions: - additionalProperties: - description: |- - MatchExpression specifies an expression to evaluate against a set of input - values. It contains an operator that is applied when matching the input and - an array of values that the operator evaluates the input against. - properties: - op: - description: Op is the operator to be applied. - enum: - - In - - NotIn - - InRegexp - - Exists - - DoesNotExist - - Gt - - Ge - - Lt - - Le - - GtLt - - GeLe - - IsTrue - - IsFalse - type: string - type: - description: |- - Type defines the value type for specific operators. - The currently supported type is 'version' for Gt,Ge,Lt,Le,GtLt,GeLe operators. - type: string - value: - description: |- - Value is the list of values that the operand evaluates the input - against. Value should be empty if the operator is Exists, DoesNotExist, - IsTrue or IsFalse. Value should contain exactly one element if the - operator is Gt or Lt and exactly two elements if the operator is GtLt. - In other cases Value should contain at least one element. - items: - type: string - type: array - required: - - op - type: object - description: |- - MatchExpressions is the set of per-element expressions evaluated. These - match against the value of the specified elements. - type: object - matchName: - description: |- - MatchName in an expression that is matched against the name of each - element in the feature set. - properties: - op: - description: Op is the operator to be applied. 
- enum: - - In - - NotIn - - InRegexp - - Exists - - DoesNotExist - - Gt - - Ge - - Lt - - Le - - GtLt - - GeLe - - IsTrue - - IsFalse - type: string - type: - description: |- - Type defines the value type for specific operators. - The currently supported type is 'version' for Gt,Ge,Lt,Le,GtLt,GeLe operators. - type: string - value: - description: |- - Value is the list of values that the operand evaluates the input - against. Value should be empty if the operator is Exists, DoesNotExist, - IsTrue or IsFalse. Value should contain exactly one element if the - operator is Gt or Lt and exactly two elements if the operator is GtLt. - In other cases Value should contain at least one element. - items: - type: string - type: array - required: - - op - type: object - required: - - feature - type: object - type: array - required: - - matchFeatures - type: object - type: array - matchFeatures: - description: MatchFeatures specifies a set of matcher terms - all of which must match. - items: - description: |- - FeatureMatcherTerm defines requirements against one feature set. All - requirements (specified as MatchExpressions) are evaluated against each - element in the feature set. - properties: - feature: - description: Feature is the name of the feature set to - match against. - type: string - matchExpressions: - additionalProperties: - description: |- - MatchExpression specifies an expression to evaluate against a set of input - values. It contains an operator that is applied when matching the input and - an array of values that the operator evaluates the input against. - properties: - op: - description: Op is the operator to be applied. - enum: - - In - - NotIn - - InRegexp - - Exists - - DoesNotExist - - Gt - - Ge - - Lt - - Le - - GtLt - - GeLe - - IsTrue - - IsFalse - type: string - type: - description: |- - Type defines the value type for specific operators. - The currently supported type is 'version' for Gt,Ge,Lt,Le,GtLt,GeLe operators. 
- type: string - value: - description: |- - Value is the list of values that the operand evaluates the input - against. Value should be empty if the operator is Exists, DoesNotExist, - IsTrue or IsFalse. Value should contain exactly one element if the - operator is Gt or Lt and exactly two elements if the operator is GtLt. - In other cases Value should contain at least one element. - items: - type: string - type: array - required: - - op - type: object - description: |- - MatchExpressions is the set of per-element expressions evaluated. These - match against the value of the specified elements. - type: object - matchName: - description: |- - MatchName in an expression that is matched against the name of each - element in the feature set. - properties: - op: - description: Op is the operator to be applied. - enum: - - In - - NotIn - - InRegexp - - Exists - - DoesNotExist - - Gt - - Ge - - Lt - - Le - - GtLt - - GeLe - - IsTrue - - IsFalse - type: string - type: - description: |- - Type defines the value type for specific operators. - The currently supported type is 'version' for Gt,Ge,Lt,Le,GtLt,GeLe operators. - type: string - value: - description: |- - Value is the list of values that the operand evaluates the input - against. Value should be empty if the operator is Exists, DoesNotExist, - IsTrue or IsFalse. Value should contain exactly one element if the - operator is Gt or Lt and exactly two elements if the operator is GtLt. - In other cases Value should contain at least one element. - items: - type: string - type: array - required: - - op - type: object - required: - - feature - type: object - type: array - name: - description: Name of the rule. - type: string - vars: - additionalProperties: - type: string - description: |- - Vars is the variables to store if the rule matches. Variables can be - referenced from other rules enabling more complex rule hierarchies. 
- type: object - varsTemplate: - description: |- - VarsTemplate specifies a template to expand for dynamically generating - multiple variables. Data (after template expansion) must be keys with an - optional value ([=]) separated by newlines. - type: string - required: - - name - type: object - type: array - required: - - featureGroupRules - type: object - status: - description: |- - Status of the NodeFeatureGroup after the most recent evaluation of the - specification. - properties: - nodes: - description: Nodes is a list of FeatureGroupNode in the cluster that - match the featureGroupRules - items: - properties: - name: - description: Name of the node. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.3 - name: nodefeaturerules.nfd.k8s-sigs.io -spec: - group: nfd.k8s-sigs.io - names: - kind: NodeFeatureRule - listKind: NodeFeatureRuleList - plural: nodefeaturerules - shortNames: - - nfr - singular: nodefeaturerule - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - NodeFeatureRule resource specifies a configuration for feature-based - customization of node objects, such as node labeling. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. 
- Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the rules to be evaluated. - properties: - rules: - description: Rules is a list of node customization rules. - items: - description: Rule defines a rule for node customization such as - labeling. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to create if the rule matches. - type: object - extendedResources: - additionalProperties: - type: string - description: ExtendedResources to create if the rule matches. - type: object - labels: - additionalProperties: - type: string - description: Labels to create if the rule matches. - type: object - labelsTemplate: - description: |- - LabelsTemplate specifies a template to expand for dynamically generating - multiple labels. Data (after template expansion) must be keys with an - optional value ([=]) separated by newlines. - type: string - matchAny: - description: MatchAny specifies a list of matchers one of which - must match. - items: - description: MatchAnyElem specifies one sub-matcher of MatchAny. - properties: - matchFeatures: - description: MatchFeatures specifies a set of matcher - terms all of which must match. - items: - description: |- - FeatureMatcherTerm defines requirements against one feature set. All - requirements (specified as MatchExpressions) are evaluated against each - element in the feature set. - properties: - feature: - description: Feature is the name of the feature - set to match against. - type: string - matchExpressions: - additionalProperties: - description: |- - MatchExpression specifies an expression to evaluate against a set of input - values. 
It contains an operator that is applied when matching the input and - an array of values that the operator evaluates the input against. - properties: - op: - description: Op is the operator to be applied. - enum: - - In - - NotIn - - InRegexp - - Exists - - DoesNotExist - - Gt - - Ge - - Lt - - Le - - GtLt - - GeLe - - IsTrue - - IsFalse - type: string - type: - description: |- - Type defines the value type for specific operators. - The currently supported type is 'version' for Gt,Ge,Lt,Le,GtLt,GeLe operators. - type: string - value: - description: |- - Value is the list of values that the operand evaluates the input - against. Value should be empty if the operator is Exists, DoesNotExist, - IsTrue or IsFalse. Value should contain exactly one element if the - operator is Gt or Lt and exactly two elements if the operator is GtLt. - In other cases Value should contain at least one element. - items: - type: string - type: array - required: - - op - type: object - description: |- - MatchExpressions is the set of per-element expressions evaluated. These - match against the value of the specified elements. - type: object - matchName: - description: |- - MatchName in an expression that is matched against the name of each - element in the feature set. - properties: - op: - description: Op is the operator to be applied. - enum: - - In - - NotIn - - InRegexp - - Exists - - DoesNotExist - - Gt - - Ge - - Lt - - Le - - GtLt - - GeLe - - IsTrue - - IsFalse - type: string - type: - description: |- - Type defines the value type for specific operators. - The currently supported type is 'version' for Gt,Ge,Lt,Le,GtLt,GeLe operators. - type: string - value: - description: |- - Value is the list of values that the operand evaluates the input - against. Value should be empty if the operator is Exists, DoesNotExist, - IsTrue or IsFalse. Value should contain exactly one element if the - operator is Gt or Lt and exactly two elements if the operator is GtLt. 
- In other cases Value should contain at least one element. - items: - type: string - type: array - required: - - op - type: object - required: - - feature - type: object - type: array - required: - - matchFeatures - type: object - type: array - matchFeatures: - description: MatchFeatures specifies a set of matcher terms - all of which must match. - items: - description: |- - FeatureMatcherTerm defines requirements against one feature set. All - requirements (specified as MatchExpressions) are evaluated against each - element in the feature set. - properties: - feature: - description: Feature is the name of the feature set to - match against. - type: string - matchExpressions: - additionalProperties: - description: |- - MatchExpression specifies an expression to evaluate against a set of input - values. It contains an operator that is applied when matching the input and - an array of values that the operator evaluates the input against. - properties: - op: - description: Op is the operator to be applied. - enum: - - In - - NotIn - - InRegexp - - Exists - - DoesNotExist - - Gt - - Ge - - Lt - - Le - - GtLt - - GeLe - - IsTrue - - IsFalse - type: string - type: - description: |- - Type defines the value type for specific operators. - The currently supported type is 'version' for Gt,Ge,Lt,Le,GtLt,GeLe operators. - type: string - value: - description: |- - Value is the list of values that the operand evaluates the input - against. Value should be empty if the operator is Exists, DoesNotExist, - IsTrue or IsFalse. Value should contain exactly one element if the - operator is Gt or Lt and exactly two elements if the operator is GtLt. - In other cases Value should contain at least one element. - items: - type: string - type: array - required: - - op - type: object - description: |- - MatchExpressions is the set of per-element expressions evaluated. These - match against the value of the specified elements. 
- type: object - matchName: - description: |- - MatchName in an expression that is matched against the name of each - element in the feature set. - properties: - op: - description: Op is the operator to be applied. - enum: - - In - - NotIn - - InRegexp - - Exists - - DoesNotExist - - Gt - - Ge - - Lt - - Le - - GtLt - - GeLe - - IsTrue - - IsFalse - type: string - type: - description: |- - Type defines the value type for specific operators. - The currently supported type is 'version' for Gt,Ge,Lt,Le,GtLt,GeLe operators. - type: string - value: - description: |- - Value is the list of values that the operand evaluates the input - against. Value should be empty if the operator is Exists, DoesNotExist, - IsTrue or IsFalse. Value should contain exactly one element if the - operator is Gt or Lt and exactly two elements if the operator is GtLt. - In other cases Value should contain at least one element. - items: - type: string - type: array - required: - - op - type: object - required: - - feature - type: object - type: array - name: - description: Name of the rule. - type: string - taints: - description: Taints to create if the rule matches. - items: - description: |- - The node this Taint is attached to has the "effect" on - any pod that does not tolerate the Taint. - properties: - effect: - description: |- - Required. The effect of the taint on pods - that do not tolerate the taint. - Valid effects are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Required. The taint key to be applied to - a node. - type: string - timeAdded: - description: |- - TimeAdded represents the time at which the taint was added. - It is only written for NoExecute taints. - format: date-time - type: string - value: - description: The taint value corresponding to the taint - key. 
- type: string - required: - - effect - - key - type: object - type: array - vars: - additionalProperties: - type: string - description: |- - Vars is the variables to store if the rule matches. Variables do not - directly inflict any changes in the node object. However, they can be - referenced from other rules enabling more complex rule hierarchies, - without exposing intermediary output values as labels. - type: object - varsTemplate: - description: |- - VarsTemplate specifies a template to expand for dynamically generating - multiple variables. Data (after template expansion) must be keys with an - optional value ([=]) separated by newlines. - type: string - required: - - name - type: object - type: array - required: - - rules - type: object - required: - - spec - type: object - served: true - storage: true - ---- -# Source: node-feature-discovery/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: node-feature-discovery - labels: - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/part-of: node-feature-discovery - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: node-feature-discovery - namespace: node-feature-discovery - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: node-feature-discovery-gc - namespace: node-feature-discovery - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - 
app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: node-feature-discovery-worker - namespace: node-feature-discovery - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/nfd-master-conf.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: node-feature-discovery-master-conf - namespace: node-feature-discovery - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm -data: - nfd-master.conf: |- - null ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/nfd-worker-conf.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: node-feature-discovery-worker-conf - namespace: node-feature-discovery - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm -data: - nfd-worker.conf: |- - sources: - cpu: - cpuid: - attributeWhitelist: - - AVX512BW - - AVX512CD - - AVX512DQ - - AVX512F - - AVX512VL - custom: - - labels: - intel.feature.node.kubernetes.io/gpu: "true" - matchOn: - - pciId: - class: - - "0300" - vendor: - - "8086" - name: intel-gpu - kernel: - configOpts: - - NO_HZ - - X86 - - DMI - pci: - deviceClassWhitelist: - - "0200" - - "01" - - "08" - - "0300" - 
- "0302" - deviceLabelFields: - - vendor - - device - - class - usb: - deviceClassWhitelist: - - "02" - - "03" - - 0e - - ef - - fe - - ff - deviceLabelFields: - - vendor - - device - - class ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: node-feature-discovery - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - watch - - list -- apiGroups: - - "" - resources: - - nodes - - nodes/status - verbs: - - get - - patch - - update - - list -- apiGroups: - - nfd.k8s-sigs.io - resources: - - nodefeatures - - nodefeaturerules - - nodefeaturegroups - verbs: - - get - - list - - watch -- apiGroups: - - nfd.k8s-sigs.io - resources: - - nodefeaturegroups/status - verbs: - - patch - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -- apiGroups: - - coordination.k8s.io - resources: - - leases - resourceNames: - - "nfd-master.nfd.kubernetes.io" - verbs: - - get - - update ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: node-feature-discovery-gc - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - nodes/proxy - verbs: - - get -- apiGroups: - - topology.node.k8s.io - resources: - - noderesourcetopologies - verbs: - - delete - - list -- apiGroups: - 
- nfd.k8s-sigs.io - resources: - - nodefeatures - verbs: - - delete - - list ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: node-feature-discovery - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: node-feature-discovery -subjects: -- kind: ServiceAccount - name: node-feature-discovery - namespace: node-feature-discovery ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: node-feature-discovery-gc - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: node-feature-discovery-gc -subjects: -- kind: ServiceAccount - name: node-feature-discovery-gc - namespace: node-feature-discovery ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: node-feature-discovery-worker - namespace: node-feature-discovery - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - nfd.k8s-sigs.io - resources: - - nodefeatures - verbs: - - create - - get - - update - - delete -- apiGroups: - - "" - 
resources: - - pods - verbs: - - get ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: node-feature-discovery-worker - namespace: node-feature-discovery - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: node-feature-discovery-worker -subjects: -- kind: ServiceAccount - name: node-feature-discovery-worker - namespace: node-feature-discovery ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/worker.yaml -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: node-feature-discovery-worker - namespace: node-feature-discovery - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm - role: worker -spec: - revisionHistoryLimit: - selector: - matchLabels: - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - role: worker - template: - metadata: - labels: - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - role: worker - annotations: - checksum/config: 0ff3ad6ed18d5d7f9cd6e7d703e20338b50f37fe59fddf7cf6a5a57525292ed8 - spec: - dnsPolicy: ClusterFirstWithHostNet - imagePullSecrets: - serviceAccountName: node-feature-discovery-worker - securityContext: - {} - hostNetwork: false - containers: - - name: worker - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: 
"registry.k8s.io/nfd/node-feature-discovery:v0.18.3" - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: http - initialDelaySeconds: 10 - readinessProbe: - httpGet: - path: /healthz - port: http - initialDelaySeconds: 5 - failureThreshold: 10 - env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - resources: - limits: - memory: 512Mi - requests: - cpu: 20m - memory: 60Mi - command: - - "nfd-worker" - args: - # Go over featureGate and add the feature-gate flag - - "-feature-gates=NodeFeatureGroupAPI=true" - - "-port=8080" - ports: - - containerPort: 8080 - name: http - volumeMounts: - - name: host-boot - mountPath: "/host-boot" - readOnly: true - - name: host-os-release - mountPath: "/host-etc/os-release" - readOnly: true - - name: host-sys - mountPath: "/host-sys" - readOnly: true - - name: host-usr-lib - mountPath: "/host-usr/lib" - readOnly: true - - name: host-lib - mountPath: "/host-lib" - readOnly: true - - name: host-proc-swaps - mountPath: "/host-proc/swaps" - readOnly: true - - name: features-d - mountPath: "/etc/kubernetes/node-feature-discovery/features.d/" - readOnly: true - - name: nfd-worker-conf - mountPath: "/etc/kubernetes/node-feature-discovery" - readOnly: true - volumes: - - name: host-boot - hostPath: - path: "/boot" - - name: host-os-release - hostPath: - path: "/etc/os-release" - - name: host-sys - hostPath: - path: "/sys" - - name: host-usr-lib - hostPath: - path: "/usr/lib" - - name: host-lib - hostPath: - path: "/lib" - - name: host-proc-swaps - hostPath: - path: "/proc/swaps" - - name: features-d - hostPath: - path: "/etc/kubernetes/node-feature-discovery/features.d/" - - name: nfd-worker-conf - configMap: - name: node-feature-discovery-worker-conf - items: - - key: nfd-worker.conf - path: nfd-worker.conf - tolerations: - - effect: NoSchedule - 
key: node-role.kubernetes.io/control-plane - operator: Exists ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/master.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: node-feature-discovery-master - namespace: node-feature-discovery - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm - role: master -spec: - replicas: 2 - revisionHistoryLimit: - selector: - matchLabels: - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - role: master - template: - metadata: - labels: - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - role: master - annotations: - checksum/config: b0be1066d37d3a4f8bb03f39cdd2b6a637625f710dfec507062ad559ec43a4dc - spec: - dnsPolicy: ClusterFirstWithHostNet - imagePullSecrets: - serviceAccountName: node-feature-discovery - enableServiceLinks: false - securityContext: - {} - hostNetwork: false - containers: - - name: master - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: "registry.k8s.io/nfd/node-feature-discovery:v0.18.3" - imagePullPolicy: IfNotPresent - startupProbe: - httpGet: - path: /healthz - port: http - failureThreshold: 30 - livenessProbe: - httpGet: - path: /healthz - port: http - readinessProbe: - httpGet: - path: /healthz - port: http - failureThreshold: 10 - ports: - - containerPort: 8080 - name: http - env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - command: - - "nfd-master" - resources: - limits: - memory: 4Gi - requests: - cpu: 20m - memory: 60Mi - args: - - "-enable-leader-election" - # Go over featureGates and add the feature-gate flag - - "-feature-gates=NodeFeatureGroupAPI=true" - 
- "-port=8080" - volumeMounts: - - name: nfd-master-conf - mountPath: "/etc/kubernetes/node-feature-discovery" - readOnly: true - volumes: - - name: nfd-master-conf - configMap: - name: node-feature-discovery-master-conf - items: - - key: nfd-master.conf - path: nfd-master.conf - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: In - values: - - "" - weight: 1 - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/nfd-gc.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: node-feature-discovery-gc - namespace: node-feature-discovery - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm - role: gc -spec: - replicas: 1 - revisionHistoryLimit: - selector: - matchLabels: - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - role: gc - template: - metadata: - labels: - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - role: gc - spec: - serviceAccountName: node-feature-discovery-gc - dnsPolicy: ClusterFirstWithHostNet - imagePullSecrets: - securityContext: - {} - hostNetwork: false - containers: - - name: gc - image: "registry.k8s.io/nfd/node-feature-discovery:v0.18.3" - imagePullPolicy: "IfNotPresent" - livenessProbe: - httpGet: - path: /healthz - port: http - initialDelaySeconds: 10 - readinessProbe: - httpGet: - path: /healthz - port: http - initialDelaySeconds: 5 - env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - command: - - "nfd-gc" - args: - - "-gc-interval=1h" - resources: - limits: - memory: 1Gi - 
requests: - cpu: 20m - memory: 60Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: [ "ALL" ] - readOnlyRootFilesystem: true - runAsNonRoot: true - ports: - - name: http - containerPort: 8080 ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/prometheus.yaml -# Prometheus Monitor Service (Metrics) -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: node-feature-discovery - labels: - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery -spec: - podMetricsEndpoints: - - honorLabels: true - interval: 10s - path: /metrics - port: http - scheme: http - namespaceSelector: - matchNames: - - node-feature-discovery - selector: - matchExpressions: - - {key: app.kubernetes.io/instance, operator: In, values: ["node-feature-discovery"]} - - {key: app.kubernetes.io/name, operator: In, values: ["node-feature-discovery"]} ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/post-delete-job.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: node-feature-discovery-prune - namespace: node-feature-discovery - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": post-delete - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/post-delete-job.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: node-feature-discovery-prune - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": 
post-delete - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -rules: -- apiGroups: - - "" - resources: - - nodes - - nodes/status - verbs: - - get - - patch - - update - - list ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/post-delete-job.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: node-feature-discovery-prune - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": post-delete - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: node-feature-discovery-prune -subjects: -- kind: ServiceAccount - name: node-feature-discovery-prune - namespace: node-feature-discovery ---- -# Source: node-feature-discovery/charts/node-feature-discovery/templates/post-delete-job.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: node-feature-discovery-prune - namespace: node-feature-discovery - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": post-delete - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -spec: - template: - metadata: - labels: - helm.sh/chart: node-feature-discovery-0.18.3 - app.kubernetes.io/name: node-feature-discovery - app.kubernetes.io/instance: node-feature-discovery - app.kubernetes.io/version: "v0.18.3" - app.kubernetes.io/managed-by: Helm - role: prune - spec: - serviceAccountName: node-feature-discovery-prune - imagePullSecrets: - containers: - - name: nfd-master - securityContext: - allowPrivilegeEscalation: false - 
capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: "registry.k8s.io/nfd/node-feature-discovery:v0.18.3" - imagePullPolicy: IfNotPresent - command: - - "nfd-master" - args: - - "-prune" - restartPolicy: Never - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: In - values: - - "" - weight: 1 - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists - resources: - limits: - memory: 4Gi - requests: - cpu: 20m - memory: 60Mi diff --git a/clusters/cl01tl/manifests/ntfy/ntfy.yaml b/clusters/cl01tl/manifests/ntfy/ntfy.yaml deleted file mode 100644 index 8e6d9ca95..000000000 --- a/clusters/cl01tl/manifests/ntfy/ntfy.yaml +++ /dev/null 
@@ -1,195 +0,0 @@ ---- -# Source: ntfy/charts/ntfy/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: ntfy - labels: - app.kubernetes.io/instance: ntfy - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ntfy - helm.sh/chart: ntfy-4.4.0 - namespace: ntfy -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: ntfy/charts/ntfy/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: ntfy - labels: - app.kubernetes.io/instance: ntfy - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ntfy - app.kubernetes.io/service: ntfy - helm.sh/chart: ntfy-4.4.0 - namespace: ntfy -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 80 - protocol: TCP - name: http - - port: 9090 - targetPort: 9090 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: ntfy - app.kubernetes.io/name: ntfy ---- -# Source: ntfy/charts/ntfy/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ntfy - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: ntfy - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ntfy - helm.sh/chart: ntfy-4.4.0 - namespace: ntfy -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: ntfy - app.kubernetes.io/instance: ntfy - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: ntfy - app.kubernetes.io/name: ntfy - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - serve - env: - - name: TZ - value: US/Central - - name: NTFY_BASE_URL - value: https://ntfy.alexlebens.net - - name: 
NTFY_LISTEN_HTTP - value: :80 - - name: NTFY_CACHE_FILE - value: /var/cache/ntfy/cache.db - - name: NTFY_CACHE_DURATION - value: 36h - - name: NTFY_CACHE_STARTUP_QUERIES - value: | - pragma journal_mode = WAL; - pragma synchronous = normal; - pragma temp_store = memory; - pragma busy_timeout = 15000; - vacuum; - - name: NTFY_BEHIND_PROXY - value: "true" - - name: NTFY_ATTACHMENT_CACHE_DIR - value: /var/cache/ntfy/attachments - - name: NTFY_ATTACHMENT_TOTAL_SIZE_LIMIT - value: 4G - - name: NTFY_ATTACHMENT_FILE_SIZE_LIMIT - value: 15M - - name: NTFY_ATTACHMENT_EXPIRY_DURATION - value: 36h - - name: NTFY_ENABLE_SIGNUP - value: "false" - - name: NTFY_ENABLE_LOGIN - value: "true" - - name: NTFY_ENABLE_RESERVATIONS - value: "false" - - name: NTFY_AUTH_FILE - value: /var/cache/ntfy/user.db - - name: NTFY_AUTH_DEFAULT_ACCESS - value: deny-all - - name: NTFY_METRICS_LISTEN_HTTP - value: :9090 - - name: NTFY_LOG_LEVEL - value: info - image: binwiederhier/ntfy:v2.15.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /var/cache/ntfy - name: cache - volumes: - - name: cache - persistentVolumeClaim: - claimName: ntfy ---- -# Source: ntfy/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-ntfy - namespace: ntfy - labels: - app.kubernetes.io/name: http-route-ntfy - app.kubernetes.io/instance: ntfy - app.kubernetes.io/part-of: ntfy -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - ntfy.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: ntfy - port: 80 - weight: 100 ---- -# Source: ntfy/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: ntfy - namespace: ntfy - labels: - app.kubernetes.io/name: ntfy - 
app.kubernetes.io/instance: ntfy - app.kubernetes.io/part-of: ntfy -spec: - selector: - matchLabels: - app.kubernetes.io/name: ntfy - app.kubernetes.io/instance: ntfy - endpoints: - - port: metrics - interval: 3m - scrapeTimeout: 1m - path: /metrics diff --git a/clusters/cl01tl/manifests/ollama/ollama.yaml b/clusters/cl01tl/manifests/ollama/ollama.yaml deleted file mode 100644 index 17e2137af..000000000 --- a/clusters/cl01tl/manifests/ollama/ollama.yaml +++ /dev/null 
@@ -1,1260 +0,0 @@ ---- -# Source: ollama/charts/ollama/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: ollama-server-1 - labels: - app.kubernetes.io/instance: ollama - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ollama - helm.sh/chart: ollama-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: ollama -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "40Gi" - storageClassName: "ceph-block" ---- -# Source: ollama/charts/ollama/templates/common.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: ollama-server-2 - labels: - app.kubernetes.io/instance: ollama - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ollama - helm.sh/chart: ollama-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: ollama -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "40Gi" - storageClassName: "ceph-block" ---- -# Source: ollama/charts/ollama/templates/common.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: ollama-server-3 - labels: - app.kubernetes.io/instance: ollama - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ollama - helm.sh/chart: ollama-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: ollama -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "40Gi" - storageClassName: "ceph-block" ---- -# Source: ollama/charts/ollama/templates/common.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: ollama-web-data - labels: - app.kubernetes.io/instance: ollama - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ollama - helm.sh/chart: ollama-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: ollama -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: ollama/charts/ollama/templates/common.yaml -apiVersion: v1 -kind: Service 
-metadata: - name: ollama-server-1 - labels: - app.kubernetes.io/instance: ollama - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ollama - app.kubernetes.io/service: ollama-server-1 - helm.sh/chart: ollama-4.4.0 - namespace: ollama -spec: - type: ClusterIP - ports: - - port: 11434 - targetPort: 11434 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: server-1 - app.kubernetes.io/instance: ollama - app.kubernetes.io/name: ollama ---- -# Source: ollama/charts/ollama/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: ollama-server-2 - labels: - app.kubernetes.io/instance: ollama - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ollama - app.kubernetes.io/service: ollama-server-2 - helm.sh/chart: ollama-4.4.0 - namespace: ollama -spec: - type: ClusterIP - ports: - - port: 11434 - targetPort: 11434 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: server-2 - app.kubernetes.io/instance: ollama - app.kubernetes.io/name: ollama ---- -# Source: ollama/charts/ollama/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: ollama-server-3 - labels: - app.kubernetes.io/instance: ollama - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ollama - app.kubernetes.io/service: ollama-server-3 - helm.sh/chart: ollama-4.4.0 - namespace: ollama -spec: - type: ClusterIP - ports: - - port: 11434 - targetPort: 11434 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: server-3 - app.kubernetes.io/instance: ollama - app.kubernetes.io/name: ollama ---- -# Source: ollama/charts/ollama/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: ollama-web - labels: - app.kubernetes.io/instance: ollama - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ollama - app.kubernetes.io/service: ollama-web - helm.sh/chart: ollama-4.4.0 - namespace: ollama -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8080 - protocol: TCP - 
name: http - selector: - app.kubernetes.io/controller: web - app.kubernetes.io/instance: ollama - app.kubernetes.io/name: ollama ---- -# Source: ollama/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: ollama-pd05wd - namespace: ollama - labels: - app.kubernetes.io/name: ollama-pd05wd - app.kubernetes.io/instance: ollama - app.kubernetes.io/part-of: ollama - annotations: - tailscale.com/tailnet-fqdn: ollama-pd05wd.boreal-beaufort.ts.net -spec: - externalName: placeholder - type: ExternalName ---- -# Source: ollama/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: stable-diffusion-pd05wd - namespace: ollama - labels: - app.kubernetes.io/name: stable-diffusion-pd05wd - app.kubernetes.io/instance: ollama - app.kubernetes.io/part-of: ollama - annotations: - tailscale.com/tailnet-fqdn: stable-diffusion-pd05wd.boreal-beaufort.ts.net -spec: - externalName: placeholder - type: ExternalName ---- -# Source: ollama/charts/ollama/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ollama-server-1 - labels: - app.kubernetes.io/controller: server-1 - app.kubernetes.io/instance: ollama - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ollama - helm.sh/chart: ollama-4.4.0 - namespace: ollama -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: server-1 - app.kubernetes.io/name: ollama - app.kubernetes.io/instance: ollama - template: - metadata: - labels: - app.kubernetes.io/controller: server-1 - app.kubernetes.io/instance: ollama - app.kubernetes.io/name: ollama - ollama-type: server - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: ollama-type - operator: 
In - values: - - server - topologyKey: kubernetes.io/hostname - containers: - - env: - - name: OLLAMA_KEEP_ALIVE - value: 24h - - name: OLLAMA_HOST - value: 0.0.0.0 - image: ollama/ollama:0.13.1 - imagePullPolicy: IfNotPresent - name: main - resources: - limits: - gpu.intel.com/i915: 1 - requests: - cpu: 100m - gpu.intel.com/i915: 1 - memory: 1Gi - volumeMounts: - - mountPath: /root/.ollama - name: server-1 - volumes: - - name: server-1 - persistentVolumeClaim: - claimName: ollama-server-1 ---- -# Source: ollama/charts/ollama/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ollama-server-2 - labels: - app.kubernetes.io/controller: server-2 - app.kubernetes.io/instance: ollama - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ollama - helm.sh/chart: ollama-4.4.0 - namespace: ollama -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: server-2 - app.kubernetes.io/name: ollama - app.kubernetes.io/instance: ollama - template: - metadata: - labels: - app.kubernetes.io/controller: server-2 - app.kubernetes.io/instance: ollama - app.kubernetes.io/name: ollama - ollama-type: server - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: ollama-type - operator: In - values: - - server - topologyKey: kubernetes.io/hostname - containers: - - env: - - name: OLLAMA_KEEP_ALIVE - value: 24h - - name: OLLAMA_HOST - value: 0.0.0.0 - image: ollama/ollama:0.13.1 - imagePullPolicy: IfNotPresent - name: main - resources: - limits: - gpu.intel.com/i915: 1 - requests: - cpu: 100m - gpu.intel.com/i915: 1 - memory: 1Gi - volumeMounts: - - mountPath: /root/.ollama - name: server-2 - volumes: - - name: server-2 - 
persistentVolumeClaim: - claimName: ollama-server-2 ---- -# Source: ollama/charts/ollama/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ollama-server-3 - labels: - app.kubernetes.io/controller: server-3 - app.kubernetes.io/instance: ollama - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ollama - helm.sh/chart: ollama-4.4.0 - namespace: ollama -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: server-3 - app.kubernetes.io/name: ollama - app.kubernetes.io/instance: ollama - template: - metadata: - labels: - app.kubernetes.io/controller: server-3 - app.kubernetes.io/instance: ollama - app.kubernetes.io/name: ollama - ollama-type: server - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: ollama-type - operator: In - values: - - server - topologyKey: kubernetes.io/hostname - containers: - - env: - - name: OLLAMA_KEEP_ALIVE - value: 24h - - name: OLLAMA_HOST - value: 0.0.0.0 - image: ollama/ollama:0.13.1 - imagePullPolicy: IfNotPresent - name: main - resources: - limits: - gpu.intel.com/i915: 1 - requests: - cpu: 100m - gpu.intel.com/i915: 1 - memory: 1Gi - volumeMounts: - - mountPath: /root/.ollama - name: server-3 - volumes: - - name: server-3 - persistentVolumeClaim: - claimName: ollama-server-3 ---- -# Source: ollama/charts/ollama/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ollama-web - labels: - app.kubernetes.io/controller: web - app.kubernetes.io/instance: ollama - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ollama - helm.sh/chart: ollama-4.4.0 - namespace: ollama -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - 
type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: web - app.kubernetes.io/name: ollama - app.kubernetes.io/instance: ollama - template: - metadata: - labels: - app.kubernetes.io/controller: web - app.kubernetes.io/instance: ollama - app.kubernetes.io/name: ollama - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: ENV - value: prod - - name: WEBUI_AUTH - value: "true" - - name: WEBUI_NAME - value: Ollama - - name: WEBUI_URL - value: http://ollama.alexlebens.net - - name: ENABLE_LOGIN_FORM - value: "false" - - name: DEFAULT_USER_ROLE - value: admin - - name: WEBUI_SECRET_KEY - valueFrom: - secretKeyRef: - key: key - name: ollama-key-secret - - name: DATABASE_URL - valueFrom: - secretKeyRef: - key: uri - name: ollama-web-postgresql-17-cluster-app - - name: OLLAMA_BASE_URL - value: http://ollama-server-1.ollama:11434 - - name: ENABLE_OAUTH_SIGNUP - value: "true" - - name: OAUTH_USERNAME_CLAIM - value: preferred_username - - name: OAUTH_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: secret - name: ollama-oidc-secret - - name: OAUTH_CLIENT_ID - valueFrom: - secretKeyRef: - key: client - name: ollama-oidc-secret - - name: OAUTH_PROVIDER_NAME - value: Authentik - - name: OPENID_PROVIDER_URL - value: https://authentik.alexlebens.net/application/o/ollama/.well-known/openid-configuration - image: ghcr.io/open-webui/open-webui:0.6.41 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 1Gi - volumeMounts: - - mountPath: /app/backend/data - name: web-data - volumes: - - name: web-data - persistentVolumeClaim: - claimName: ollama-web-data ---- -# Source: ollama/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: ollama-web-postgresql-17-cluster - namespace: ollama - labels: - 
helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: ollama-web-postgresql-17 - app.kubernetes.io/instance: ollama - app.kubernetes.io/part-of: ollama - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "ollama-web-postgresql-17-external-backup" - serverName: "ollama-web-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "ollama-web-postgresql-17-garage-local-backup" - serverName: "ollama-web-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "ollama-web-postgresql-17-recovery" - serverName: ollama-web-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: ollama-web-postgresql-17-backup-1 - - externalClusters: - - name: ollama-web-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "ollama-web-postgresql-17-recovery" - serverName: 
ollama-web-postgresql-17-backup-1 ---- -# Source: ollama/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: ollama-key-secret - namespace: ollama - labels: - app.kubernetes.io/name: ollama-key-secret - app.kubernetes.io/instance: ollama - app.kubernetes.io/part-of: ollama -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: key - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/ollama/key - metadataPolicy: None - property: key ---- -# Source: ollama/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: ollama-oidc-secret - namespace: ollama - labels: - app.kubernetes.io/name: ollama-oidc-secret - app.kubernetes.io/instance: ollama - app.kubernetes.io/part-of: ollama -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: client - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/ollama - metadataPolicy: None - property: client - - secretKey: secret - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/ollama - metadataPolicy: None - property: secret ---- -# Source: ollama/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: ollama-web-data-backup-secret - namespace: ollama - labels: - app.kubernetes.io/name: ollama-web-data-backup-secret - app.kubernetes.io/instance: ollama - app.kubernetes.io/part-of: ollama -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/ollama/ollama-web" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: 
RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: ollama/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: ollama-web-postgresql-17-cluster-backup-secret - namespace: ollama - labels: - app.kubernetes.io/name: ollama-web-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: ollama - app.kubernetes.io/part-of: ollama -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: ollama/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: ollama-web-postgresql-17-cluster-backup-secret-garage - namespace: ollama - labels: - app.kubernetes.io/name: ollama-web-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: ollama - app.kubernetes.io/part-of: ollama -spec: - secretStoreRef: - kind: ClusterSecretStore - name: 
vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: ollama/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-ollama - namespace: ollama - labels: - app.kubernetes.io/name: http-route-ollama - app.kubernetes.io/instance: ollama - app.kubernetes.io/part-of: ollama -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - ollama.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: ollama-web - port: 80 - weight: 100 ---- -# Source: ollama/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "ollama-web-postgresql-17-external-backup" - namespace: ollama - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: ollama-web-postgresql-17 - app.kubernetes.io/instance: ollama - app.kubernetes.io/part-of: ollama - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/ollama/ollama-web-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: ollama-web-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - 
name: ollama-web-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: ollama/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "ollama-web-postgresql-17-garage-local-backup" - namespace: ollama - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: ollama-web-postgresql-17 - app.kubernetes.io/instance: ollama - app.kubernetes.io/part-of: ollama - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/ollama/ollama-web-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: ollama-web-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: ollama-web-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: ollama-web-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: ollama/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "ollama-web-postgresql-17-recovery" - namespace: ollama - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: ollama-web-postgresql-17 - app.kubernetes.io/instance: ollama - app.kubernetes.io/part-of: ollama - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/ollama/ollama-web-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: ollama-web-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: ollama-web-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: 
ollama/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: ollama-web-postgresql-17-alert-rules - namespace: ollama - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: ollama-web-postgresql-17 - app.kubernetes.io/instance: ollama - app.kubernetes.io/part-of: ollama - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/ollama-web-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: ollama - cnpg_cluster: ollama-web-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: ollama - cnpg_cluster: ollama-web-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. 
- - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="ollama"} - cnpg_pg_replication_is_wal_receiver_up{namespace="ollama"}) < 1 - for: 5m - labels: - severity: critical - namespace: ollama - cnpg_cluster: ollama-web-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="ollama"} - cnpg_pg_replication_is_wal_receiver_up{namespace="ollama"}) < 2 - for: 5m - labels: - severity: warning - namespace: ollama - cnpg_cluster: ollama-web-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "ollama/ollama-web-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="ollama", pod=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="ollama", pod=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: ollama - cnpg_cluster: ollama-web-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "ollama/ollama-web-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="ollama", pod=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="ollama", pod=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: ollama - cnpg_cluster: ollama-web-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "ollama/ollama-web-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="ollama",pod=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: ollama - cnpg_cluster: ollama-web-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "ollama/ollama-web-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="ollama", pod=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: ollama - cnpg_cluster: ollama-web-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: ollama - cnpg_cluster: ollama-web-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "ollama/ollama-web-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="ollama", persistentvolumeclaim=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="ollama", persistentvolumeclaim=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="ollama", persistentvolumeclaim=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="ollama", persistentvolumeclaim=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="ollama", persistentvolumeclaim=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="ollama", persistentvolumeclaim=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: ollama - cnpg_cluster: ollama-web-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "ollama/ollama-web-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="ollama", persistentvolumeclaim=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="ollama", persistentvolumeclaim=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="ollama", persistentvolumeclaim=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="ollama", persistentvolumeclaim=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="ollama", persistentvolumeclaim=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="ollama", persistentvolumeclaim=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: ollama - cnpg_cluster: ollama-web-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "ollama/ollama-web-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md
- expr: |
- (count(cnpg_collector_up{namespace="ollama",pod=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0
- for: 5m
- labels:
- severity: critical
- namespace: ollama
- cnpg_cluster: ollama-web-postgresql-17-cluster
- - alert: CNPGClusterPGDatabaseXidAgeWarning
- annotations:
- summary: CNPG Cluster has a number of transactions from the frozen XID to the current one.
- description: |-
- Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }}
- expr: |
- cnpg_pg_database_xid_age > 300000000
- for: 1m
- labels:
- severity: warning
- namespace: ollama
- cnpg_cluster: ollama-web-postgresql-17-cluster
- - alert: CNPGClusterPGReplicationWarning
- annotations:
- summary: CNPG Cluster standby is lagging behind the primary.
- description: |-
- Standby is lagging behind by over 300 seconds (5 minutes)
- expr: |
- cnpg_pg_replication_lag > 300
- for: 1m
- labels:
- severity: warning
- namespace: ollama
- cnpg_cluster: ollama-web-postgresql-17-cluster
- - alert: CNPGClusterReplicaFailingReplicationWarning
- annotations:
- summary: CNPG Cluster has a replica is failing to replicate.
- description: |-
- Replica {{ $labels.pod }} - is failing to replicate
- expr: |
- cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up
- for: 1m
- labels:
- severity: warning
- namespace: ollama
- cnpg_cluster: ollama-web-postgresql-17-cluster
- - alert: CNPGClusterZoneSpreadWarning
- annotations:
- summary: CNPG Cluster instances in the same zone.
- description: |-
- CloudNativePG Cluster "ollama/ollama-web-postgresql-17-cluster" has instances in the same availability zone.
- - A disaster in one availability zone will lead to a potential service disruption and/or data loss.
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md
- expr: |
- 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="ollama", pod=~"ollama-web-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3
- for: 5m
- labels:
- severity: warning
- namespace: ollama
- cnpg_cluster: ollama-web-postgresql-17-cluster
----
-# Source: ollama/templates/replication-source.yaml
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
- name: ollama-web-data-backup-source
- namespace: ollama
- labels:
- app.kubernetes.io/name: ollama-web-data-backup-source
- app.kubernetes.io/instance: ollama
- app.kubernetes.io/part-of: ollama
-spec:
- sourcePVC: ollama-web-data
- trigger:
- schedule: 0 4 * * *
- restic:
- pruneIntervalDays: 7
- repository: ollama-web-data-backup-secret
- retain:
- hourly: 1
- daily: 3
- weekly: 2
- monthly: 2
- yearly: 4
- moverSecurityContext:
- runAsUser: 1337
- runAsGroup: 1337
- copyMethod: Snapshot
- storageClassName: ceph-block
- volumeSnapshotClassName: ceph-blockpool-snapshot
----
-# Source: ollama/charts/postgres-17-cluster/templates/scheduled-backup.yaml
-apiVersion: postgresql.cnpg.io/v1
-kind: ScheduledBackup
-metadata:
- name: "ollama-web-postgresql-17-daily-backup-scheduled-backup"
- namespace: ollama
- labels:
- helm.sh/chart: postgres-17-cluster-6.16.1
- app.kubernetes.io/name: ollama-web-postgresql-17
- app.kubernetes.io/instance: ollama
- app.kubernetes.io/part-of: ollama
- app.kubernetes.io/version: "6.16.1"
- app.kubernetes.io/managed-by: Helm
-spec:
- immediate: false
- suspend: false
- schedule: "0 0 0 * * *"
- backupOwnerReference: self
- cluster:
- name: ollama-web-postgresql-17-cluster
- method: plugin
- pluginConfiguration:
- name: barman-cloud.cloudnative-pg.io
- parameters:
- barmanObjectName: "ollama-web-postgresql-17-external-backup"
----
-#
Source: ollama/charts/postgres-17-cluster/templates/scheduled-backup.yaml
-apiVersion: postgresql.cnpg.io/v1
-kind: ScheduledBackup
-metadata:
- name: "ollama-web-postgresql-17-live-backup-scheduled-backup"
- namespace: ollama
- labels:
- helm.sh/chart: postgres-17-cluster-6.16.1
- app.kubernetes.io/name: ollama-web-postgresql-17
- app.kubernetes.io/instance: ollama
- app.kubernetes.io/part-of: ollama
- app.kubernetes.io/version: "6.16.1"
- app.kubernetes.io/managed-by: Helm
-spec:
- immediate: true
- suspend: false
- schedule: "0 0 0 * * *"
- backupOwnerReference: self
- cluster:
- name: ollama-web-postgresql-17-cluster
- method: plugin
- pluginConfiguration:
- name: barman-cloud.cloudnative-pg.io
- parameters:
- barmanObjectName: "ollama-web-postgresql-17-garage-local-backup"
diff --git a/clusters/cl01tl/manifests/omni-tools/omni-tools.yaml b/clusters/cl01tl/manifests/omni-tools/omni-tools.yaml
deleted file mode 100644
index 03b280a74..000000000
--- a/clusters/cl01tl/manifests/omni-tools/omni-tools.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
----
-# Source: omni-tools/charts/omni-tools/templates/common.yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: omni-tools
- labels:
- app.kubernetes.io/instance: omni-tools
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: omni-tools
- app.kubernetes.io/service: omni-tools
- helm.sh/chart: omni-tools-4.4.0
- namespace: omni-tools
-spec:
- type: ClusterIP
- ports:
- - port: 80
- targetPort: 80
- protocol: TCP
- name: http
- selector:
- app.kubernetes.io/controller: main
- app.kubernetes.io/instance: omni-tools
- app.kubernetes.io/name: omni-tools
----
-# Source: omni-tools/charts/omni-tools/templates/common.yaml
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: omni-tools
- labels:
- app.kubernetes.io/controller: main
- app.kubernetes.io/instance: omni-tools
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: omni-tools
- helm.sh/chart: omni-tools-4.4.0
- namespace: omni-tools
-spec:
- revisionHistoryLimit: 3
- replicas: 1
- strategy:
- type: Recreate
- selector:
- matchLabels:
- app.kubernetes.io/controller: main
- app.kubernetes.io/name: omni-tools
- app.kubernetes.io/instance: omni-tools
- template:
- metadata:
- labels:
- app.kubernetes.io/controller: main
- app.kubernetes.io/instance: omni-tools
- app.kubernetes.io/name: omni-tools
- spec:
- enableServiceLinks: false
- serviceAccountName: default
- automountServiceAccountToken: true
- hostIPC: false
- hostNetwork: false
- hostPID: false
- dnsPolicy: ClusterFirst
- containers:
- - image: iib0011/omni-tools:0.6.0
- imagePullPolicy: IfNotPresent
- name: main
- resources:
- requests:
- cpu: 50m
- memory: 512Mi
----
-# Source: omni-tools/templates/http-route.yaml
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: http-route-omni-tools
- namespace: omni-tools
- labels:
- app.kubernetes.io/name: http-route-omni-tools
- app.kubernetes.io/instance: omni-tools
- app.kubernetes.io/part-of: omni-tools
-spec:
- parentRefs:
- - group:
gateway.networking.k8s.io
- kind: Gateway
- name: traefik-gateway
- namespace: traefik
- hostnames:
- - omni-tools.alexlebens.net
- rules:
- - matches:
- - path:
- type: PathPrefix
- value: /
- backendRefs:
- - group: ''
- kind: Service
- name: omni-tools
- port: 80
- weight: 100
diff --git a/clusters/cl01tl/manifests/outline/outline.yaml b/clusters/cl01tl/manifests/outline/outline.yaml
deleted file mode 100644
index cea7ce408..000000000
--- a/clusters/cl01tl/manifests/outline/outline.yaml
+++ /dev/null
@@ -1,988 +0,0 @@ ---- -# Source: outline/charts/outline/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: outline - labels: - app.kubernetes.io/instance: outline - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: outline - app.kubernetes.io/service: outline - helm.sh/chart: outline-4.4.0 - namespace: outline -spec: - type: ClusterIP - ports: - - port: 3000 - targetPort: 3000 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: outline - app.kubernetes.io/name: outline ---- -# Source: outline/charts/cloudflared-outline/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: outline-cloudflared-outline - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: outline - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cloudflared-outline - app.kubernetes.io/version: 2025.10.0 - helm.sh/chart: cloudflared-outline-1.23.1 - namespace: outline -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: cloudflared-outline - app.kubernetes.io/instance: outline - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: outline - app.kubernetes.io/name: cloudflared-outline - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - tunnel - - --protocol - - http2 - - --no-autoupdate - - run - - --token - - $(CF_MANAGED_TUNNEL_TOKEN) - env: - - name: CF_MANAGED_TUNNEL_TOKEN - valueFrom: - secretKeyRef: - key: cf-tunnel-token - name: outline-cloudflared-secret - image: cloudflare/cloudflared:2025.11.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: 
outline/charts/outline/templates/common.yaml ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: outline - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: outline - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: outline - helm.sh/chart: outline-4.4.0 - namespace: outline -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: outline - app.kubernetes.io/instance: outline - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: outline - app.kubernetes.io/name: outline - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: NODE_ENV - value: production - - name: URL - value: https://wiki.alexlebens.dev - - name: PORT - value: "3000" - - name: SECRET_KEY - valueFrom: - secretKeyRef: - key: secret-key - name: outline-key-secret - - name: UTILS_SECRET - valueFrom: - secretKeyRef: - key: utils-key - name: outline-key-secret - - name: POSTGRES_USERNAME - valueFrom: - secretKeyRef: - key: username - name: outline-postgresql-17-cluster-app - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: outline-postgresql-17-cluster-app - - name: POSTGRES_DATABASE_NAME - valueFrom: - secretKeyRef: - key: dbname - name: outline-postgresql-17-cluster-app - - name: POSTGRES_DATABASE_HOST - valueFrom: - secretKeyRef: - key: host - name: outline-postgresql-17-cluster-app - - name: POSTGRES_DATABASE_PORT - valueFrom: - secretKeyRef: - key: port - name: outline-postgresql-17-cluster-app - - name: DATABASE_URL - value: postgres://$(POSTGRES_USERNAME):$(POSTGRES_PASSWORD)@$(POSTGRES_DATABASE_HOST):$(POSTGRES_DATABASE_PORT)/$(POSTGRES_DATABASE_NAME) - - name: DATABASE_URL_TEST - value: 
postgres://$(POSTGRES_USERNAME):$(POSTGRES_PASSWORD)@$(POSTGRES_DATABASE_HOST):$(POSTGRES_DATABASE_PORT)/$(POSTGRES_DATABASE_NAME)-test - - name: DATABASE_CONNECTION_POOL_MIN - value: "2" - - name: DATABASE_CONNECTION_POOL_MAX - value: "20" - - name: PGSSLMODE - value: disable - - name: REDIS_URL - value: redis://redis-replication-outline-master.outline:6379 - - name: FILE_STORAGE - value: s3 - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: AWS_ACCESS_KEY_ID - name: ceph-bucket-outline - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: AWS_SECRET_ACCESS_KEY - name: ceph-bucket-outline - - name: AWS_REGION - value: us-east-1 - - name: AWS_S3_UPLOAD_BUCKET_NAME - valueFrom: - configMapKeyRef: - key: BUCKET_NAME - name: ceph-bucket-outline - - name: AWS_S3_UPLOAD_BUCKET_URL - value: https://objects.alexlebens.dev - - name: AWS_S3_FORCE_PATH_STYLE - value: "true" - - name: AWS_S3_ACL - value: private - - name: FILE_STORAGE_UPLOAD_MAX_SIZE - value: "26214400" - - name: FORCE_HTTPS - value: "false" - - name: ENABLE_UPDATES - value: "false" - - name: WEB_CONCURRENCY - value: "1" - - name: FILE_STORAGE_IMPORT_MAX_SIZE - value: "5.12e+06" - - name: LOG_LEVEL - value: info - - name: DEFAULT_LANGUAGE - value: en_US - - name: RATE_LIMITER_ENABLED - value: "false" - - name: DEVELOPMENT_UNSAFE_INLINE_CSP - value: "false" - - name: OIDC_CLIENT_ID - valueFrom: - secretKeyRef: - key: client - name: outline-oidc-secret - - name: OIDC_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: secret - name: outline-oidc-secret - - name: OIDC_AUTH_URI - value: https://auth.alexlebens.dev/application/o/authorize/ - - name: OIDC_TOKEN_URI - value: https://auth.alexlebens.dev/application/o/token/ - - name: OIDC_USERINFO_URI - value: https://auth.alexlebens.dev/application/o/userinfo/ - - name: OIDC_USERNAME_CLAIM - value: email - - name: OIDC_DISPLAY_NAME - value: Authentik - - name: OIDC_SCOPES - value: openid profile email - image: outlinewiki/outline:1.1.0 - 
imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 512Mi ---- -# Source: outline/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: outline-postgresql-17-cluster - namespace: outline - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: outline-postgresql-17 - app.kubernetes.io/instance: outline - app.kubernetes.io/part-of: outline - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "outline-postgresql-17-external-backup" - serverName: "outline-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "outline-postgresql-17-garage-local-backup" - serverName: "outline-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "outline-postgresql-17-recovery" - serverName: outline-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: 
outline-postgresql-17-backup-1 - - externalClusters: - - name: outline-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "outline-postgresql-17-recovery" - serverName: outline-postgresql-17-backup-1 ---- -# Source: outline/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: outline-key-secret - namespace: outline - labels: - app.kubernetes.io/name: outline-key-secret - app.kubernetes.io/instance: outline - app.kubernetes.io/part-of: outline -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: secret-key - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/outline/key - metadataPolicy: None - property: secret-key - - secretKey: utils-key - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/outline/key - metadataPolicy: None - property: utils-key ---- -# Source: outline/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: outline-oidc-secret - namespace: outline - labels: - app.kubernetes.io/name: outline-oidc-secret - app.kubernetes.io/instance: outline - app.kubernetes.io/part-of: outline -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: client - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/outline - metadataPolicy: None - property: client - - secretKey: secret - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/outline - metadataPolicy: None - property: secret ---- -# Source: outline/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: outline-cloudflared-secret - namespace: outline - labels: - app.kubernetes.io/name: outline-cloudflared-secret - app.kubernetes.io/instance: outline - 
app.kubernetes.io/part-of: outline -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: cf-tunnel-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/tunnels/outline - metadataPolicy: None - property: token ---- -# Source: outline/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: outline-postgresql-17-cluster-backup-secret - namespace: outline - labels: - app.kubernetes.io/name: outline-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: outline - app.kubernetes.io/part-of: outline -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: outline/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: outline-postgresql-17-cluster-backup-secret-garage - namespace: outline - labels: - app.kubernetes.io/name: outline-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: outline - app.kubernetes.io/part-of: outline -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - 
decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: outline/templates/object-bucket-claim.yaml -apiVersion: objectbucket.io/v1alpha1 -kind: ObjectBucketClaim -metadata: - name: ceph-bucket-outline - labels: - app.kubernetes.io/name: ceph-bucket-outline - app.kubernetes.io/instance: outline - app.kubernetes.io/part-of: outline -spec: - generateBucketName: bucket-outline - storageClassName: ceph-bucket - additionalConfig: - bucketPolicy: | - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor", - "Effect": "Allow", - "Action": [ - "s3:GetObjectAcl", - "s3:DeleteObject", - "s3:PutObject", - "s3:GetObject", - "s3:PutObjectAcl" - ], - "Resource": "arn:aws:s3:::bucket-outline-630c57e0-d475-4d78-926c-c1c082291d73/*" - } - ] - } ---- -# Source: outline/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "outline-postgresql-17-external-backup" - namespace: outline - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: outline-postgresql-17 - app.kubernetes.io/instance: outline - app.kubernetes.io/part-of: outline - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/outline/outline-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: outline-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: outline-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: outline/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "outline-postgresql-17-garage-local-backup" - namespace: outline - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - 
app.kubernetes.io/name: outline-postgresql-17 - app.kubernetes.io/instance: outline - app.kubernetes.io/part-of: outline - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/outline/outline-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: outline-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: outline-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: outline-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: outline/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "outline-postgresql-17-recovery" - namespace: outline - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: outline-postgresql-17 - app.kubernetes.io/instance: outline - app.kubernetes.io/part-of: outline - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/outline/outline-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: outline-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: outline-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: outline/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: outline-postgresql-17-alert-rules - namespace: outline - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: outline-postgresql-17 - app.kubernetes.io/instance: outline - app.kubernetes.io/part-of: outline - 
app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/outline-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: outline - cnpg_cluster: outline-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: outline - cnpg_cluster: outline-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="outline"} - cnpg_pg_replication_is_wal_receiver_up{namespace="outline"}) < 1 - for: 5m - labels: - severity: critical - namespace: outline - cnpg_cluster: outline-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="outline"} - cnpg_pg_replication_is_wal_receiver_up{namespace="outline"}) < 2 - for: 5m - labels: - severity: warning - namespace: outline - cnpg_cluster: outline-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "outline/outline-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="outline", pod=~"outline-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="outline", pod=~"outline-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: outline - cnpg_cluster: outline-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "outline/outline-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="outline", pod=~"outline-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="outline", pod=~"outline-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: outline - cnpg_cluster: outline-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "outline/outline-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="outline",pod=~"outline-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: outline - cnpg_cluster: outline-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "outline/outline-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="outline", pod=~"outline-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: outline - cnpg_cluster: outline-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: outline - cnpg_cluster: outline-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "outline/outline-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="outline", persistentvolumeclaim=~"outline-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="outline", persistentvolumeclaim=~"outline-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="outline", persistentvolumeclaim=~"outline-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="outline", persistentvolumeclaim=~"outline-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="outline", persistentvolumeclaim=~"outline-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="outline", persistentvolumeclaim=~"outline-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"outline-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: outline - cnpg_cluster: outline-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "outline/outline-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="outline", persistentvolumeclaim=~"outline-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="outline", persistentvolumeclaim=~"outline-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="outline", persistentvolumeclaim=~"outline-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="outline", persistentvolumeclaim=~"outline-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="outline", persistentvolumeclaim=~"outline-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="outline", persistentvolumeclaim=~"outline-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"outline-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: outline - cnpg_cluster: outline-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "outline/outline-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="outline",pod=~"outline-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: outline - cnpg_cluster: outline-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: outline - cnpg_cluster: outline-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: outline - cnpg_cluster: outline-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: outline - cnpg_cluster: outline-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "outline/outline-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="outline", pod=~"outline-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: outline - cnpg_cluster: outline-postgresql-17-cluster ---- -# Source: outline/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-outline - namespace: outline - labels: - app.kubernetes.io/name: redis-replication-outline - app.kubernetes.io/instance: outline - app.kubernetes.io/part-of: outline -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.0.3 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi - redisExporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.48.0 ---- -# Source: outline/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "outline-postgresql-17-daily-backup-scheduled-backup" - namespace: outline - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: outline-postgresql-17 - app.kubernetes.io/instance: outline - app.kubernetes.io/part-of: outline - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: outline-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - 
barmanObjectName: "outline-postgresql-17-external-backup" ---- -# Source: outline/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "outline-postgresql-17-live-backup-scheduled-backup" - namespace: outline - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: outline-postgresql-17 - app.kubernetes.io/instance: outline - app.kubernetes.io/part-of: outline - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: outline-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "outline-postgresql-17-garage-local-backup" ---- -# Source: outline/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: redis-replication-outline - namespace: outline - labels: - app.kubernetes.io/name: redis-replication-outline - app.kubernetes.io/instance: outline - app.kubernetes.io/part-of: outline - redis-operator: "true" - env: production -spec: - selector: - matchLabels: - redis_setup_type: replication - endpoints: - - port: redis-exporter - interval: 30s - scrapeTimeout: 10s
diff --git a/clusters/cl01tl/manifests/overseerr/overseerr.yaml b/clusters/cl01tl/manifests/overseerr/overseerr.yaml
deleted file mode 100644
index 3e45d4702..000000000
--- a/clusters/cl01tl/manifests/overseerr/overseerr.yaml
+++ /dev/null
@@ -1,215 +0,0 @@ ---- -# Source: overseerr/charts/app-template/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: overseerr-main - labels: - app.kubernetes.io/instance: overseerr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: overseerr - helm.sh/chart: app-template-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: overseerr -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "10Gi" - storageClassName: "ceph-block" ---- -# Source: overseerr/charts/app-template/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: overseerr - labels: - app.kubernetes.io/instance: overseerr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: overseerr - app.kubernetes.io/service: overseerr - helm.sh/chart: app-template-4.4.0 - namespace: overseerr -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 5055 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: overseerr - app.kubernetes.io/name: overseerr ---- -# Source: overseerr/charts/app-template/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: overseerr - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: overseerr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: overseerr - helm.sh/chart: app-template-4.4.0 - namespace: overseerr -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: overseerr - app.kubernetes.io/instance: overseerr - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: overseerr - app.kubernetes.io/name: overseerr - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - 
containers: - - env: - - name: TZ - value: US/Central - image: ghcr.io/sct/overseerr:1.34.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 512Mi - volumeMounts: - - mountPath: /app/config - name: main - volumes: - - name: main - persistentVolumeClaim: - claimName: overseerr-main ---- -# Source: overseerr/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: overseerr-main-backup-secret - namespace: overseerr - labels: - app.kubernetes.io/name: overseerr-main-backup-secret - app.kubernetes.io/instance: overseerr - app.kubernetes.io/part-of: overseerr -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/overseerr/overseerr-main" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: overseerr/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-overseerr - namespace: 
overseerr - labels: - app.kubernetes.io/name: http-route-overseerr - app.kubernetes.io/instance: overseerr - app.kubernetes.io/part-of: overseerr -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - overseerr.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: overseerr - port: 80 - weight: 100 ---- -# Source: overseerr/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: overseerr-main-backup-source - namespace: overseerr - labels: - app.kubernetes.io/name: overseerr-main-backup-source - app.kubernetes.io/instance: overseerr - app.kubernetes.io/part-of: overseerr -spec: - sourcePVC: overseerr-main - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: overseerr-main-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot
diff --git a/clusters/cl01tl/manifests/pgadmin/pgadmin.yaml b/clusters/cl01tl/manifests/pgadmin/pgadmin.yaml
deleted file mode 100644
index 8773d96fc..000000000
--- a/clusters/cl01tl/manifests/pgadmin/pgadmin.yaml
+++ /dev/null
@@ -1,309 +0,0 @@ ---- -# Source: pgadmin4/charts/pgadmin4/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: pgadmin4-data - labels: - app.kubernetes.io/instance: pgadmin - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: pgadmin - helm.sh/chart: pgadmin4-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: pgadmin -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: pgadmin4/charts/pgadmin4/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: pgadmin - labels: - app.kubernetes.io/instance: pgadmin - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: pgadmin - app.kubernetes.io/service: pgadmin - helm.sh/chart: pgadmin4-4.4.0 - namespace: pgadmin -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 80 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: pgadmin - app.kubernetes.io/name: pgadmin ---- -# Source: pgadmin4/charts/pgadmin4/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: pgadmin - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: pgadmin - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: pgadmin - helm.sh/chart: pgadmin4-4.4.0 - namespace: pgadmin -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: pgadmin - app.kubernetes.io/instance: pgadmin - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: pgadmin - app.kubernetes.io/name: pgadmin - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - initContainers: - - command: - - /bin/sh - - -ec - - | - /bin/chown -R 
5050:5050 /var/lib/pgadmin - image: busybox:1.37.0 - imagePullPolicy: IfNotPresent - name: init-chmod-data - resources: - requests: - cpu: 10m - memory: 128Mi - securityContext: - runAsUser: 0 - volumeMounts: - - mountPath: /var/lib/pgadmin - name: data - containers: - - env: - - name: PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION - value: "False" - - name: PGADMIN_DEFAULT_EMAIL - value: alexanderlebens@gmail.com - - name: PGADMIN_DEFAULT_PASSWORD - valueFrom: - secretKeyRef: - key: pgadmin-password - name: pgadmin-password-secret - envFrom: - - secretRef: - name: pgadmin-env-secret - image: dpage/pgadmin4:9.10 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi - securityContext: - runAsGroup: 5050 - runAsUser: 5050 - volumeMounts: - - mountPath: /var/lib/pgadmin - name: data - volumes: - - name: data - persistentVolumeClaim: - claimName: pgadmin4-data ---- -# Source: pgadmin4/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: pgadmin-password-secret - namespace: pgadmin - labels: - app.kubernetes.io/name: pgadmin-password-secret - app.kubernetes.io/instance: pgadmin - app.kubernetes.io/part-of: pgadmin -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: pgadmin-password - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/pgadmin/auth - metadataPolicy: None - property: pgadmin-password ---- -# Source: pgadmin4/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: pgadmin-env-secret - namespace: pgadmin - labels: - app.kubernetes.io/name: pgadmin-env-secret - app.kubernetes.io/instance: pgadmin - app.kubernetes.io/part-of: pgadmin -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: PGADMIN_CONFIG_AUTHENTICATION_SOURCES - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/pgadmin/env 
- metadataPolicy: None - property: PGADMIN_CONFIG_AUTHENTICATION_SOURCES - - secretKey: PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/pgadmin/env - metadataPolicy: None - property: PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER - - secretKey: PGADMIN_CONFIG_OAUTH2_CONFIG - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/pgadmin/env - metadataPolicy: None - property: PGADMIN_CONFIG_OAUTH2_CONFIG ---- -# Source: pgadmin4/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: pgadmin-data-backup-secret - namespace: pgadmin - labels: - app.kubernetes.io/name: pgadmin-data-backup-secret - app.kubernetes.io/instance: pgadmin - app.kubernetes.io/part-of: pgadmin -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/pgadmin/pgadmin-data" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key 
---- -# Source: pgadmin4/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-pgadmin - namespace: pgadmin - labels: - app.kubernetes.io/name: http-route-pgadmin - app.kubernetes.io/instance: pgadmin - app.kubernetes.io/part-of: pgadmin -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - pgadmin.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: pgadmin - port: 80 - weight: 100 ---- -# Source: pgadmin4/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: pgadmin-data-backup-source - namespace: pgadmin - labels: - app.kubernetes.io/name: pgadmin-data-backup-source - app.kubernetes.io/instance: pgadmin - app.kubernetes.io/part-of: pgadmin -spec: - sourcePVC: pgadmin-data - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: pgadmin-data-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - moverSecurityContext: - runAsUser: 5050 - runAsGroup: 5050 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot
diff --git a/clusters/cl01tl/manifests/photoview/photoview.yaml b/clusters/cl01tl/manifests/photoview/photoview.yaml
deleted file mode 100644
index 618120ad7..000000000
--- a/clusters/cl01tl/manifests/photoview/photoview.yaml
+++ /dev/null
@@ -1,773 +0,0 @@ ---- -# Source: photoview/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: photoview-nfs-storage - namespace: photoview - labels: - app.kubernetes.io/name: photoview-nfs-storage - app.kubernetes.io/instance: photoview - app.kubernetes.io/part-of: photoview -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage/Pictures - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: photoview/charts/photoview/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: photoview-cache - labels: - app.kubernetes.io/instance: photoview - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: photoview - helm.sh/chart: photoview-4.4.0 - namespace: photoview -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "10Gi" - storageClassName: "ceph-block" ---- -# Source: photoview/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: photoview-nfs-storage - namespace: photoview - labels: - app.kubernetes.io/name: photoview-nfs-storage - app.kubernetes.io/instance: photoview - app.kubernetes.io/part-of: photoview -spec: - volumeName: photoview-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: photoview/charts/photoview/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: photoview - labels: - app.kubernetes.io/instance: photoview - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: photoview - app.kubernetes.io/service: photoview - helm.sh/chart: photoview-4.4.0 - namespace: photoview -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 80 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - 
app.kubernetes.io/instance: photoview - app.kubernetes.io/name: photoview ---- -# Source: photoview/charts/photoview/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: photoview - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: photoview - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: photoview - helm.sh/chart: photoview-4.4.0 - namespace: photoview -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: photoview - app.kubernetes.io/instance: photoview - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: photoview - app.kubernetes.io/name: photoview - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - initContainers: - - command: - - /bin/sh - - -ec - - | - /bin/chown -R 999:999 /app/cache - image: busybox:1.37.0 - imagePullPolicy: IfNotPresent - name: init-chmod-data - resources: - requests: - cpu: 100m - memory: 128Mi - securityContext: - runAsUser: 0 - volumeMounts: - - mountPath: /app/cache - name: cache - containers: - - env: - - name: PHOTOVIEW_DATABASE_DRIVER - value: postgres - - name: PHOTOVIEW_POSTGRES_URL - valueFrom: - secretKeyRef: - key: uri - name: photoview-postgresql-17-cluster-app - - name: PHOTOVIEW_MEDIA_CACHE - value: /app/cache - image: photoview/photoview:2.4.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 512Mi - volumeMounts: - - mountPath: /app/cache - name: cache - - mountPath: /photos - name: media - readOnly: true - volumes: - - name: cache - persistentVolumeClaim: - claimName: photoview-cache - - name: media - persistentVolumeClaim: - claimName: photoview-nfs-storage ---- -# Source: 
photoview/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: photoview-postgresql-17-cluster - namespace: photoview - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: photoview-postgresql-17 - app.kubernetes.io/instance: photoview - app.kubernetes.io/part-of: photoview - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "photoview-postgresql-17-external-backup" - serverName: "photoview-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "photoview-postgresql-17-garage-local-backup" - serverName: "photoview-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "photoview-postgresql-17-recovery" - serverName: photoview-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: photoview-postgresql-17-backup-1 - - externalClusters: - - name: photoview-postgresql-17-backup-1 - 
plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "photoview-postgresql-17-recovery" - serverName: photoview-postgresql-17-backup-1 ---- -# Source: photoview/templates/external-secrets.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: photoview-postgresql-17-cluster-backup-secret - namespace: photoview - labels: - app.kubernetes.io/name: photoview-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: photoview - app.kubernetes.io/part-of: photoview -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: photoview/templates/external-secrets.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: photoview-postgresql-17-cluster-backup-secret-garage - namespace: photoview - labels: - app.kubernetes.io/name: photoview-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: photoview - app.kubernetes.io/part-of: photoview -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: 
/garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: photoview/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-photoview - namespace: photoview - labels: - app.kubernetes.io/name: http-route-photoview - app.kubernetes.io/instance: photoview - app.kubernetes.io/part-of: photoview -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - photoview.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: photoview - port: 80 - weight: 100 ---- -# Source: photoview/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "photoview-postgresql-17-external-backup" - namespace: photoview - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: photoview-postgresql-17 - app.kubernetes.io/instance: photoview - app.kubernetes.io/part-of: photoview - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/photoview/photoview-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: photoview-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: photoview-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: photoview/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "photoview-postgresql-17-garage-local-backup" - namespace: photoview - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: photoview-postgresql-17 - app.kubernetes.io/instance: photoview - app.kubernetes.io/part-of: 
photoview - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/photoview/photoview-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: photoview-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: photoview-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: photoview-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: photoview/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "photoview-postgresql-17-recovery" - namespace: photoview - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: photoview-postgresql-17 - app.kubernetes.io/instance: photoview - app.kubernetes.io/part-of: photoview - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/photoview/photoview-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: photoview-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: photoview-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: photoview/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: photoview-postgresql-17-alert-rules - namespace: photoview - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: photoview-postgresql-17 - app.kubernetes.io/instance: photoview - app.kubernetes.io/part-of: photoview - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm 
-spec: - groups: - - name: cloudnative-pg/photoview-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: photoview - cnpg_cluster: photoview-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: photoview - cnpg_cluster: photoview-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="photoview"} - cnpg_pg_replication_is_wal_receiver_up{namespace="photoview"}) < 1 - for: 5m - labels: - severity: critical - namespace: photoview - cnpg_cluster: photoview-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="photoview"} - cnpg_pg_replication_is_wal_receiver_up{namespace="photoview"}) < 2 - for: 5m - labels: - severity: warning - namespace: photoview - cnpg_cluster: photoview-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "photoview/photoview-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="photoview", pod=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="photoview", pod=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: photoview - cnpg_cluster: photoview-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "photoview/photoview-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="photoview", pod=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="photoview", pod=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: photoview - cnpg_cluster: photoview-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "photoview/photoview-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="photoview",pod=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: photoview - cnpg_cluster: photoview-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "photoview/photoview-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="photoview", pod=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: photoview - cnpg_cluster: photoview-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: photoview - cnpg_cluster: photoview-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "photoview/photoview-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="photoview", persistentvolumeclaim=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="photoview", persistentvolumeclaim=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="photoview", persistentvolumeclaim=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="photoview", persistentvolumeclaim=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="photoview", persistentvolumeclaim=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="photoview", persistentvolumeclaim=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: photoview - cnpg_cluster: photoview-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "photoview/photoview-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="photoview", persistentvolumeclaim=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="photoview", persistentvolumeclaim=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="photoview", persistentvolumeclaim=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="photoview", persistentvolumeclaim=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="photoview", persistentvolumeclaim=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="photoview", persistentvolumeclaim=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: photoview - cnpg_cluster: photoview-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "photoview/photoview-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="photoview",pod=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: photoview - cnpg_cluster: photoview-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: photoview - cnpg_cluster: photoview-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: photoview - cnpg_cluster: photoview-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: photoview - cnpg_cluster: photoview-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "photoview/photoview-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="photoview", pod=~"photoview-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: photoview - cnpg_cluster: photoview-postgresql-17-cluster ---- -# Source: photoview/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "photoview-postgresql-17-daily-backup-scheduled-backup" - namespace: photoview - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: photoview-postgresql-17 - app.kubernetes.io/instance: photoview - app.kubernetes.io/part-of: photoview - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: photoview-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "photoview-postgresql-17-external-backup" ---- -# Source: photoview/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "photoview-postgresql-17-live-backup-scheduled-backup" - namespace: photoview - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: photoview-postgresql-17 - app.kubernetes.io/instance: photoview - app.kubernetes.io/part-of: photoview - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: photoview-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: 
barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "photoview-postgresql-17-garage-local-backup" diff --git a/clusters/cl01tl/manifests/plex/plex.yaml b/clusters/cl01tl/manifests/plex/plex.yaml deleted file mode 100644 index a05f2bcc7..000000000 --- a/clusters/cl01tl/manifests/plex/plex.yaml +++ /dev/null 
@@ -1,190 +0,0 @@ ---- -# Source: plex/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: plex-nfs-storage - namespace: plex - labels: - app.kubernetes.io/name: plex-nfs-storage - app.kubernetes.io/instance: plex - app.kubernetes.io/part-of: plex -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: plex/charts/plex/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: plex-config - labels: - app.kubernetes.io/instance: plex - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: plex - helm.sh/chart: plex-4.4.0 - namespace: plex -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "100Gi" - storageClassName: "ceph-block" ---- -# Source: plex/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: plex-nfs-storage - namespace: plex - labels: - app.kubernetes.io/name: plex-nfs-storage - app.kubernetes.io/instance: plex - app.kubernetes.io/part-of: plex -spec: - volumeName: plex-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: plex/charts/plex/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: plex - labels: - app.kubernetes.io/instance: plex - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: plex - app.kubernetes.io/service: plex - helm.sh/chart: plex-4.4.0 - namespace: plex -spec: - type: LoadBalancer - ports: - - port: 32400 - targetPort: 32400 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: plex - app.kubernetes.io/name: plex ---- -# Source: plex/charts/plex/templates/common.yaml -apiVersion: apps/v1 -kind: 
Deployment -metadata: - name: plex - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: plex - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: plex - helm.sh/chart: plex-4.4.0 - namespace: plex -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: plex - app.kubernetes.io/instance: plex - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: plex - app.kubernetes.io/name: plex - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: VERSION - value: docker - - name: PLEX_CLAIM - value: claim-XmGK2o9x54PbCzQaqj-J - image: ghcr.io/linuxserver/plex:1.42.2@sha256:ab81c7313fb5dc4d1f9562e5bbd5e5877a8a3c5ca6b9f9fff3437b5096a2b123 - imagePullPolicy: IfNotPresent - name: main - resources: - limits: - gpu.intel.com/i915: 1 - requests: - cpu: 10m - gpu.intel.com/i915: 1 - memory: 512Mi - volumeMounts: - - mountPath: /config - name: config - - mountPath: /mnt/store - name: media - readOnly: true - - mountPath: /transcode - name: transcode - volumes: - - name: config - persistentVolumeClaim: - claimName: plex-config - - name: media - persistentVolumeClaim: - claimName: plex-nfs-storage - - emptyDir: {} - name: transcode ---- -# Source: plex/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-plex - namespace: plex - labels: - app.kubernetes.io/name: http-route-plex - app.kubernetes.io/instance: plex - app.kubernetes.io/part-of: plex -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - plex.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix 
- value: / - backendRefs: - - group: '' - kind: Service - name: plex - port: 32400 - weight: 100 diff --git a/clusters/cl01tl/manifests/postiz/postiz.yaml b/clusters/cl01tl/manifests/postiz/postiz.yaml deleted file mode 100644 index f7306a0d0..000000000 --- a/clusters/cl01tl/manifests/postiz/postiz.yaml +++ /dev/null 
@@ -1,1180 +0,0 @@ ---- -# Source: postiz/charts/postiz/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: postiz-config - labels: - app.kubernetes.io/instance: postiz - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postiz - helm.sh/chart: postiz-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: postiz -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "2Gi" - storageClassName: "ceph-block" ---- -# Source: postiz/charts/postiz/templates/common.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: postiz-uploads - labels: - app.kubernetes.io/instance: postiz - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postiz - helm.sh/chart: postiz-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: postiz -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "10Gi" - storageClassName: "ceph-block" ---- -# Source: postiz/charts/postiz/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: postiz - labels: - app.kubernetes.io/instance: postiz - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postiz - app.kubernetes.io/service: postiz - helm.sh/chart: postiz-4.4.0 - namespace: postiz -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 5000 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: postiz - app.kubernetes.io/name: postiz ---- -# Source: postiz/charts/cloudflared/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: postiz-cloudflared-postiz - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: postiz - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cloudflared-postiz - app.kubernetes.io/version: 2025.10.0 - helm.sh/chart: cloudflared-1.23.1 - namespace: postiz -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - 
matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: cloudflared-postiz - app.kubernetes.io/instance: postiz - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: postiz - app.kubernetes.io/name: cloudflared-postiz - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - tunnel - - --protocol - - http2 - - --no-autoupdate - - run - - --token - - $(CF_MANAGED_TUNNEL_TOKEN) - env: - - name: CF_MANAGED_TUNNEL_TOKEN - valueFrom: - secretKeyRef: - key: cf-tunnel-token - name: postiz-cloudflared-secret - image: cloudflare/cloudflared:2025.11.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: postiz/charts/postiz/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: postiz - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: postiz - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postiz - helm.sh/chart: postiz-4.4.0 - namespace: postiz -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: postiz - app.kubernetes.io/instance: postiz - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: postiz - app.kubernetes.io/name: postiz - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: MAIN_URL - value: https://postiz.alexlebens.dev - - name: FRONTEND_URL - value: https://postiz.alexlebens.dev - - name: NEXT_PUBLIC_BACKEND_URL - value: https://postiz.alexlebens.dev/api - - name: JWT_SECRET - valueFrom: - secretKeyRef: 
- key: JWT_SECRET - name: postiz-config-secret - - name: DATABASE_URL - valueFrom: - secretKeyRef: - key: uri - name: postiz-postgresql-17-cluster-app - - name: REDIS_URL - valueFrom: - secretKeyRef: - key: REDIS_URL - name: postiz-redis-config - - name: BACKEND_INTERNAL_URL - value: http://localhost:3000 - - name: IS_GENERAL - value: "true" - - name: STORAGE_PROVIDER - value: local - - name: UPLOAD_DIRECTORY - value: /uploads - - name: NEXT_PUBLIC_UPLOAD_DIRECTORY - value: /uploads - - name: NEXT_PUBLIC_POSTIZ_OAUTH_DISPLAY_NAME - value: Authentik - - name: NEXT_PUBLIC_POSTIZ_OAUTH_LOGO_URL - value: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png - - name: POSTIZ_GENERIC_OAUTH - value: "true" - - name: POSTIZ_OAUTH_URL - value: https://auth.alexlebens.dev - - name: POSTIZ_OAUTH_AUTH_URL - value: https://auth.alexlebens.dev/application/o/authorize/ - - name: POSTIZ_OAUTH_TOKEN_URL - value: https://auth.alexlebens.dev/application/o/token/ - - name: POSTIZ_OAUTH_USERINFO_URL - value: https://auth.alexlebens.dev/application/o/userinfo/ - - name: POSTIZ_OAUTH_CLIENT_ID - valueFrom: - secretKeyRef: - key: client - name: postiz-oidc-secret - - name: POSTIZ_OAUTH_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: secret - name: postiz-oidc-secret - - name: POSTIZ_OAUTH_SCOPE - value: openid profile email - image: ghcr.io/gitroomhq/postiz-app:v2.9.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /config - name: config - - mountPath: /uploads - name: uploads - volumes: - - name: config - persistentVolumeClaim: - claimName: postiz-config - - name: uploads - persistentVolumeClaim: - claimName: postiz-uploads ---- -# Source: postiz/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: postiz-postgresql-17-cluster - namespace: postiz - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: 
postiz-postgresql-17 - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "postiz-postgresql-17-external-backup" - serverName: "postiz-postgresql-17-backup-2" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "postiz-postgresql-17-garage-local-backup" - serverName: "postiz-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "postiz-postgresql-17-recovery" - serverName: postiz-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: postiz-postgresql-17-backup-1 - - externalClusters: - - name: postiz-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "postiz-postgresql-17-recovery" - serverName: postiz-postgresql-17-backup-1 ---- -# Source: postiz/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: 
ExternalSecret -metadata: - name: postiz-config-secret - namespace: postiz - labels: - app.kubernetes.io/name: postiz-config-secret - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: JWT_SECRET - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/postiz/config - metadataPolicy: None - property: JWT_SECRET ---- -# Source: postiz/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: postiz-redis-config - namespace: postiz - labels: - app.kubernetes.io/name: postiz-redis-config - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: REDIS_URL - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/postiz/redis - metadataPolicy: None - property: REDIS_URL - - secretKey: user - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/postiz/redis - metadataPolicy: None - property: user - - secretKey: password - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/postiz/redis - metadataPolicy: None - property: password ---- -# Source: postiz/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: postiz-oidc-secret - namespace: postiz - labels: - app.kubernetes.io/name: postiz-oidc-secret - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: client - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/postiz - metadataPolicy: None - property: client - - secretKey: secret - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/postiz - metadataPolicy: None - property: 
secret ---- -# Source: postiz/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: postiz-config-backup-secret - namespace: postiz - labels: - app.kubernetes.io/name: postiz-config-backup-secret - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/postiz/postiz-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: postiz/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: postiz-uploads-backup-secret - namespace: postiz - labels: - app.kubernetes.io/name: postiz-uploads-backup-secret - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT 
}}/postiz/postiz-uploads" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: postiz/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: postiz-cloudflared-secret - namespace: postiz - labels: - app.kubernetes.io/name: postiz-cloudflared-secret - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: cf-tunnel-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/tunnels/postiz - metadataPolicy: None - property: token ---- -# Source: postiz/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: postiz-postgresql-17-cluster-backup-secret - namespace: postiz - labels: - app.kubernetes.io/name: postiz-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: 
ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: postiz/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: postiz-postgresql-17-cluster-backup-secret-garage - namespace: postiz - labels: - app.kubernetes.io/name: postiz-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: postiz/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-postiz - namespace: postiz - labels: - app.kubernetes.io/name: http-route-postiz - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - postiz.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: postiz - port: 80 - weight: 100 ---- -# Source: 
postiz/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "postiz-postgresql-17-external-backup" - namespace: postiz - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: postiz-postgresql-17 - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/postiz/postiz-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: postiz-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: postiz-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: postiz/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "postiz-postgresql-17-garage-local-backup" - namespace: postiz - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: postiz-postgresql-17 - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/postiz/postiz-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: postiz-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: postiz-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: postiz-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: postiz/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "postiz-postgresql-17-recovery" - namespace: postiz - 
labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: postiz-postgresql-17 - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/postiz/postiz-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: postiz-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: postiz-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: postiz/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: postiz-postgresql-17-alert-rules - namespace: postiz - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: postiz-postgresql-17 - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/postiz-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: postiz - cnpg_cluster: postiz-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. 
- description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: postiz - cnpg_cluster: postiz-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="postiz"} - cnpg_pg_replication_is_wal_receiver_up{namespace="postiz"}) < 1 - for: 5m - labels: - severity: critical - namespace: postiz - cnpg_cluster: postiz-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. 
The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="postiz"} - cnpg_pg_replication_is_wal_receiver_up{namespace="postiz"}) < 2 - for: 5m - labels: - severity: warning - namespace: postiz - cnpg_cluster: postiz-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "postiz/postiz-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="postiz", pod=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="postiz", pod=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: postiz - cnpg_cluster: postiz-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "postiz/postiz-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="postiz", pod=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="postiz", pod=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: postiz - cnpg_cluster: postiz-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "postiz/postiz-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="postiz",pod=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: postiz - cnpg_cluster: postiz-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "postiz/postiz-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="postiz", pod=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: postiz - cnpg_cluster: postiz-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: postiz - cnpg_cluster: postiz-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "postiz/postiz-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="postiz", persistentvolumeclaim=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="postiz", persistentvolumeclaim=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="postiz", persistentvolumeclaim=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="postiz", persistentvolumeclaim=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="postiz", persistentvolumeclaim=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="postiz", persistentvolumeclaim=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: postiz - cnpg_cluster: postiz-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "postiz/postiz-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="postiz", persistentvolumeclaim=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="postiz", persistentvolumeclaim=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="postiz", persistentvolumeclaim=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="postiz", persistentvolumeclaim=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="postiz", persistentvolumeclaim=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="postiz", persistentvolumeclaim=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: postiz - cnpg_cluster: postiz-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "postiz/postiz-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="postiz",pod=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: postiz - cnpg_cluster: postiz-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: postiz - cnpg_cluster: postiz-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: postiz - cnpg_cluster: postiz-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: postiz - cnpg_cluster: postiz-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "postiz/postiz-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="postiz", pod=~"postiz-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: postiz - cnpg_cluster: postiz-postgresql-17-cluster ---- -# Source: postiz/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-postiz - namespace: postiz - labels: - app.kubernetes.io/name: redis-replication-postiz - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.0.3 - imagePullPolicy: IfNotPresent - redisSecret: - name: postiz-redis-config - key: password - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi - redisExporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.48.0 ---- -# Source: postiz/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: postiz-config-backup-source - namespace: postiz - labels: - app.kubernetes.io/name: postiz-config-backup-source - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz -spec: - sourcePVC: postiz-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: postiz-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: 
postiz/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: postiz-uploads-backup-source - namespace: postiz - labels: - app.kubernetes.io/name: postiz-uploads-backup-source - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz -spec: - sourcePVC: postiz-uploads - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: postiz-uploads-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: postiz/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "postiz-postgresql-17-daily-backup-scheduled-backup" - namespace: postiz - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: postiz-postgresql-17 - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: postiz-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "postiz-postgresql-17-external-backup" ---- -# Source: postiz/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "postiz-postgresql-17-live-backup-scheduled-backup" - namespace: postiz - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: postiz-postgresql-17 - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - 
name: postiz-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "postiz-postgresql-17-garage-local-backup" ---- -# Source: postiz/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: redis-replication-postiz - namespace: postiz - labels: - app.kubernetes.io/name: redis-replication-postiz - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz - redis-operator: "true" - env: production -spec: - selector: - matchLabels: - redis_setup_type: replication - endpoints: - - port: redis-exporter - interval: 30s - scrapeTimeout: 10s diff --git a/clusters/cl01tl/manifests/prometheus-operator-crds/prometheus-operator-crds.yaml b/clusters/cl01tl/manifests/prometheus-operator-crds/prometheus-operator-crds.yaml deleted file mode 100644 index ebc4f5023..000000000 --- a/clusters/cl01tl/manifests/prometheus-operator-crds/prometheus-operator-crds.yaml +++ /dev/null 
@@ -1,73876 +0,0 @@ ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-alertmanagerconfigs.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - operator.prometheus.io/version: 0.87.0 - name: alertmanagerconfigs.monitoring.coreos.com -spec: - group: monitoring.coreos.com - names: - categories: - - prometheus-operator - kind: AlertmanagerConfig - listKind: AlertmanagerConfigList - plural: alertmanagerconfigs - shortNames: - - amcfg - singular: alertmanagerconfig - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - AlertmanagerConfig configures the Prometheus Alertmanager, - specifying how alerts should be grouped, inhibited and notified to external systems. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec defines the specification of AlertmanagerConfigSpec - properties: - inhibitRules: - description: |- - inhibitRules defines the list of inhibition rules. The rules will only apply to alerts matching - the resource's namespace. - items: - description: |- - InhibitRule defines an inhibition rule that allows to mute alerts when other - alerts are already firing. 
- See https://prometheus.io/docs/alerting/latest/configuration/#inhibit_rule - properties: - equal: - description: |- - equal defines labels that must have an equal value in the source and target alert - for the inhibition to take effect. This ensures related alerts are properly grouped. - items: - type: string - type: array - sourceMatch: - description: |- - sourceMatch defines matchers for which one or more alerts have to exist for the inhibition - to take effect. The operator enforces that the alert matches the resource's namespace. - These are the "trigger" alerts that cause other alerts to be inhibited. - items: - description: Matcher defines how to match on alert's labels. - properties: - matchType: - description: |- - matchType defines the match operation available with AlertManager >= v0.22.0. - Takes precedence over Regex (deprecated) if non-empty. - Valid values: "=" (equality), "!=" (inequality), "=~" (regex match), "!~" (regex non-match). - enum: - - '!=' - - = - - =~ - - '!~' - type: string - name: - description: |- - name defines the label to match. - This specifies which alert label should be evaluated. - minLength: 1 - type: string - regex: - description: |- - regex defines whether to match on equality (false) or regular-expression (true). - Deprecated: for AlertManager >= v0.22.0, `matchType` should be used instead. - type: boolean - value: - description: |- - value defines the label value to match. - This is the expected value for the specified label. - type: string - required: - - name - type: object - type: array - targetMatch: - description: |- - targetMatch defines matchers that have to be fulfilled in the alerts to be muted. - The operator enforces that the alert matches the resource's namespace. - When these conditions are met, matching alerts will be inhibited (silenced). - items: - description: Matcher defines how to match on alert's labels. 
- properties: - matchType: - description: |- - matchType defines the match operation available with AlertManager >= v0.22.0. - Takes precedence over Regex (deprecated) if non-empty. - Valid values: "=" (equality), "!=" (inequality), "=~" (regex match), "!~" (regex non-match). - enum: - - '!=' - - = - - =~ - - '!~' - type: string - name: - description: |- - name defines the label to match. - This specifies which alert label should be evaluated. - minLength: 1 - type: string - regex: - description: |- - regex defines whether to match on equality (false) or regular-expression (true). - Deprecated: for AlertManager >= v0.22.0, `matchType` should be used instead. - type: boolean - value: - description: |- - value defines the label value to match. - This is the expected value for the specified label. - type: string - required: - - name - type: object - type: array - type: object - type: array - muteTimeIntervals: - description: muteTimeIntervals defines the list of MuteTimeInterval - specifying when the routes should be muted. 
- items: - description: MuteTimeInterval specifies the periods in time when - notifications will be muted - properties: - name: - description: name of the time interval - type: string - timeIntervals: - description: timeIntervals defines a list of TimeInterval - items: - description: TimeInterval describes intervals of time - properties: - daysOfMonth: - description: daysOfMonth defines a list of DayOfMonthRange - items: - description: DayOfMonthRange is an inclusive range of - days of the month beginning at 1 - properties: - end: - description: end of the inclusive range - maximum: 31 - minimum: -31 - type: integer - start: - description: start of the inclusive range - maximum: 31 - minimum: -31 - type: integer - type: object - type: array - months: - description: months defines a list of MonthRange - items: - description: |- - MonthRange is an inclusive range of months of the year beginning in January - Months can be specified by name (e.g 'January') by numerical month (e.g '1') or as an inclusive range (e.g 'January:March', '1:3', '1:March') - pattern: ^((?i)january|february|march|april|may|june|july|august|september|october|november|december|1[0-2]|[1-9])(?:((:((?i)january|february|march|april|may|june|july|august|september|october|november|december|1[0-2]|[1-9]))$)|$) - type: string - type: array - times: - description: times defines a list of TimeRange - items: - description: TimeRange defines a start and end time - in 24hr format - properties: - endTime: - description: endTime defines the end time in 24hr - format. - pattern: ^((([01][0-9])|(2[0-3])):[0-5][0-9])$|(^24:00$) - type: string - startTime: - description: startTime defines the start time in - 24hr format. 
- pattern: ^((([01][0-9])|(2[0-3])):[0-5][0-9])$|(^24:00$) - type: string - type: object - type: array - weekdays: - description: weekdays defines a list of WeekdayRange - items: - description: |- - WeekdayRange is an inclusive range of days of the week beginning on Sunday - Days can be specified by name (e.g 'Sunday') or as an inclusive range (e.g 'Monday:Friday') - pattern: ^((?i)sun|mon|tues|wednes|thurs|fri|satur)day(?:((:(sun|mon|tues|wednes|thurs|fri|satur)day)$)|$) - type: string - type: array - years: - description: years defines a list of YearRange - items: - description: YearRange is an inclusive range of years - pattern: ^2\d{3}(?::2\d{3}|$) - type: string - type: array - type: object - type: array - required: - - name - type: object - type: array - receivers: - description: receivers defines the list of receivers. - items: - description: Receiver defines one or more notification integrations. - properties: - discordConfigs: - description: discordConfigs defines the list of Slack configurations. - items: - description: |- - DiscordConfig configures notifications via Discord. - See https://prometheus.io/docs/alerting/latest/configuration/#discord_config - properties: - apiURL: - description: |- - apiURL defines the secret's key that contains the Discord webhook URL. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - avatarURL: - description: avatarURL defines the avatar url of the message - sender. - pattern: ^https?://.+$ - type: string - content: - description: content defines the template of the content's - body. - minLength: 1 - type: string - httpConfig: - description: httpConfig defines the HTTP client configuration. - properties: - authorization: - description: |- - authorization defines the authorization header configuration for the client. - This is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+. - properties: - credentials: - description: credentials defines a key of a Secret - in the namespace that contains the credentials - for authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the basic authentication credentials for the client. - This is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence. 
- properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client - for authentication. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects specifies whether the client should follow HTTP 3xx redirects. - When true, the client will automatically follow redirect responses. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the OAuth2 client credentials used to fetch a token for the targets. - This enables OAuth2 authentication flow for HTTP requests. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. 
- type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key - of a Secret. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes - used for the token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. 
- It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how - to disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret - containing the client key file for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify - the hostname for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch - the token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of - a Secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyURL: - description: |- - proxyURL defines an optional proxy URL for HTTP requests. - If defined, this field takes precedence over `proxyUrl`. - type: string - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: |- - tlsConfig defines the TLS configuration for the client. - This includes settings for certificates, CA validation, and TLS protocol options. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to - disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the - hostname for the targets. - type: string - type: object - type: object - message: - description: message defines the template of the message's - body. - type: string - sendResolved: - description: sendResolved defines whether or not to notify - about resolved alerts. 
- type: boolean - title: - description: title defines the template of the message's - title. - type: string - username: - description: username defines the username of the message - sender. - minLength: 1 - type: string - required: - - apiURL - type: object - type: array - emailConfigs: - description: emailConfigs defines the list of Email configurations. - items: - description: EmailConfig configures notifications via Email. - properties: - authIdentity: - description: |- - authIdentity defines the identity to use for SMTP authentication. - This is typically used with PLAIN authentication mechanism. - type: string - authPassword: - description: |- - authPassword defines the secret's key that contains the password to use for authentication. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - authSecret: - description: |- - authSecret defines the secret's key that contains the CRAM-MD5 secret. - This is used for CRAM-MD5 authentication mechanism. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - authUsername: - description: |- - authUsername defines the username to use for SMTP authentication. - This is used for SMTP AUTH when the server requires authentication. - type: string - from: - description: |- - from defines the sender address for email notifications. - This appears as the "From" field in the email header. - type: string - headers: - description: |- - headers defines additional email header key/value pairs. - These override any headers previously set by the notification implementation. - items: - description: KeyValue defines a (key, value) tuple. - properties: - key: - description: |- - key defines the key of the tuple. - This is the identifier or name part of the key-value pair. - minLength: 1 - type: string - value: - description: |- - value defines the value of the tuple. - This is the data or content associated with the key. - type: string - required: - - key - - value - type: object - type: array - hello: - description: |- - hello defines the hostname to identify to the SMTP server. - This is used in the SMTP HELO/EHLO command during the connection handshake. - type: string - html: - description: |- - html defines the HTML body of the email notification. - This allows for rich formatting in the email content. - type: string - requireTLS: - description: |- - requireTLS defines the SMTP TLS requirement. - Note that Go does not support unencrypted connections to remote SMTP endpoints. - type: boolean - sendResolved: - description: sendResolved defines whether or not to notify - about resolved alerts. 
- type: boolean - smarthost: - description: |- - smarthost defines the SMTP host and port through which emails are sent. - Format should be "hostname:port", e.g. "smtp.example.com:587". - type: string - text: - description: |- - text defines the plain text body of the email notification. - This provides a fallback for email clients that don't support HTML. - type: string - tlsConfig: - description: |- - tlsConfig defines the TLS configuration for SMTP connections. - This includes settings for certificates, CA validation, and TLS protocol options. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. 
- type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - to: - description: |- - to defines the email address to send notifications to. - This is the recipient address for alert notifications. - type: string - type: object - type: array - msteamsConfigs: - description: |- - msteamsConfigs defines the list of MSTeams configurations. - It requires Alertmanager >= 0.26.0. - items: - description: |- - MSTeamsConfig configures notifications via Microsoft Teams. - It requires Alertmanager >= 0.26.0. - properties: - httpConfig: - description: httpConfig defines the HTTP client configuration - for Teams webhook requests. - properties: - authorization: - description: |- - authorization defines the authorization header configuration for the client. 
- This is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+. - properties: - credentials: - description: credentials defines a key of a Secret - in the namespace that contains the credentials - for authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the basic authentication credentials for the client. - This is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client - for authentication. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects specifies whether the client should follow HTTP 3xx redirects. - When true, the client will automatically follow redirect responses. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the OAuth2 client credentials used to fetch a token for the targets. - This enables OAuth2 authentication flow for HTTP requests. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. 
- properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key - of a Secret. 
- properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes - used for the token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how - to disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret - containing the client key file for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. 
- - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify - the hostname for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch - the token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of - a Secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: boolean - proxyURL: - description: |- - proxyURL defines an optional proxy URL for HTTP requests. - If defined, this field takes precedence over `proxyUrl`. - type: string - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: |- - tlsConfig defines the TLS configuration for the client. - This includes settings for certificates, CA validation, and TLS protocol options. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to - disable target certificate validation. 
- type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the - hostname for the targets. - type: string - type: object - type: object - sendResolved: - description: sendResolved defines whether or not to notify - about resolved alerts. - type: boolean - summary: - description: |- - summary defines the message summary template for Teams notifications. - This provides a brief overview that appears in Teams notification previews. - It requires Alertmanager >= 0.27.0. - type: string - text: - description: |- - text defines the message body template for Teams notifications. - This contains the detailed content of the Teams message. - type: string - title: - description: |- - title defines the message title template for Teams notifications. - This appears as the main heading of the Teams message card. 
- type: string - webhookUrl: - description: |- - webhookUrl defines the MSTeams webhook URL for sending notifications. - This is the incoming webhook URL configured in your Teams channel. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - webhookUrl - type: object - type: array - msteamsv2Configs: - description: |- - msteamsv2Configs defines the list of MSTeamsV2 configurations. - It requires Alertmanager >= 0.28.0. - items: - description: |- - MSTeamsV2Config configures notifications via Microsoft Teams using the new message format with adaptive cards as required by flows. - See https://prometheus.io/docs/alerting/latest/configuration/#msteamsv2_config - It requires Alertmanager >= 0.28.0. - properties: - httpConfig: - description: httpConfig defines the HTTP client configuration - for Teams webhook requests. - properties: - authorization: - description: |- - authorization defines the authorization header configuration for the client. - This is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+. - properties: - credentials: - description: credentials defines a key of a Secret - in the namespace that contains the credentials - for authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the basic authentication credentials for the client. - This is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client - for authentication. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects specifies whether the client should follow HTTP 3xx redirects. - When true, the client will automatically follow redirect responses. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: string - oauth2: - description: |- - oauth2 defines the OAuth2 client credentials used to fetch a token for the targets. - This enables OAuth2 authentication flow for HTTP requests. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key - of a Secret. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes - used for the token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how - to disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret - containing the client key file for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify - the hostname for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch - the token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of - a Secret. 
- properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyURL: - description: |- - proxyURL defines an optional proxy URL for HTTP requests. - If defined, this field takes precedence over `proxyUrl`. - type: string - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: |- - tlsConfig defines the TLS configuration for the client. - This includes settings for certificates, CA validation, and TLS protocol options. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to - disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. 
- - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the - hostname for the targets. - type: string - type: object - type: object - sendResolved: - description: sendResolved defines whether or not to notify - about resolved alerts. - type: boolean - text: - description: |- - text defines the message body template for adaptive card notifications. - This contains the detailed content displayed in the Teams adaptive card format. - minLength: 1 - type: string - title: - description: |- - title defines the message title template for adaptive card notifications. - This appears as the main heading in the Teams adaptive card. - minLength: 1 - type: string - webhookURL: - description: |- - webhookURL defines the MSTeams incoming webhook URL for adaptive card notifications. - This webhook must support the newer adaptive cards format required by Teams flows. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - type: array - name: - description: name defines the name of the receiver. Must be - unique across all items from the list. 
- minLength: 1 - type: string - opsgenieConfigs: - description: opsgenieConfigs defines the list of OpsGenie configurations. - items: - description: |- - OpsGenieConfig configures notifications via OpsGenie. - See https://prometheus.io/docs/alerting/latest/configuration/#opsgenie_config - properties: - actions: - description: |- - actions defines a comma separated list of actions that will be available for the alert. - These appear as action buttons in the OpsGenie interface. - type: string - apiKey: - description: |- - apiKey defines the secret's key that contains the OpsGenie API key. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - apiURL: - description: |- - apiURL defines the URL to send OpsGenie API requests to. - When not specified, defaults to the standard OpsGenie API endpoint. - type: string - description: - description: |- - description defines the detailed description of the incident. - This provides additional context beyond the message field. - type: string - details: - description: |- - details defines a set of arbitrary key/value pairs that provide further detail about the incident. - These appear as additional fields in the OpsGenie alert. - items: - description: KeyValue defines a (key, value) tuple. 
- properties: - key: - description: |- - key defines the key of the tuple. - This is the identifier or name part of the key-value pair. - minLength: 1 - type: string - value: - description: |- - value defines the value of the tuple. - This is the data or content associated with the key. - type: string - required: - - key - - value - type: object - type: array - entity: - description: |- - entity defines an optional field that can be used to specify which domain alert is related to. - This helps group related alerts together in OpsGenie. - type: string - httpConfig: - description: httpConfig defines the HTTP client configuration - for OpsGenie API requests. - properties: - authorization: - description: |- - authorization defines the authorization header configuration for the client. - This is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+. - properties: - credentials: - description: credentials defines a key of a Secret - in the namespace that contains the credentials - for authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the basic authentication credentials for the client. 
- This is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client - for authentication. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. 
Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects specifies whether the client should follow HTTP 3xx redirects. - When true, the client will automatically follow redirect responses. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the OAuth2 client credentials used to fetch a token for the targets. - This enables OAuth2 authentication flow for HTTP requests. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. 
- type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key - of a Secret. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes - used for the token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. 
- It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how - to disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret - containing the client key file for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify - the hostname for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch - the token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of - a Secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyURL: - description: |- - proxyURL defines an optional proxy URL for HTTP requests. - If defined, this field takes precedence over `proxyUrl`. - type: string - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: |- - tlsConfig defines the TLS configuration for the client. - This includes settings for certificates, CA validation, and TLS protocol options. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to - disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the - hostname for the targets. - type: string - type: object - type: object - message: - description: |- - message defines the alert text limited to 130 characters. - This appears as the main alert title in OpsGenie. - type: string - note: - description: |- - note defines an additional alert note. - This provides supplementary information about the alert. 
- type: string - priority: - description: |- - priority defines the priority level of alert. - Possible values are P1, P2, P3, P4, and P5, where P1 is highest priority. - type: string - responders: - description: |- - responders defines the list of responders responsible for notifications. - These determine who gets notified when the alert is created. - items: - description: |- - OpsGenieConfigResponder defines a responder to an incident. - One of `id`, `name` or `username` has to be defined. - properties: - id: - description: |- - id defines the unique identifier of the responder. - This corresponds to the responder's ID within OpsGenie. - type: string - name: - description: |- - name defines the display name of the responder. - This is used when the responder is identified by name rather than ID. - type: string - type: - description: |- - type defines the type of responder. - Valid values include "user", "team", "schedule", and "escalation". - This determines how OpsGenie interprets the other identifier fields. - enum: - - team - - teams - - user - - escalation - - schedule - minLength: 1 - type: string - username: - description: |- - username defines the username of the responder. - This is typically used for user-type responders when identifying by username. - type: string - required: - - type - type: object - type: array - sendResolved: - description: sendResolved defines whether or not to notify - about resolved alerts. - type: boolean - source: - description: |- - source defines the backlink to the sender of the notification. - This helps identify where the alert originated from. - type: string - tags: - description: |- - tags defines a comma separated list of tags attached to the notifications. - These help categorize and filter alerts within OpsGenie. 
- type: string - updateAlerts: - description: |- - updateAlerts defines Whether to update message and description of the alert in OpsGenie if it already exists - By default, the alert is never updated in OpsGenie, the new message only appears in activity log. - type: boolean - type: object - type: array - pagerdutyConfigs: - description: pagerdutyConfigs defines the List of PagerDuty - configurations. - items: - description: |- - PagerDutyConfig configures notifications via PagerDuty. - See https://prometheus.io/docs/alerting/latest/configuration/#pagerduty_config - properties: - class: - description: class defines the class/type of the event. - type: string - client: - description: client defines the client identification. - type: string - clientURL: - description: clientURL defines the backlink to the sender - of notification. - type: string - component: - description: component defines the part or component of - the affected system that is broken. - type: string - description: - description: description of the incident. - type: string - details: - description: details defines the arbitrary key/value pairs - that provide further detail about the incident. - items: - description: KeyValue defines a (key, value) tuple. - properties: - key: - description: |- - key defines the key of the tuple. - This is the identifier or name part of the key-value pair. - minLength: 1 - type: string - value: - description: |- - value defines the value of the tuple. - This is the data or content associated with the key. - type: string - required: - - key - - value - type: object - type: array - group: - description: group defines a cluster or grouping of sources. - type: string - httpConfig: - description: httpConfig defines the HTTP client configuration. - properties: - authorization: - description: |- - authorization defines the authorization header configuration for the client. - This is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+. 
- properties: - credentials: - description: credentials defines a key of a Secret - in the namespace that contains the credentials - for authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the basic authentication credentials for the client. - This is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client - for authentication. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects specifies whether the client should follow HTTP 3xx redirects. - When true, the client will automatically follow redirect responses. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the OAuth2 client credentials used to fetch a token for the targets. - This enables OAuth2 authentication flow for HTTP requests. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. 
- properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key - of a Secret. 
- properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes - used for the token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how - to disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret - containing the client key file for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. 
- - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify - the hostname for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch - the token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of - a Secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: boolean - proxyURL: - description: |- - proxyURL defines an optional proxy URL for HTTP requests. - If defined, this field takes precedence over `proxyUrl`. - type: string - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: |- - tlsConfig defines the TLS configuration for the client. - This includes settings for certificates, CA validation, and TLS protocol options. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to - disable target certificate validation. 
- type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the - hostname for the targets. - type: string - type: object - type: object - pagerDutyImageConfigs: - description: pagerDutyImageConfigs defines a list of image - details to attach that provide further detail about - an incident. - items: - description: PagerDutyImageConfig attaches images to - an incident - properties: - alt: - description: alt is the optional alternative text - for the image. - type: string - href: - description: href defines the optional URL; makes - the image a clickable link. 
- type: string - src: - description: src of the image being attached to - the incident - type: string - type: object - type: array - pagerDutyLinkConfigs: - description: pagerDutyLinkConfigs defines a list of link - details to attach that provide further detail about - an incident. - items: - description: PagerDutyLinkConfig attaches text links - to an incident - properties: - alt: - description: alt defines the text that describes - the purpose of the link, and can be used as the - link's text. - type: string - href: - description: href defines the URL of the link to - be attached - type: string - type: object - type: array - routingKey: - description: |- - routingKey defines the secret's key that contains the PagerDuty integration key (when using - Events API v2). Either this field or `serviceKey` needs to be defined. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - sendResolved: - description: sendResolved defines whether or not to notify - about resolved alerts. - type: boolean - serviceKey: - description: |- - serviceKey defines the secret's key that contains the PagerDuty service key (when using - integration type "Prometheus"). Either this field or `routingKey` needs to - be defined. 
- The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - severity: - description: severity of the incident. - type: string - source: - description: source defines the unique location of the - affected system. - type: string - url: - description: url defines the URL to send requests to. - type: string - type: object - type: array - pushoverConfigs: - description: pushoverConfigs defines the list of Pushover configurations. - items: - description: |- - PushoverConfig configures notifications via Pushover. - See https://prometheus.io/docs/alerting/latest/configuration/#pushover_config - properties: - device: - description: |- - device defines the name of a specific device to send the notification to. - If not specified, the notification is sent to all user's devices. - type: string - expire: - description: |- - expire defines how long your notification will continue to be retried for, - unless the user acknowledges the notification. Only applies to priority 2 notifications. - pattern: ^(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?$ - type: string - html: - description: |- - html defines whether notification message is HTML or plain text. - When true, the message can include HTML formatting tags. 
- type: boolean - httpConfig: - description: httpConfig defines the HTTP client configuration - for Pushover API requests. - properties: - authorization: - description: |- - authorization defines the authorization header configuration for the client. - This is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+. - properties: - credentials: - description: credentials defines a key of a Secret - in the namespace that contains the credentials - for authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the basic authentication credentials for the client. - This is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client - for authentication. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects specifies whether the client should follow HTTP 3xx redirects. - When true, the client will automatically follow redirect responses. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the OAuth2 client credentials used to fetch a token for the targets. - This enables OAuth2 authentication flow for HTTP requests. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. 
- properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key - of a Secret. 
- properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes - used for the token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how - to disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret - containing the client key file for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. 
- - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify - the hostname for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch - the token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of - a Secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: boolean - proxyURL: - description: |- - proxyURL defines an optional proxy URL for HTTP requests. - If defined, this field takes precedence over `proxyUrl`. - type: string - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: |- - tlsConfig defines the TLS configuration for the client. - This includes settings for certificates, CA validation, and TLS protocol options. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to - disable target certificate validation. 
- type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the - hostname for the targets. - type: string - type: object - type: object - message: - description: |- - message defines the notification message content. - This is the main body text of the Pushover notification. - type: string - monospace: - description: |- - monospace optional HTML/monospace formatting for the message, see https://pushover.net/api#html - html and monospace formatting are mutually exclusive. - type: boolean - priority: - description: |- - priority defines the notification priority level. - See https://pushover.net/api#priority for valid values and behavior. - type: string - retry: - description: |- - retry defines how often the Pushover servers will send the same notification to the user. - Must be at least 30 seconds. 
Only applies to priority 2 notifications. - pattern: ^(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?$ - type: string - sendResolved: - description: sendResolved defines whether or not to notify - about resolved alerts. - type: boolean - sound: - description: |- - sound defines the name of one of the sounds supported by device clients. - This overrides the user's default sound choice for this notification. - type: string - title: - description: |- - title defines the notification title displayed in the Pushover message. - This appears as the bold header text in the notification. - type: string - token: - description: |- - token defines the secret's key that contains the registered application's API token. - See https://pushover.net/apps for application registration. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - Either `token` or `tokenFile` is required. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - tokenFile: - description: |- - tokenFile defines the token file that contains the registered application's API token. - See https://pushover.net/apps for application registration. - Either `token` or `tokenFile` is required. - It requires Alertmanager >= v0.26.0. - type: string - ttl: - description: |- - ttl defines the time to live for the alert notification. 
- This determines how long the notification remains active before expiring. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - url: - description: |- - url defines a supplementary URL shown alongside the message. - This creates a clickable link within the Pushover notification. - type: string - urlTitle: - description: |- - urlTitle defines a title for the supplementary URL. - If not specified, the raw URL is shown instead. - type: string - userKey: - description: |- - userKey defines the secret's key that contains the recipient user's user key. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - Either `userKey` or `userKeyFile` is required. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - userKeyFile: - description: |- - userKeyFile defines the user key file that contains the recipient user's user key. - Either `userKey` or `userKeyFile` is required. - It requires Alertmanager >= v0.26.0. - type: string - type: object - type: array - rocketchatConfigs: - description: |- - rocketchatConfigs defines the list of RocketChat configurations. - It requires Alertmanager >= 0.28.0. - items: - description: |- - RocketChatConfig configures notifications via RocketChat. - It requires Alertmanager >= 0.28.0. 
- properties: - actions: - description: |- - actions defines interactive actions to include in the message. - These appear as buttons that users can click to trigger responses. - items: - description: RocketChatActionConfig defines actions - for RocketChat messages. - properties: - msg: - description: |- - msg defines the message to send when the button is clicked. - This allows the button to post a predefined message to the channel. - minLength: 1 - type: string - text: - description: |- - text defines the button text displayed to users. - This is the label that appears on the interactive button. - minLength: 1 - type: string - url: - description: |- - url defines the URL the button links to when clicked. - This creates a clickable button that opens the specified URL. - pattern: ^https?://.+$ - type: string - type: object - minItems: 1 - type: array - apiURL: - description: |- - apiURL defines the API URL for RocketChat. - Defaults to https://open.rocket.chat/ if not specified. - pattern: ^https?://.+$ - type: string - channel: - description: |- - channel defines the channel to send alerts to. - This can be a channel name (e.g., "#alerts") or a direct message recipient. - minLength: 1 - type: string - color: - description: |- - color defines the message color displayed in RocketChat. - This appears as a colored bar alongside the message. - minLength: 1 - type: string - emoji: - description: |- - emoji defines the emoji to be displayed as an avatar. - If provided, this emoji will be used instead of the default avatar or iconURL. - minLength: 1 - type: string - fields: - description: |- - fields defines additional fields for the message attachment. - These appear as structured key-value pairs within the message. - items: - description: RocketChatFieldConfig defines additional - fields for RocketChat messages. - properties: - short: - description: |- - short defines whether this field should be a short field. 
- When true, the field may be displayed inline with other short fields to save space. - type: boolean - title: - description: |- - title defines the title of this field. - This appears as bold text labeling the field content. - minLength: 1 - type: string - value: - description: |- - value defines the value of this field, displayed underneath the title. - This contains the actual data or content for the field. - minLength: 1 - type: string - type: object - minItems: 1 - type: array - httpConfig: - description: httpConfig defines the HTTP client configuration - for RocketChat API requests. - properties: - authorization: - description: |- - authorization defines the authorization header configuration for the client. - This is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+. - properties: - credentials: - description: credentials defines a key of a Secret - in the namespace that contains the credentials - for authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the basic authentication credentials for the client. - This is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence. 
- properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client - for authentication. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects specifies whether the client should follow HTTP 3xx redirects. - When true, the client will automatically follow redirect responses. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the OAuth2 client credentials used to fetch a token for the targets. - This enables OAuth2 authentication flow for HTTP requests. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. 
- type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key - of a Secret. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes - used for the token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. 
- It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how - to disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret - containing the client key file for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify - the hostname for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch - the token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of - a Secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyURL: - description: |- - proxyURL defines an optional proxy URL for HTTP requests. - If defined, this field takes precedence over `proxyUrl`. - type: string - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: |- - tlsConfig defines the TLS configuration for the client. - This includes settings for certificates, CA validation, and TLS protocol options. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to - disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the - hostname for the targets. - type: string - type: object - type: object - iconURL: - description: |- - iconURL defines the icon URL for the message avatar. - This displays a custom image as the message sender's avatar. - pattern: ^https?://.+$ - type: string - imageURL: - description: |- - imageURL defines the image URL to display within the message. 
- This embeds an image directly in the message attachment. - pattern: ^https?://.+$ - type: string - linkNames: - description: |- - linkNames defines whether to enable automatic linking of usernames and channels. - When true, @username and #channel references become clickable links. - type: boolean - sendResolved: - description: sendResolved defines whether or not to notify - about resolved alerts. - type: boolean - shortFields: - description: |- - shortFields defines whether to use short fields in the message layout. - When true, fields may be displayed side by side to save space. - type: boolean - text: - description: |- - text defines the message text to send. - This is optional because attachments can be used instead of or alongside text. - minLength: 1 - type: string - thumbURL: - description: |- - thumbURL defines the thumbnail URL for the message. - This displays a small thumbnail image alongside the message content. - pattern: ^https?://.+$ - type: string - title: - description: |- - title defines the message title displayed prominently in the message. - This appears as bold text at the top of the message attachment. - minLength: 1 - type: string - titleLink: - description: |- - titleLink defines the URL that the title will link to when clicked. - This makes the message title clickable in the RocketChat interface. - minLength: 1 - type: string - token: - description: |- - token defines the sender token for RocketChat authentication. - This is the personal access token or bot token used to authenticate API requests. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - tokenID: - description: |- - tokenID defines the sender token ID for RocketChat authentication. - This is the user ID associated with the token used for API requests. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - token - - tokenID - type: object - type: array - slackConfigs: - description: slackConfigs defines the list of Slack configurations. - items: - description: |- - SlackConfig configures notifications via Slack. - See https://prometheus.io/docs/alerting/latest/configuration/#slack_config - properties: - actions: - description: actions defines a list of Slack actions that - are sent with each notification. - items: - description: |- - SlackAction configures a single Slack action that is sent with each - notification. - See https://api.slack.com/docs/message-attachments#action_fields and - https://api.slack.com/docs/message-buttons for more information. - properties: - confirm: - description: |- - confirm defines an optional confirmation dialog that appears before the action is executed. - When set, users must confirm their intent before the action proceeds. 
- properties: - dismissText: - description: |- - dismissText defines the label for the cancel button in the dialog. - When not specified, defaults to "Cancel". This button cancels the action. - type: string - okText: - description: |- - okText defines the label for the confirmation button in the dialog. - When not specified, defaults to "Okay". This button proceeds with the action. - type: string - text: - description: |- - text defines the main message displayed in the confirmation dialog. - This should be a clear question or statement asking the user to confirm their action. - minLength: 1 - type: string - title: - description: |- - title defines the title text displayed at the top of the confirmation dialog. - When not specified, a default title will be used. - type: string - required: - - text - type: object - name: - description: |- - name defines a unique identifier for the action within the message. - This value is sent back to your application when the action is triggered. - type: string - style: - description: |- - style defines the visual appearance of the action element. - Valid values include "default", "primary" (green), and "danger" (red). - type: string - text: - description: |- - text defines the user-visible label displayed on the action element. - For buttons, this is the button text. For select menus, this is the placeholder text. - minLength: 1 - type: string - type: - description: |- - type defines the type of interactive component. - Common values include "button" for clickable buttons and "select" for dropdown menus. - minLength: 1 - type: string - url: - description: |- - url defines the URL to open when the action is triggered. - Only applicable for button-type actions. When set, clicking the button opens this URL. - type: string - value: - description: |- - value defines the payload sent when the action is triggered. - This data is included in the callback sent to your application. 
- type: string - required: - - text - - type - type: object - type: array - apiURL: - description: |- - apiURL defines the secret's key that contains the Slack webhook URL. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - callbackId: - description: callbackId defines an identifier for the - message used in interactive components. - type: string - channel: - description: channel defines the channel or user to send - notifications to. - type: string - color: - description: |- - color defines the color of the left border of the Slack message attachment. - Can be a hex color code (e.g., "#ff0000") or a predefined color name. - type: string - fallback: - description: fallback defines a plain-text summary of - the attachment for clients that don't support attachments. - type: string - fields: - description: fields defines a list of Slack fields that - are sent with each notification. - items: - description: |- - SlackField configures a single Slack field that is sent with each notification. - Each field must contain a title, value, and optionally, a boolean value to indicate if the field - is short enough to be displayed next to other fields designated as short. - See https://api.slack.com/docs/message-attachments#fields for more information. 
- properties: - short: - description: |- - short determines whether this field can be displayed alongside other short fields. - When true, Slack may display this field side by side with other short fields. - When false or not specified, the field takes the full width of the message. - type: boolean - title: - description: |- - title defines the label or header text displayed for this field. - This appears as bold text above the field value in the Slack message. - minLength: 1 - type: string - value: - description: |- - value defines the content or data displayed for this field. - This appears below the title and can contain plain text or Slack markdown. - minLength: 1 - type: string - required: - - title - - value - type: object - type: array - footer: - description: footer defines small text displayed at the - bottom of the message attachment. - type: string - httpConfig: - description: httpConfig defines the HTTP client configuration. - properties: - authorization: - description: |- - authorization defines the authorization header configuration for the client. - This is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+. - properties: - credentials: - description: credentials defines a key of a Secret - in the namespace that contains the credentials - for authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the basic authentication credentials for the client. - This is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client - for authentication. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects specifies whether the client should follow HTTP 3xx redirects. - When true, the client will automatically follow redirect responses. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the OAuth2 client credentials used to fetch a token for the targets. - This enables OAuth2 authentication flow for HTTP requests. 
- properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key - of a Secret. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes - used for the token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how - to disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret - containing the client key file for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify - the hostname for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch - the token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of - a Secret. 
- properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyURL: - description: |- - proxyURL defines an optional proxy URL for HTTP requests. - If defined, this field takes precedence over `proxyUrl`. - type: string - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: |- - tlsConfig defines the TLS configuration for the client. - This includes settings for certificates, CA validation, and TLS protocol options. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to - disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. 
- - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the - hostname for the targets. - type: string - type: object - type: object - iconEmoji: - description: iconEmoji defines the emoji to use as the - bot's avatar (e.g., ":ghost:"). - type: string - iconURL: - description: iconURL defines the URL to an image to use - as the bot's avatar. - type: string - imageURL: - description: imageURL defines the URL to an image file - that will be displayed inside the message attachment. - type: string - linkNames: - description: |- - linkNames enables automatic linking of channel names and usernames in the message. - When true, @channel and @username will be converted to clickable links. - type: boolean - mrkdwnIn: - description: |- - mrkdwnIn defines which fields should be parsed as Slack markdown. - Valid values include "pretext", "text", and "fields". - items: - type: string - type: array - pretext: - description: pretext defines optional text that appears - above the message attachment block. - type: string - sendResolved: - description: sendResolved defines whether or not to notify - about resolved alerts. - type: boolean - shortFields: - description: |- - shortFields determines whether fields are displayed in a compact format. - When true, fields are shown side by side when possible. - type: boolean - text: - description: text defines the main text content of the - Slack message attachment. - type: string - thumbURL: - description: |- - thumbURL defines the URL to an image file that will be displayed as a thumbnail - on the right side of the message attachment. 
- type: string - title: - description: title defines the title text displayed in - the Slack message attachment. - type: string - titleLink: - description: titleLink defines the URL that the title - will link to when clicked. - type: string - username: - description: username defines the slack bot user name. - type: string - type: object - type: array - snsConfigs: - description: snsConfigs defines the list of SNS configurations - items: - description: |- - SNSConfig configures notifications via AWS SNS. - See https://prometheus.io/docs/alerting/latest/configuration/#sns_configs - properties: - apiURL: - description: |- - apiURL defines the SNS API URL, e.g. https://sns.us-east-2.amazonaws.com. - If not specified, the SNS API URL from the SNS SDK will be used. - type: string - attributes: - additionalProperties: - type: string - description: |- - attributes defines SNS message attributes as key-value pairs. - These provide additional metadata that can be used for message filtering and routing. - type: object - httpConfig: - description: httpConfig defines the HTTP client configuration - for SNS API requests. - properties: - authorization: - description: |- - authorization defines the authorization header configuration for the client. - This is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+. - properties: - credentials: - description: credentials defines a key of a Secret - in the namespace that contains the credentials - for authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the basic authentication credentials for the client. - This is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client - for authentication. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects specifies whether the client should follow HTTP 3xx redirects. - When true, the client will automatically follow redirect responses. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the OAuth2 client credentials used to fetch a token for the targets. - This enables OAuth2 authentication flow for HTTP requests. 
- properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key - of a Secret. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes - used for the token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how - to disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret - containing the client key file for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify - the hostname for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch - the token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of - a Secret. 
- properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyURL: - description: |- - proxyURL defines an optional proxy URL for HTTP requests. - If defined, this field takes precedence over `proxyUrl`. - type: string - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: |- - tlsConfig defines the TLS configuration for the client. - This includes settings for certificates, CA validation, and TLS protocol options. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to - disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. 
- - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the - hostname for the targets. - type: string - type: object - type: object - message: - description: |- - message defines the message content of the SNS notification. - This is the actual notification text that will be sent to subscribers. - type: string - phoneNumber: - description: |- - phoneNumber defines the phone number if message is delivered via SMS in E.164 format. - If you don't specify this value, you must specify a value for the TopicARN or TargetARN. - type: string - sendResolved: - description: sendResolved defines whether or not to notify - about resolved alerts. - type: boolean - sigv4: - description: |- - sigv4 configures AWS's Signature Verification 4 signing process to sign requests. - This includes AWS credentials and region configuration for authentication. - properties: - accessKey: - description: |- - accessKey defines the AWS API key. If not specified, the environment variable - `AWS_ACCESS_KEY_ID` is used. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - profile: - description: profile defines the named AWS profile - used to authenticate. - type: string - region: - description: region defines the AWS region. If blank, - the region from the default credentials chain used. - type: string - roleArn: - description: roleArn defines the named AWS profile - used to authenticate. - type: string - secretKey: - description: |- - secretKey defines the AWS API secret. If not specified, the environment - variable `AWS_SECRET_ACCESS_KEY` is used. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - useFIPSSTSEndpoint: - description: |- - useFIPSSTSEndpoint defines the FIPS mode for the AWS STS endpoint. - It requires Prometheus >= v2.54.0. - type: boolean - type: object - subject: - description: |- - subject defines the subject line when the message is delivered to email endpoints. - This field is only used when sending to email subscribers of an SNS topic. - type: string - targetARN: - description: |- - targetARN defines the mobile platform endpoint ARN if message is delivered via mobile notifications. 
- If you don't specify this value, you must specify a value for the TopicARN or PhoneNumber. - type: string - topicARN: - description: |- - topicARN defines the SNS topic ARN, e.g. arn:aws:sns:us-east-2:698519295917:My-Topic. - If you don't specify this value, you must specify a value for the PhoneNumber or TargetARN. - type: string - type: object - type: array - telegramConfigs: - description: telegramConfigs defines the list of Telegram configurations. - items: - description: |- - TelegramConfig configures notifications via Telegram. - See https://prometheus.io/docs/alerting/latest/configuration/#telegram_config - properties: - apiURL: - description: |- - apiURL defines the Telegram API URL, e.g. https://api.telegram.org. - If not specified, the default Telegram API URL will be used. - type: string - botToken: - description: |- - botToken defines the Telegram bot token. It is mutually exclusive with `botTokenFile`. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - Either `botToken` or `botTokenFile` is required. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - botTokenFile: - description: |- - botTokenFile defines the file to read the Telegram bot token from. - It is mutually exclusive with `botToken`. - Either `botToken` or `botTokenFile` is required. - It requires Alertmanager >= v0.26.0. 
- type: string - chatID: - description: |- - chatID defines the Telegram chat ID where messages will be sent. - This can be a user ID, group ID, or channel ID (with @ prefix for public channels). - format: int64 - type: integer - disableNotifications: - description: |- - disableNotifications controls whether Telegram notifications are sent silently. - When true, users will receive the message without notification sounds. - type: boolean - httpConfig: - description: httpConfig defines the HTTP client configuration - for Telegram API requests. - properties: - authorization: - description: |- - authorization defines the authorization header configuration for the client. - This is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+. - properties: - credentials: - description: credentials defines a key of a Secret - in the namespace that contains the credentials - for authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the basic authentication credentials for the client. - This is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence. 
- properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client - for authentication. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects specifies whether the client should follow HTTP 3xx redirects. - When true, the client will automatically follow redirect responses. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the OAuth2 client credentials used to fetch a token for the targets. - This enables OAuth2 authentication flow for HTTP requests. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. 
- type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key - of a Secret. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes - used for the token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. 
- It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how - to disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret - containing the client key file for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify - the hostname for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch - the token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of - a Secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyURL: - description: |- - proxyURL defines an optional proxy URL for HTTP requests. - If defined, this field takes precedence over `proxyUrl`. - type: string - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: |- - tlsConfig defines the TLS configuration for the client. - This includes settings for certificates, CA validation, and TLS protocol options. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to - disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the - hostname for the targets. - type: string - type: object - type: object - message: - description: |- - message defines the message template for the Telegram notification. - This is the content that will be sent to the specified chat. 
- type: string - messageThreadID: - description: |- - messageThreadID defines the Telegram Group Topic ID for threaded messages. - This allows sending messages to specific topics within Telegram groups. - It requires Alertmanager >= 0.26.0. - format: int64 - type: integer - parseMode: - description: |- - parseMode defines the parse mode for telegram message formatting. - Valid values are "MarkdownV2", "Markdown", and "HTML". - This determines how text formatting is interpreted in the message. - enum: - - MarkdownV2 - - Markdown - - HTML - type: string - sendResolved: - description: sendResolved defines whether or not to notify - about resolved alerts. - type: boolean - required: - - chatID - type: object - type: array - victoropsConfigs: - description: victoropsConfigs defines the list of VictorOps - configurations. - items: - description: |- - VictorOpsConfig configures notifications via VictorOps. - See https://prometheus.io/docs/alerting/latest/configuration/#victorops_config - properties: - apiKey: - description: |- - apiKey defines the secret's key that contains the API key to use when talking to the VictorOps API. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - apiUrl: - description: |- - apiUrl defines the VictorOps API URL. 
- When not specified, defaults to the standard VictorOps API endpoint. - type: string - customFields: - description: |- - customFields defines additional custom fields for notification. - These provide extra metadata that will be included with the VictorOps incident. - items: - description: KeyValue defines a (key, value) tuple. - properties: - key: - description: |- - key defines the key of the tuple. - This is the identifier or name part of the key-value pair. - minLength: 1 - type: string - value: - description: |- - value defines the value of the tuple. - This is the data or content associated with the key. - type: string - required: - - key - - value - type: object - type: array - entityDisplayName: - description: |- - entityDisplayName contains a summary of the alerted problem. - This appears as the main title or identifier for the incident. - type: string - httpConfig: - description: httpConfig defines the HTTP client's configuration - for VictorOps API requests. - properties: - authorization: - description: |- - authorization defines the authorization header configuration for the client. - This is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+. - properties: - credentials: - description: credentials defines a key of a Secret - in the namespace that contains the credentials - for authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the basic authentication credentials for the client. - This is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client - for authentication. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects specifies whether the client should follow HTTP 3xx redirects. - When true, the client will automatically follow redirect responses. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the OAuth2 client credentials used to fetch a token for the targets. - This enables OAuth2 authentication flow for HTTP requests. 
- properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key - of a Secret. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes - used for the token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how - to disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret - containing the client key file for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify - the hostname for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch - the token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of - a Secret. 
- properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyURL: - description: |- - proxyURL defines an optional proxy URL for HTTP requests. - If defined, this field takes precedence over `proxyUrl`. - type: string - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: |- - tlsConfig defines the TLS configuration for the client. - This includes settings for certificates, CA validation, and TLS protocol options. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to - disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. 
- - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the - hostname for the targets. - type: string - type: object - type: object - messageType: - description: |- - messageType describes the behavior of the alert. - Valid values are "CRITICAL", "WARNING", and "INFO". - type: string - monitoringTool: - description: |- - monitoringTool defines the monitoring tool the state message is from. - This helps identify the source system that generated the alert. - type: string - routingKey: - description: |- - routingKey defines a key used to map the alert to a team. - This determines which VictorOps team will receive the alert notification. - type: string - sendResolved: - description: sendResolved defines whether or not to notify - about resolved alerts. - type: boolean - stateMessage: - description: |- - stateMessage contains a long explanation of the alerted problem. - This provides detailed context about the incident. - type: string - type: object - type: array - webexConfigs: - description: webexConfigs defines the list of Webex configurations. - items: - description: |- - WebexConfig configures notification via Cisco Webex - See https://prometheus.io/docs/alerting/latest/configuration/#webex_config - properties: - apiURL: - description: apiURL defines the Webex Teams API URL i.e. - https://webexapis.com/v1/messages - pattern: ^https?://.+$ - type: string - httpConfig: - description: httpConfig defines the HTTP client's configuration. - properties: - authorization: - description: |- - authorization defines the authorization header configuration for the client. 
- This is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+. - properties: - credentials: - description: credentials defines a key of a Secret - in the namespace that contains the credentials - for authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the basic authentication credentials for the client. - This is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client - for authentication. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects specifies whether the client should follow HTTP 3xx redirects. - When true, the client will automatically follow redirect responses. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the OAuth2 client credentials used to fetch a token for the targets. - This enables OAuth2 authentication flow for HTTP requests. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. 
- properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key - of a Secret. 
- properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes - used for the token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how - to disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret - containing the client key file for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. 
- - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify - the hostname for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch - the token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of - a Secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: boolean - proxyURL: - description: |- - proxyURL defines an optional proxy URL for HTTP requests. - If defined, this field takes precedence over `proxyUrl`. - type: string - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: |- - tlsConfig defines the TLS configuration for the client. - This includes settings for certificates, CA validation, and TLS protocol options. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to - disable target certificate validation. 
- type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the - hostname for the targets. - type: string - type: object - type: object - message: - description: message defines the message template - type: string - roomID: - description: roomID defines the ID of the Webex Teams - room where to send the messages. - minLength: 1 - type: string - sendResolved: - description: sendResolved defines whether or not to notify - about resolved alerts. - type: boolean - required: - - roomID - type: object - type: array - webhookConfigs: - description: webhookConfigs defines the List of webhook configurations. - items: - description: |- - WebhookConfig configures notifications via a generic receiver supporting the webhook payload. 
- See https://prometheus.io/docs/alerting/latest/configuration/#webhook_config - properties: - httpConfig: - description: httpConfig defines the HTTP client configuration - for webhook requests. - properties: - authorization: - description: |- - authorization defines the authorization header configuration for the client. - This is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+. - properties: - credentials: - description: credentials defines a key of a Secret - in the namespace that contains the credentials - for authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the basic authentication credentials for the client. - This is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client - for authentication. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects specifies whether the client should follow HTTP 3xx redirects. - When true, the client will automatically follow redirect responses. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the OAuth2 client credentials used to fetch a token for the targets. - This enables OAuth2 authentication flow for HTTP requests. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. 
- properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key - of a Secret. 
- properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes - used for the token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how - to disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret - containing the client key file for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. 
- - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify - the hostname for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch - the token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of - a Secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: boolean - proxyURL: - description: |- - proxyURL defines an optional proxy URL for HTTP requests. - If defined, this field takes precedence over `proxyUrl`. - type: string - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: |- - tlsConfig defines the TLS configuration for the client. - This includes settings for certificates, CA validation, and TLS protocol options. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to - disable target certificate validation. 
- type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the - hostname for the targets. - type: string - type: object - type: object - maxAlerts: - description: |- - maxAlerts defines the maximum number of alerts to be sent per webhook message. - When 0, all alerts are included in the webhook payload. - format: int32 - minimum: 0 - type: integer - sendResolved: - description: sendResolved defines whether or not to notify - about resolved alerts. - type: boolean - timeout: - description: |- - timeout defines the maximum time to wait for a webhook request to complete, - before failing the request and allowing it to be retried. - It requires Alertmanager >= v0.28.0. 
- pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - url: - description: |- - url defines the URL to send HTTP POST requests to. - urlSecret takes precedence over url. One of urlSecret and url should be defined. - type: string - urlSecret: - description: |- - urlSecret defines the secret's key that contains the webhook URL to send HTTP requests to. - urlSecret takes precedence over url. One of urlSecret and url should be defined. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - type: array - wechatConfigs: - description: wechatConfigs defines the list of WeChat configurations. - items: - description: |- - WeChatConfig configures notifications via WeChat. - See https://prometheus.io/docs/alerting/latest/configuration/#wechat_config - properties: - agentID: - description: |- - agentID defines the application agent ID within WeChat Work. - This identifies which WeChat Work application will send the notifications. - type: string - apiSecret: - description: |- - apiSecret defines the secret's key that contains the WeChat API key. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. 
- properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - apiURL: - description: |- - apiURL defines the WeChat API URL. - When not specified, defaults to the standard WeChat Work API endpoint. - type: string - corpID: - description: |- - corpID defines the corp id for authentication. - This is the unique identifier for your WeChat Work organization. - type: string - httpConfig: - description: httpConfig defines the HTTP client configuration - for WeChat API requests. - properties: - authorization: - description: |- - authorization defines the authorization header configuration for the client. - This is mutually exclusive with BasicAuth and is only available starting from Alertmanager v0.22+. - properties: - credentials: - description: credentials defines a key of a Secret - in the namespace that contains the credentials - for authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the basic authentication credentials for the client. - This is mutually exclusive with Authorization. If both are defined, BasicAuth takes precedence. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines the secret's key that contains the bearer token to be used by the client - for authentication. - The secret needs to be in the same namespace as the AlertmanagerConfig - object and accessible by the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects specifies whether the client should follow HTTP 3xx redirects. - When true, the client will automatically follow redirect responses. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the OAuth2 client credentials used to fetch a token for the targets. - This enables OAuth2 authentication flow for HTTP requests. 
- properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key - of a Secret. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes - used for the token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret - containing data to use for the targets. - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how - to disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret - containing the client key file for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify - the hostname for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch - the token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of - a Secret. 
- properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyURL: - description: |- - proxyURL defines an optional proxy URL for HTTP requests. - If defined, this field takes precedence over `proxyUrl`. - type: string - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: |- - tlsConfig defines the TLS configuration for the client. - This includes settings for certificates, CA validation, and TLS protocol options. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to - disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. 
- - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the - hostname for the targets. - type: string - type: object - type: object - message: - description: |- - message defines the API request data as defined by the WeChat API. - This contains the actual notification content to be sent. - type: string - messageType: - description: |- - messageType defines the type of message to send. - Valid values include "text", "markdown", and other WeChat Work supported message types. - type: string - sendResolved: - description: sendResolved defines whether or not to notify - about resolved alerts. - type: boolean - toParty: - description: |- - toParty defines the target department(s) to receive the notification. - Can be a single department ID or multiple department IDs separated by '|'. - type: string - toTag: - description: |- - toTag defines the target tag(s) to receive the notification. - Can be a single tag ID or multiple tag IDs separated by '|'. - type: string - toUser: - description: |- - toUser defines the target user(s) to receive the notification. - Can be a single user ID or multiple user IDs separated by '|'. - type: string - type: object - type: array - required: - - name - type: object - type: array - route: - description: |- - route defines the Alertmanager route definition for alerts matching the resource's - namespace. If present, it will be added to the generated Alertmanager - configuration as a first-level route. - properties: - activeTimeIntervals: - description: activeTimeIntervals is a list of MuteTimeInterval - names when this route should be active. 
- items: - type: string - type: array - continue: - description: |- - continue defines the boolean indicating whether an alert should continue matching subsequent - sibling nodes. It will always be overridden to true for the first-level - route by the Prometheus operator. - type: boolean - groupBy: - description: |- - groupBy defines the list of labels to group by. - Labels must not be repeated (unique list). - Special label "..." (aggregate by all possible labels), if provided, must be the only element in the list. - items: - type: string - type: array - groupInterval: - description: |- - groupInterval defines how long to wait before sending an updated notification. - Must match the regular expression`^(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?$` - Example: "5m" - type: string - groupWait: - description: |- - groupWait defines how long to wait before sending the initial notification. - Must match the regular expression`^(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?$` - Example: "30s" - type: string - matchers: - description: |- - matchers defines the list of matchers that the alert's labels should match. For the first - level route, the operator removes any existing equality and regexp - matcher on the `namespace` label and adds a `namespace: ` matcher. - items: - description: Matcher defines how to match on alert's labels. - properties: - matchType: - description: |- - matchType defines the match operation available with AlertManager >= v0.22.0. - Takes precedence over Regex (deprecated) if non-empty. - Valid values: "=" (equality), "!=" (inequality), "=~" (regex match), "!~" (regex non-match). - enum: - - '!=' - - = - - =~ - - '!~' - type: string - name: - description: |- - name defines the label to match. - This specifies which alert label should be evaluated. 
- minLength: 1 - type: string - regex: - description: |- - regex defines whether to match on equality (false) or regular-expression (true). - Deprecated: for AlertManager >= v0.22.0, `matchType` should be used instead. - type: boolean - value: - description: |- - value defines the label value to match. - This is the expected value for the specified label. - type: string - required: - - name - type: object - type: array - muteTimeIntervals: - description: muteTimeIntervals is a list of MuteTimeInterval names - that will mute this route when matched, - items: - type: string - type: array - receiver: - description: |- - receiver defines the name of the receiver for this route. If not empty, it should be listed in - the `receivers` field. - type: string - repeatInterval: - description: |- - repeatInterval defines how long to wait before repeating the last notification. - Must match the regular expression`^(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?$` - Example: "4h" - type: string - routes: - description: routes defines the child routes. 
- items: - x-kubernetes-preserve-unknown-fields: true - type: array - type: object - type: object - required: - - spec - type: object - served: true - storage: true ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-alertmanagers.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - operator.prometheus.io/version: 0.87.0 - name: alertmanagers.monitoring.coreos.com -spec: - group: monitoring.coreos.com - names: - categories: - - prometheus-operator - kind: Alertmanager - listKind: AlertmanagerList - plural: alertmanagers - shortNames: - - am - singular: alertmanager - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The version of Alertmanager - jsonPath: .spec.version - name: Version - type: string - - description: The number of desired replicas - jsonPath: .spec.replicas - name: Replicas - type: integer - - description: The number of ready replicas - jsonPath: .status.availableReplicas - name: Ready - type: integer - - jsonPath: .status.conditions[?(@.type == 'Reconciled')].status - name: Reconciled - type: string - - jsonPath: .status.conditions[?(@.type == 'Available')].status - name: Available - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Whether the resource reconciliation is paused or not - jsonPath: .status.paused - name: Paused - priority: 1 - type: boolean - name: v1 - schema: - openAPIV3Schema: - description: |- - The `Alertmanager` custom resource definition (CRD) defines a desired [Alertmanager](https://prometheus.io/docs/alerting) setup to run in a Kubernetes cluster. It allows to specify many options such as the number of replicas, persistent storage and many more. - - For each `Alertmanager` resource, the Operator deploys a `StatefulSet` in the same namespace. 
When there are two or more configured replicas, the Operator runs the Alertmanager instances in high-availability mode. - - The resource defines via label and namespace selectors which `AlertmanagerConfig` objects should be associated to the deployed Alertmanager instances. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec defines the specification of the desired behavior of the Alertmanager cluster. More info: - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - additionalArgs: - description: |- - additionalArgs allows setting additional arguments for the 'Alertmanager' container. - It is intended for e.g. activating hidden flags which are not supported by - the dedicated configuration options yet. The arguments are passed as-is to the - Alertmanager container which may cause issues if they are invalid or not supported - by the given Alertmanager version. - items: - description: Argument as part of the AdditionalArgs list. - properties: - name: - description: name of the argument, e.g. "scrape.discovery-reload-interval". - minLength: 1 - type: string - value: - description: value defines the argument value, e.g. 30s. Can - be empty for name-only arguments (e.g. 
--storage.tsdb.no-lockfile) - type: string - required: - - name - type: object - type: array - additionalPeers: - description: additionalPeers allows injecting a set of additional - Alertmanagers to peer with to form a highly available cluster. - items: - type: string - type: array - affinity: - description: affinity defines the pod's scheduling constraints. - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the - pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the - corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 
- type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding - nodeSelectorTerm, in the range 1-100. 
- format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate - this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. 
The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. - avoid putting this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - alertmanagerConfigMatcherStrategy: - description: |- - alertmanagerConfigMatcherStrategy defines how AlertmanagerConfig objects - process incoming alerts. - properties: - type: - default: OnNamespace - description: |- - type defines the strategy used by - AlertmanagerConfig objects to match alerts in the routes and inhibition - rules. - - The default value is `OnNamespace`. 
- enum: - - OnNamespace - - OnNamespaceExceptForAlertmanagerNamespace - - None - type: string - type: object - alertmanagerConfigNamespaceSelector: - description: |- - alertmanagerConfigNamespaceSelector defines the namespaces to be selected for AlertmanagerConfig discovery. If nil, only - check own namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - alertmanagerConfigSelector: - description: alertmanagerConfigSelector defines the selector to be - used for to merge and configure Alertmanager with. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - alertmanagerConfiguration: - description: |- - alertmanagerConfiguration defines the configuration of Alertmanager. - - If defined, it takes precedence over the `configSecret` field. - - This is an *experimental feature*, it may change in any upcoming release - in a breaking way. - properties: - global: - description: global defines the global parameters of the Alertmanager - configuration. - properties: - httpConfig: - description: httpConfig defines the default HTTP configuration. - properties: - authorization: - description: |- - authorization configures the Authorization header credentials used by - the client. - - Cannot be set at the same time as `basicAuth`, `bearerTokenSecret` or `oauth2`. 
- properties: - credentials: - description: credentials defines a key of a Secret - in the namespace that contains the credentials for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the Basic Authentication credentials used by the - client. - - Cannot be set at the same time as `authorization`, `bearerTokenSecret` or `oauth2`. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines a key of a Secret containing the bearer token - used by the client for authentication. The secret needs to be in the - same namespace as the custom resource and readable by the Prometheus - Operator. - - Cannot be set at the same time as `authorization`, `basicAuth` or `oauth2`. - - Deprecated: use `authorization` instead. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects defines whether the client should follow HTTP 3xx - redirects. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the OAuth2 settings used by the client. - - It requires Prometheus >= 2.27.0. - - Cannot be set at the same time as `authorization`, `basicAuth` or `bearerTokenSecret`. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. 
- properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of - a Secret. 
- properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server - to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used - for the token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate - to present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap - containing data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to - select from. Must be a valid secret - key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to - disable target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. 
- - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the - hostname for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the - token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a - Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to - use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: tlsConfig defines the TLS configuration used - by the client. - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. 
- properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - type: object - jira: - description: jira defines the default configuration for Jira. - properties: - apiURL: - description: |- - apiURL defines the default Jira API URL. - - It requires Alertmanager >= v0.28.0. - pattern: ^(http|https)://.+$ - type: string - type: object - opsGenieApiKey: - description: opsGenieApiKey defines the default OpsGenie API - Key. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - opsGenieApiUrl: - description: opsGenieApiUrl defines the default OpsGenie API - URL. 
- properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - pagerdutyUrl: - description: pagerdutyUrl defines the default Pagerduty URL. - pattern: ^(http|https)://.+$ - type: string - resolveTimeout: - description: |- - resolveTimeout defines the default value used by alertmanager if the alert does - not include EndsAt, after this time passes it can declare the alert as resolved if it has not been updated. - This has no impact on alerts from Prometheus, as they always include EndsAt. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - rocketChat: - description: rocketChat defines the default configuration - for Rocket Chat. - properties: - apiURL: - description: |- - apiURL defines the default Rocket Chat API URL. - - It requires Alertmanager >= v0.28.0. - pattern: ^(http|https)://.+$ - type: string - token: - description: |- - token defines the default Rocket Chat token. - - It requires Alertmanager >= v0.28.0. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - tokenID: - description: |- - tokenID defines the default Rocket Chat Token ID. - - It requires Alertmanager >= v0.28.0. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - slackApiUrl: - description: slackApiUrl defines the default Slack API URL. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - smtp: - description: smtp defines global SMTP parameters. 
- properties: - authIdentity: - description: authIdentity represents SMTP Auth using PLAIN - type: string - authPassword: - description: authPassword represents SMTP Auth using LOGIN - and PLAIN. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - authSecret: - description: authSecret represents SMTP Auth using CRAM-MD5. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - authUsername: - description: authUsername represents SMTP Auth using CRAM-MD5, - LOGIN and PLAIN. If empty, Alertmanager doesn't authenticate - to the SMTP server. - type: string - from: - description: from defines the default SMTP From header - field. - type: string - hello: - description: hello defines the default hostname to identify - to the SMTP server. 
- type: string - requireTLS: - description: |- - requireTLS defines the default SMTP TLS requirement. - Note that Go does not support unencrypted connections to remote SMTP endpoints. - type: boolean - smartHost: - description: smartHost defines the default SMTP smarthost - used for sending emails. - properties: - host: - description: host defines the host's address, it can - be a DNS name or a literal IP address. - minLength: 1 - type: string - port: - description: port defines the host's port, it can - be a literal port number or a port name. - minLength: 1 - type: string - required: - - host - - port - type: object - tlsConfig: - description: tlsConfig defines the default TLS configuration - for SMTP receivers - properties: - ca: - description: ca defines the Certificate authority - used when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. 
- type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - type: object - telegram: - description: telegram defines the default Telegram config - properties: - apiURL: - description: |- - apiURL defines he default Telegram API URL. - - It requires Alertmanager >= v0.24.0. - pattern: ^(http|https)://.+$ - type: string - type: object - victorops: - description: victorops defines the default configuration for - VictorOps. - properties: - apiKey: - description: apiKey defines the default VictorOps API - Key. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - apiURL: - description: apiURL defines the default VictorOps API - URL. - pattern: ^(http|https)://.+$ - type: string - type: object - webex: - description: webex defines the default configuration for Jira. - properties: - apiURL: - description: |- - apiURL defines the is the default Webex API URL. - - It requires Alertmanager >= v0.25.0. - pattern: ^(http|https)://.+$ - type: string - type: object - wechat: - description: wechat defines the default WeChat Config - properties: - apiCorpID: - description: apiCorpID defines the default WeChat API - Corporate ID. - minLength: 1 - type: string - apiSecret: - description: apiSecret defines the default WeChat API - Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - apiURL: - description: |- - apiURL defines he default WeChat API URL. 
- The default value is "https://qyapi.weixin.qq.com/cgi-bin/" - pattern: ^(http|https)://.+$ - type: string - type: object - type: object - name: - description: |- - name defines the name of the AlertmanagerConfig custom resource which is used to generate the Alertmanager configuration. - It must be defined in the same namespace as the Alertmanager object. - The operator will not enforce a `namespace` label for routes and inhibition rules. - minLength: 1 - type: string - templates: - description: templates defines the custom notification templates. - items: - description: SecretOrConfigMap allows to specify data as a Secret - or ConfigMap. Fields are mutually exclusive. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data to - use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - type: array - type: object - automountServiceAccountToken: - description: |- - automountServiceAccountToken defines whether a service account token should be automatically mounted in the pod. - If the service account has `automountServiceAccountToken: true`, set the field to `false` to opt out of automounting API credentials. - type: boolean - baseImage: - description: |- - baseImage that is used to deploy pods, without tag. - Deprecated: use 'image' instead. - type: string - clusterAdvertiseAddress: - description: |- - clusterAdvertiseAddress defines the explicit address to advertise in cluster. - Needs to be provided for non RFC1918 [1] (public) addresses. - [1] RFC1918: https://tools.ietf.org/html/rfc1918 - type: string - clusterGossipInterval: - description: clusterGossipInterval defines the interval between gossip - attempts. - pattern: ^(0|(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - clusterLabel: - description: |- - clusterLabel defines the identifier that uniquely identifies the Alertmanager cluster. - You should only set it when the Alertmanager cluster includes Alertmanager instances which are external to this Alertmanager resource. In practice, the addresses of the external instances are provided via the `.spec.additionalPeers` field. - type: string - clusterPeerTimeout: - description: clusterPeerTimeout defines the timeout for cluster peering. - pattern: ^(0|(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - clusterPushpullInterval: - description: clusterPushpullInterval defines the interval between - pushpull attempts. 
- pattern: ^(0|(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - clusterTLS: - description: |- - clusterTLS defines the mutual TLS configuration for the Alertmanager cluster's gossip protocol. - - It requires Alertmanager >= 0.24.0. - properties: - client: - description: client defines the client-side configuration for - mutual TLS. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. 
- type: boolean - keySecret: - description: keySecret defines the Secret containing the client - key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - server: - description: server defines the server-side configuration for - mutual TLS. - properties: - cert: - description: |- - cert defines the Secret or ConfigMap containing the TLS certificate for the web server. - - Either `keySecret` or `keyFile` must be defined. - - It is mutually exclusive with `certFile`. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: |- - certFile defines the path to the TLS certificate file in the container for the web server. - - Either `keySecret` or `keyFile` must be defined. - - It is mutually exclusive with `cert`. - type: string - cipherSuites: - description: |- - cipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2. - - If not defined, the Go default cipher suites are used. - Available cipher suites are documented in the Go documentation: - https://golang.org/pkg/crypto/tls/#pkg-constants - items: - type: string - type: array - client_ca: - description: |- - client_ca defines the Secret or ConfigMap containing the CA certificate for client certificate - authentication to the server. - - It is mutually exclusive with `clientCAFile`. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. 
- properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientAuthType: - description: |- - clientAuthType defines the server policy for client TLS authentication. - - For more detail on clientAuth options: - https://golang.org/pkg/crypto/tls/#ClientAuthType - type: string - clientCAFile: - description: |- - clientCAFile defines the path to the CA certificate file for client certificate authentication to - the server. - - It is mutually exclusive with `client_ca`. - type: string - curvePreferences: - description: |- - curvePreferences defines elliptic curves that will be used in an ECDHE handshake, in preference - order. 
- - Available curves are documented in the Go documentation: - https://golang.org/pkg/crypto/tls/#CurveID - items: - type: string - type: array - keyFile: - description: |- - keyFile defines the path to the TLS private key file in the container for the web server. - - If defined, either `cert` or `certFile` must be defined. - - It is mutually exclusive with `keySecret`. - type: string - keySecret: - description: |- - keySecret defines the secret containing the TLS private key for the web server. - - Either `cert` or `certFile` must be defined. - - It is mutually exclusive with `keyFile`. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: maxVersion defines the Maximum TLS version that - is acceptable. - type: string - minVersion: - description: minVersion defines the minimum TLS version that - is acceptable. - type: string - preferServerCipherSuites: - description: |- - preferServerCipherSuites defines whether the server selects the client's most preferred cipher - suite, or the server's most preferred cipher suite. - - If true then the server's preference, as expressed in - the order of elements in cipherSuites, is used. 
- type: boolean - type: object - required: - - client - - server - type: object - configMaps: - description: |- - configMaps defines a list of ConfigMaps in the same namespace as the Alertmanager - object, which shall be mounted into the Alertmanager Pods. - Each ConfigMap is added to the StatefulSet definition as a volume named `configmap-`. - The ConfigMaps are mounted into `/etc/alertmanager/configmaps/` in the 'alertmanager' container. - items: - type: string - type: array - configSecret: - description: |- - configSecret defines the name of a Kubernetes Secret in the same namespace as the - Alertmanager object, which contains the configuration for this Alertmanager - instance. If empty, it defaults to `alertmanager-`. - - The Alertmanager configuration should be available under the - `alertmanager.yaml` key. Additional keys from the original secret are - copied to the generated secret and mounted into the - `/etc/alertmanager/config` directory in the `alertmanager` container. - - If either the secret or the `alertmanager.yaml` key is missing, the - operator provisions a minimal Alertmanager configuration with one empty - receiver (effectively dropping alert notifications). - type: string - containers: - description: |- - containers allows injecting additional containers. This is meant to - allow adding an authentication proxy to an Alertmanager pod. - Containers described here modify an operator generated container if they - share the same name and modifications are done via a strategic merge - patch. The current container names are: `alertmanager` and - `config-reloader`. Overriding containers is entirely outside the scope - of what the maintainers will support and by doing so, you accept that - this behaviour may break at any time without notice. - items: - description: A single application container that you want to run - within a pod. - properties: - args: - description: |- - Arguments to the entrypoint. 
- The container image's CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - command: - description: |- - Entrypoint array. Not executed within a shell. - The container image's ENTRYPOINT is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - env: - description: |- - List of environment variables to set in the container. - Cannot be updated. - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. 
- type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. 
- Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. - If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount containing - the env file. - type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
- properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - envFrom: - description: |- - List of sources to populate environment variables in the container. - The keys defined within a source may consist of any printable ASCII characters except '='. - When a key exists in multiple - sources, the value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will take precedence. - Cannot be updated. 
- items: - description: EnvFromSource represents the source of a set - of ConfigMaps or Secrets - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap must be - defined - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - description: |- - Optional text to prepend to the name of each environment variable. - May consist of any printable ASCII characters except '='. - type: string - secretRef: - description: The Secret to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - image: - description: |- - Container image name. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - imagePullPolicy: - description: |- - Image pull policy. - One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - Cannot be updated. 
- More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - type: string - lifecycle: - description: |- - Actions that the management system should take in response to container lifecycle events. - Cannot be updated. - properties: - postStart: - description: |- - PostStart is called immediately after a container is created. If the handler fails, - the container is terminated and restarted according to its restart policy. - Other management of the container blocks until the hook completes. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute in - the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. 
- type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that the container - should sleep. - properties: - seconds: - description: Seconds is the number of seconds to - sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: |- - PreStop is called immediately before a container is terminated due to an - API request or management event such as liveness/startup probe failure, - preemption, resource contention, etc. The handler is not called if the - container crashes or exits. The Pod's termination grace period countdown begins before the - PreStop hook is executed. 
Regardless of the outcome of the handler, the - container will eventually terminate within the Pod's termination grace - period (unless delayed by finalizers). Other management of the container blocks until the hook completes - or until the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute in - the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. 
- Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that the container - should sleep. - properties: - seconds: - description: Seconds is the number of seconds to - sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - stopSignal: - description: |- - StopSignal defines which signal will be sent to a container when it is being stopped. - If not specified, the default is defined by the container runtime in use. - StopSignal can only be set for Pods with a non-empty .spec.os.name - type: string - type: object - livenessProbe: - description: |- - Periodic probe of container liveness. - Container will be restarted if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. 
The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. 
- type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. 
Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - name: - description: |- - Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. - type: string - ports: - description: |- - List of ports to expose from the container. Not specifying a port here - DOES NOT prevent that port from being exposed. Any port which is - listening on the default "0.0.0.0" address inside a container will be - accessible from the network. - Modifying this array with strategic merge patch may corrupt the data. - For more information See https://github.com/kubernetes/kubernetes/issues/108255. - Cannot be updated. - items: - description: ContainerPort represents a network port in a - single container. - properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. - This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: |- - Number of port to expose on the host. - If specified, this must be a valid port number, 0 < x < 65536. - If HostNetwork is specified, this must match ContainerPort. - Most containers do not need this. 
- format: int32 - type: integer - name: - description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. - type: string - protocol: - default: TCP - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. - Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: |- - Periodic probe of container service readiness. - Container will be removed from service endpoints if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. 
- format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. 
- format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - resizePolicy: - description: Resources resize policy for the container. 
- items: - description: ContainerResizePolicy represents resource resize - policy for the container. - properties: - resourceName: - description: |- - Name of the resource to which this resource resize policy applies. - Supported values: cpu, memory. - type: string - restartPolicy: - description: |- - Restart policy to apply when specified resource is resized. - If not specified, it defaults to NotRequired. - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - Compute Resources required by this container. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - restartPolicy: - description: |- - RestartPolicy defines the restart behavior of individual containers in a pod. - This overrides the pod-level restart policy. When this field is not specified, - the restart behavior is defined by the Pod's restart policy and the container type. - Additionally, setting the RestartPolicy as "Always" for the init container will - have the following effect: - this init container will be continually restarted on - exit until all regular containers have terminated. Once all regular - containers have completed, all init containers with restartPolicy "Always" - will be shut down. This lifecycle differs from normal init containers and - is often referred to as a "sidecar" container. Although this init - container still starts in the init container sequence, it does not wait - for the container to complete before proceeding to the next init - container. Instead, the next init container starts immediately after this - init container is started, or after any startupProbe has successfully - completed. - type: string - restartPolicyRules: - description: |- - Represents a list of rules to be checked to determine if the - container should be restarted on exit. The rules are evaluated in - order. 
Once a rule matches a container exit condition, the remaining - rules are ignored. If no rule matches the container exit condition, - the Container-level restart policy determines the whether the container - is restarted or not. Constraints on the rules: - - At most 20 rules are allowed. - - Rules can have the same action. - - Identical rules are not forbidden in validations. - When rules are specified, container MUST set RestartPolicy explicitly - even it if matches the Pod's RestartPolicy. - items: - description: ContainerRestartRule describes how a container - exit is handled. - properties: - action: - description: |- - Specifies the action taken on a container exit if the requirements - are satisfied. The only possible value is "Restart" to restart the - container. - type: string - exitCodes: - description: Represents the exit codes to check on container - exits. - properties: - operator: - description: |- - Represents the relationship between the container exit code(s) and the - specified values. Possible values are: - - In: the requirement is satisfied if the container exit code is in the - set of specified values. - - NotIn: the requirement is satisfied if the container exit code is - not in the set of specified values. - type: string - values: - description: |- - Specifies the set of values to check for container exit codes. - At most 255 elements are allowed. - items: - format: int32 - type: integer - type: array - x-kubernetes-list-type: set - required: - - operator - type: object - required: - - action - type: object - type: array - x-kubernetes-list-type: atomic - securityContext: - description: |- - SecurityContext defines the security options the container should be run with. - If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. 
- More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by this container. If set, this profile - overrides the pod's appArmorProfile. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default value is Default which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". 
Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - type: object - type: object - startupProbe: - description: |- - StartupProbe indicates that the Pod has successfully initialized. - If specified, no other probes are executed until this completes successfully. - If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, - when it might take a long time to load data or warm a cache, than during steady-state operation. - This cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. 
- type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
- format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - stdin: - description: |- - Whether this container should allocate a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will always result in EOF. - Default is false. 
- type: boolean - stdinOnce: - description: |- - Whether the container runtime should close the stdin channel after it has been opened by - a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the - first client attaches to stdin, and then remains open and accepts data until the client disconnects, - at which time stdin is closed and remains closed until the container is restarted. If this - flag is false, a container processes that reads from stdin will never receive an EOF. - Default is false - type: boolean - terminationMessagePath: - description: |- - Optional: Path at which the file to which the container's termination message - will be written is mounted into the container's filesystem. - Message written is intended to be brief final status, such as an assertion failure message. - Will be truncated by the node if greater than 4096 bytes. The total message length across - all containers will be limited to 12kb. - Defaults to /dev/termination-log. - Cannot be updated. - type: string - terminationMessagePolicy: - description: |- - Indicate how the termination message should be populated. File will use the contents of - terminationMessagePath to populate the container status message on both success and failure. - FallbackToLogsOnError will use the last chunk of container log output if the termination - message file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, whichever is smaller. - Defaults to File. - Cannot be updated. - type: string - tty: - description: |- - Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. - Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices to be - used by the container. 
- items: - description: volumeDevice describes a mapping of a raw block - device within a container. - properties: - devicePath: - description: devicePath is the path inside of the container - that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - devicePath - x-kubernetes-list-type: map - volumeMounts: - description: |- - Pod volumes to mount into the container's filesystem. - Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. 
If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - mountPath - x-kubernetes-list-type: map - workingDir: - description: |- - Container's working directory. - If not specified, the container runtime's default will be used, which - might be configured in the container image. - Cannot be updated. - type: string - required: - - name - type: object - type: array - dnsConfig: - description: dnsConfig defines the DNS configuration for the pods. - properties: - nameservers: - description: |- - nameservers defines the list of DNS name server IP addresses. - This will be appended to the base nameservers generated from DNSPolicy. - items: - minLength: 1 - type: string - type: array - x-kubernetes-list-type: set - options: - description: |- - options defines the list of DNS resolver options. - This will be merged with the base options generated from DNSPolicy. - Resolution options given in Options - will override those that appear in the base DNSPolicy. 
- items: - description: PodDNSConfigOption defines DNS resolver options - of a pod. - properties: - name: - description: name is required and must be unique. - minLength: 1 - type: string - value: - description: value is optional. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - searches: - description: |- - searches defines the list of DNS search domains for host-name lookup. - This will be appended to the base search paths generated from DNSPolicy. - items: - minLength: 1 - type: string - type: array - x-kubernetes-list-type: set - type: object - dnsPolicy: - description: dnsPolicy defines the DNS policy for the pods. - enum: - - ClusterFirstWithHostNet - - ClusterFirst - - Default - - None - type: string - enableFeatures: - description: |- - enableFeatures defines the Alertmanager's feature flags. By default, no features are enabled. - Enabling features which are disabled by default is entirely outside the - scope of what the maintainers will support and by doing so, you accept - that this behaviour may break at any time without notice. - - It requires Alertmanager >= 0.27.0. - items: - type: string - type: array - enableServiceLinks: - description: enableServiceLinks defines whether information about - services should be injected into pod's environment variables - type: boolean - externalUrl: - description: |- - externalUrl defines the URL used to access the Alertmanager web service. This is - necessary to generate correct URLs. This is necessary if Alertmanager is not - served from root of a DNS name. - type: string - forceEnableClusterMode: - description: |- - forceEnableClusterMode ensures Alertmanager does not deactivate the cluster mode when running with a single replica. - Use case is e.g. spanning an Alertmanager cluster across Kubernetes clusters with a single replica in each. 
- type: boolean - hostAliases: - description: hostAliases Pods configuration - items: - description: |- - HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the - pod's hosts file. - properties: - hostnames: - description: hostnames defines hostnames for the above IP address. - items: - type: string - type: array - ip: - description: ip defines the IP address of the host file entry. - type: string - required: - - hostnames - - ip - type: object - type: array - x-kubernetes-list-map-keys: - - ip - x-kubernetes-list-type: map - hostUsers: - description: |- - hostUsers supports the user space in Kubernetes. - - More info: https://kubernetes.io/docs/tasks/configure-pod-container/user-namespaces/ - - The feature requires at least Kubernetes 1.28 with the `UserNamespacesSupport` feature gate enabled. - Starting Kubernetes 1.33, the feature is enabled by default. - type: boolean - image: - description: |- - image if specified has precedence over baseImage, tag and sha - combinations. Specifying the version is still necessary to ensure the - Prometheus Operator knows what version of Alertmanager is being - configured. - type: string - imagePullPolicy: - description: |- - imagePullPolicy for the 'alertmanager', 'init-config-reloader' and 'config-reloader' containers. - See https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy for more details. - enum: - - "" - - Always - - Never - - IfNotPresent - type: string - imagePullSecrets: - description: |- - imagePullSecrets An optional list of references to secrets in the same namespace - to use for pulling prometheus and alertmanager images from registries - see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - initContainers: - description: |- - initContainers allows adding initContainers to the pod definition. Those can be used to e.g. - fetch secrets for injection into the Alertmanager configuration from external sources. Any - errors during the execution of an initContainer will lead to a restart of the Pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - InitContainers described here modify an operator - generated init containers if they share the same name and modifications are - done via a strategic merge patch. The current init container name is: - `init-config-reloader`. Overriding init containers is entirely outside the - scope of what the maintainers will support and by doing so, you accept that - this behaviour may break at any time without notice. - items: - description: A single application container that you want to run - within a pod. - properties: - args: - description: |- - Arguments to the entrypoint. - The container image's CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. 
- More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - command: - description: |- - Entrypoint array. Not executed within a shell. - The container image's ENTRYPOINT is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - env: - description: |- - List of environment variables to set in the container. - Cannot be updated. - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. 
- Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. 
- If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount containing - the env file. - type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - envFrom: - description: |- - List of sources to populate environment variables in the container. - The keys defined within a source may consist of any printable ASCII characters except '='. - When a key exists in multiple - sources, the value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will take precedence. - Cannot be updated. - items: - description: EnvFromSource represents the source of a set - of ConfigMaps or Secrets - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap must be - defined - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - description: |- - Optional text to prepend to the name of each environment variable. - May consist of any printable ASCII characters except '='. - type: string - secretRef: - description: The Secret to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - image: - description: |- - Container image name. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - imagePullPolicy: - description: |- - Image pull policy. - One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - type: string - lifecycle: - description: |- - Actions that the management system should take in response to container lifecycle events. - Cannot be updated. - properties: - postStart: - description: |- - PostStart is called immediately after a container is created. If the handler fails, - the container is terminated and restarted according to its restart policy. - Other management of the container blocks until the hook completes. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute in - the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that the container - should sleep. - properties: - seconds: - description: Seconds is the number of seconds to - sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' 
- type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: |- - PreStop is called immediately before a container is terminated due to an - API request or management event such as liveness/startup probe failure, - preemption, resource contention, etc. The handler is not called if the - container crashes or exits. The Pod's termination grace period countdown begins before the - PreStop hook is executed. Regardless of the outcome of the handler, the - container will eventually terminate within the Pod's termination grace - period (unless delayed by finalizers). Other management of the container blocks until the hook completes - or until the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute in - the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. 
- HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that the container - should sleep. - properties: - seconds: - description: Seconds is the number of seconds to - sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - stopSignal: - description: |- - StopSignal defines which signal will be sent to a container when it is being stopped. - If not specified, the default is defined by the container runtime in use. 
- StopSignal can only be set for Pods with a non-empty .spec.os.name - type: string - type: object - livenessProbe: - description: |- - Periodic probe of container liveness. - Container will be restarted if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. 
HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. 
- x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - name: - description: |- - Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. - type: string - ports: - description: |- - List of ports to expose from the container. Not specifying a port here - DOES NOT prevent that port from being exposed. Any port which is - listening on the default "0.0.0.0" address inside a container will be - accessible from the network. - Modifying this array with strategic merge patch may corrupt the data. - For more information See https://github.com/kubernetes/kubernetes/issues/108255. - Cannot be updated. - items: - description: ContainerPort represents a network port in a - single container. 
- properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. - This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: |- - Number of port to expose on the host. - If specified, this must be a valid port number, 0 < x < 65536. - If HostNetwork is specified, this must match ContainerPort. - Most containers do not need this. - format: int32 - type: integer - name: - description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. - type: string - protocol: - default: TCP - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. - Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: |- - Periodic probe of container service readiness. - Container will be removed from service endpoints if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. 
- type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. 
spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - resizePolicy: - description: Resources resize policy for the container. - items: - description: ContainerResizePolicy represents resource resize - policy for the container. - properties: - resourceName: - description: |- - Name of the resource to which this resource resize policy applies. - Supported values: cpu, memory. - type: string - restartPolicy: - description: |- - Restart policy to apply when specified resource is resized. - If not specified, it defaults to NotRequired. - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - Compute Resources required by this container. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - restartPolicy: - description: |- - RestartPolicy defines the restart behavior of individual containers in a pod. - This overrides the pod-level restart policy. When this field is not specified, - the restart behavior is defined by the Pod's restart policy and the container type. - Additionally, setting the RestartPolicy as "Always" for the init container will - have the following effect: - this init container will be continually restarted on - exit until all regular containers have terminated. Once all regular - containers have completed, all init containers with restartPolicy "Always" - will be shut down. This lifecycle differs from normal init containers and - is often referred to as a "sidecar" container. 
Although this init - container still starts in the init container sequence, it does not wait - for the container to complete before proceeding to the next init - container. Instead, the next init container starts immediately after this - init container is started, or after any startupProbe has successfully - completed. - type: string - restartPolicyRules: - description: |- - Represents a list of rules to be checked to determine if the - container should be restarted on exit. The rules are evaluated in - order. Once a rule matches a container exit condition, the remaining - rules are ignored. If no rule matches the container exit condition, - the Container-level restart policy determines the whether the container - is restarted or not. Constraints on the rules: - - At most 20 rules are allowed. - - Rules can have the same action. - - Identical rules are not forbidden in validations. - When rules are specified, container MUST set RestartPolicy explicitly - even it if matches the Pod's RestartPolicy. - items: - description: ContainerRestartRule describes how a container - exit is handled. - properties: - action: - description: |- - Specifies the action taken on a container exit if the requirements - are satisfied. The only possible value is "Restart" to restart the - container. - type: string - exitCodes: - description: Represents the exit codes to check on container - exits. - properties: - operator: - description: |- - Represents the relationship between the container exit code(s) and the - specified values. Possible values are: - - In: the requirement is satisfied if the container exit code is in the - set of specified values. - - NotIn: the requirement is satisfied if the container exit code is - not in the set of specified values. - type: string - values: - description: |- - Specifies the set of values to check for container exit codes. - At most 255 elements are allowed. 
- items: - format: int32 - type: integer - type: array - x-kubernetes-list-type: set - required: - - operator - type: object - required: - - action - type: object - type: array - x-kubernetes-list-type: atomic - securityContext: - description: |- - SecurityContext defines the security options the container should be run with. - If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. - More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by this container. If set, this profile - overrides the pod's appArmorProfile. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. 
- Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default value is Default which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". 
Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - type: object - type: object - startupProbe: - description: |- - StartupProbe indicates that the Pod has successfully initialized. - If specified, no other probes are executed until this completes successfully. - If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, - when it might take a long time to load data or warm a cache, than during steady-state operation. - This cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. 
- type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
- format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - stdin: - description: |- - Whether this container should allocate a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will always result in EOF. - Default is false. 
- type: boolean - stdinOnce: - description: |- - Whether the container runtime should close the stdin channel after it has been opened by - a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the - first client attaches to stdin, and then remains open and accepts data until the client disconnects, - at which time stdin is closed and remains closed until the container is restarted. If this - flag is false, a container processes that reads from stdin will never receive an EOF. - Default is false - type: boolean - terminationMessagePath: - description: |- - Optional: Path at which the file to which the container's termination message - will be written is mounted into the container's filesystem. - Message written is intended to be brief final status, such as an assertion failure message. - Will be truncated by the node if greater than 4096 bytes. The total message length across - all containers will be limited to 12kb. - Defaults to /dev/termination-log. - Cannot be updated. - type: string - terminationMessagePolicy: - description: |- - Indicate how the termination message should be populated. File will use the contents of - terminationMessagePath to populate the container status message on both success and failure. - FallbackToLogsOnError will use the last chunk of container log output if the termination - message file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, whichever is smaller. - Defaults to File. - Cannot be updated. - type: string - tty: - description: |- - Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. - Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices to be - used by the container. 
- items: - description: volumeDevice describes a mapping of a raw block - device within a container. - properties: - devicePath: - description: devicePath is the path inside of the container - that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - devicePath - x-kubernetes-list-type: map - volumeMounts: - description: |- - Pod volumes to mount into the container's filesystem. - Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. 
If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - mountPath - x-kubernetes-list-type: map - workingDir: - description: |- - Container's working directory. - If not specified, the container runtime's default will be used, which - might be configured in the container image. - Cannot be updated. - type: string - required: - - name - type: object - type: array - limits: - description: limits defines the limits command line flags when starting - Alertmanager. - properties: - maxPerSilenceBytes: - description: |- - maxPerSilenceBytes defines the maximum size of an individual silence as stored on disk. This corresponds to the Alertmanager's - `--silences.max-per-silence-bytes` flag. - It requires Alertmanager >= v0.28.0. - pattern: (^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$ - type: string - maxSilences: - description: |- - maxSilences defines the maximum number active and pending silences. This corresponds to the - Alertmanager's `--silences.max-silences` flag. 
- It requires Alertmanager >= v0.28.0. - format: int32 - minimum: 0 - type: integer - type: object - listenLocal: - description: |- - listenLocal defines the Alertmanager server listen on loopback, so that it - does not bind against the Pod IP. Note this is only for the Alertmanager - UI, not the gossip communication. - type: boolean - logFormat: - description: logFormat for Alertmanager to be configured with. - enum: - - "" - - logfmt - - json - type: string - logLevel: - description: logLevel for Alertmanager to be configured with. - enum: - - "" - - debug - - info - - warn - - error - type: string - minReadySeconds: - description: |- - minReadySeconds defines the minimum number of seconds for which a newly created pod should be ready - without any of its container crashing for it to be considered available. - - If unset, pods will be considered available as soon as they are ready. - format: int32 - minimum: 0 - type: integer - nodeSelector: - additionalProperties: - type: string - description: nodeSelector defines which Nodes the Pods are scheduled - on. - type: object - paused: - description: |- - paused if set to true all actions on the underlying managed objects are not - going to be performed, except for delete actions. - type: boolean - persistentVolumeClaimRetentionPolicy: - description: |- - persistentVolumeClaimRetentionPolicy controls if and how PVCs are deleted during the lifecycle of a StatefulSet. - The default behavior is all PVCs are retained. - This is an alpha field from kubernetes 1.23 until 1.26 and a beta field from 1.26. - It requires enabling the StatefulSetAutoDeletePVC feature gate. - properties: - whenDeleted: - description: |- - WhenDeleted specifies what happens to PVCs created from StatefulSet - VolumeClaimTemplates when the StatefulSet is deleted. The default policy - of `Retain` causes PVCs to not be affected by StatefulSet deletion. The - `Delete` policy causes those PVCs to be deleted. 
- type: string - whenScaled: - description: |- - WhenScaled specifies what happens to PVCs created from StatefulSet - VolumeClaimTemplates when the StatefulSet is scaled down. The default - policy of `Retain` causes PVCs to not be affected by a scaledown. The - `Delete` policy causes the associated PVCs for any excess pods above - the replica count to be deleted. - type: string - type: object - podMetadata: - description: |- - podMetadata defines labels and annotations which are propagated to the Alertmanager pods. - - The following items are reserved and cannot be overridden: - * "alertmanager" label, set to the name of the Alertmanager instance. - * "app.kubernetes.io/instance" label, set to the name of the Alertmanager instance. - * "app.kubernetes.io/managed-by" label, set to "prometheus-operator". - * "app.kubernetes.io/name" label, set to "alertmanager". - * "app.kubernetes.io/version" label, set to the Alertmanager version. - * "kubectl.kubernetes.io/default-container" annotation, set to "alertmanager". - properties: - annotations: - additionalProperties: - type: string - description: |- - annotations defines an unstructured key value map stored with a resource that may be - set by external tools to store and retrieve arbitrary metadata. They are not - queryable and should be preserved when modifying objects. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - type: object - labels: - additionalProperties: - type: string - description: |- - labels define the map of string keys and values that can be used to organize and categorize - (scope and select) objects. May match selectors of replication controllers - and services. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - type: object - name: - description: |- - name must be unique within a namespace. 
Is required when creating resources, although - some resources may allow a client to request the generation of an appropriate name - automatically. Name is primarily intended for creation idempotence and configuration - definition. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/ - type: string - type: object - portName: - default: web - description: |- - portName defines the port's name for the pods and governing service. - Defaults to `web`. - type: string - priorityClassName: - description: priorityClassName assigned to the Pods - type: string - replicas: - description: |- - replicas defines the expected size of the alertmanager cluster. The controller will - eventually make the size of the running cluster equal to the expected - size. - format: int32 - type: integer - resources: - description: resources defines the resource requests and limits of - the Pods. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - retention: - default: 120h - description: |- - retention defines the time duration Alertmanager shall retain data for. Default is '120h', - and must match the regular expression `[0-9]+(ms|s|m|h)` (milliseconds seconds minutes hours). - pattern: ^(0|(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - routePrefix: - description: |- - routePrefix Alertmanager registers HTTP handlers for. This is useful, - if using ExternalURL and a proxy is rewriting HTTP routes of a request, - and the actual ExternalURL is still true, but the server serves requests - under a different route prefix. For example for use with `kubectl proxy`. 
- type: string - secrets: - description: |- - secrets is a list of Secrets in the same namespace as the Alertmanager - object, which shall be mounted into the Alertmanager Pods. - Each Secret is added to the StatefulSet definition as a volume named `secret-`. - The Secrets are mounted into `/etc/alertmanager/secrets/` in the 'alertmanager' container. - items: - type: string - type: array - securityContext: - description: |- - securityContext holds pod-level security attributes and common container settings. - This defaults to the default PodSecurityContext. - properties: - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. 
- format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. 
- format: int64 - type: integer - seLinuxChangePolicy: - description: |- - seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. - It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. - Valid values are "MountOption" and "Recursive". - - "Recursive" means relabeling of all files on all Pod volumes by the container runtime. - This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. - - "MountOption" mounts all eligible Pod volumes with `-o context` mount option. - This requires all Pods that share the same volume to use the same SELinux label. - It is not possible to share the same volume among privileged and unprivileged Pods. - Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes - whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their - CSIDriver instance. Other volumes are always re-labelled recursively. - "MountOption" value is allowed only when SELinuxMount feature gate is enabled. - - If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. - If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes - and "Recursive" for all other volumes. - - This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. - - All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. - Note that this field cannot be set when spec.os.name is windows. - type: string - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. 
If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in - addition to the container's primary GID and fsGroup (if specified). If - the SupplementalGroupsPolicy feature is enabled, the - supplementalGroupsPolicy field determines whether these are in addition - to or instead of any group memberships defined in the container image. 
- If unspecified, no additional groups are added, though group memberships - defined in the container image may still be used, depending on the - supplementalGroupsPolicy field. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - description: |- - Defines how supplemental groups of the first container processes are calculated. - Valid values are "Merge" and "Strict". If not specified, "Merge" is used. - (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled - and the container runtime must implement support for this feature. - Note that this field cannot be set when spec.os.name is windows. - type: string - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. 
- type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA - credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - serviceAccountName: - description: |- - serviceAccountName is the name of the ServiceAccount to use to run the - Prometheus Pods. - type: string - serviceName: - description: |- - serviceName defines the service name used by the underlying StatefulSet(s) as the governing service. - If defined, the Service must be created before the Alertmanager resource in the same namespace and it must define a selector that matches the pod labels. - If empty, the operator will create and manage a headless service named `alertmanager-operated` for Alertmanager resources. - When deploying multiple Alertmanager resources in the same namespace, it is recommended to specify a different value for each. - See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-network-id for more details. - minLength: 1 - type: string - sha: - description: |- - sha of Alertmanager container image to be deployed. Defaults to the value of `version`. - Similar to a tag, but the SHA explicitly deploys an immutable container image. - Version and Tag are ignored if SHA is set. 
- Deprecated: use 'image' instead. The image digest can be specified as part of the image URL. - type: string - storage: - description: |- - storage defines the definition of how storage will be used by the Alertmanager - instances. - properties: - disableMountSubPath: - description: 'disableMountSubPath deprecated: subPath usage will - be removed in a future release.' - type: boolean - emptyDir: - description: |- - emptyDir to be used by the StatefulSet. - If specified, it takes precedence over `ephemeral` and `volumeClaimTemplate`. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral to be used by the StatefulSet. - This is a beta field in k8s 1.21 and GA in 1.15. - For lower versions, starting with k8s 1.19, it requires enabling the GenericEphemeralVolume feature gate. 
- More info: https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. 
For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes - to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. 
- If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to - the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - volumeClaimTemplate: - description: |- - volumeClaimTemplate defines the PVC spec to be used by the Prometheus StatefulSets. - The easiest way to use a volume that cannot be automatically provisioned - is to use a label selector alongside manually created PersistentVolumes. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - description: metadata defines EmbeddedMetadata contains metadata - relevant to an EmbeddedResource. 
- properties: - annotations: - additionalProperties: - type: string - description: |- - annotations defines an unstructured key value map stored with a resource that may be - set by external tools to store and retrieve arbitrary metadata. They are not - queryable and should be preserved when modifying objects. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - type: object - labels: - additionalProperties: - type: string - description: |- - labels define the map of string keys and values that can be used to organize and categorize - (scope and select) objects. May match selectors of replication controllers - and services. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - type: object - name: - description: |- - name must be unique within a namespace. Is required when creating resources, although - some resources may allow a client to request the generation of an appropriate name - automatically. Name is primarily intended for creation idempotence and configuration - definition. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/ - type: string - type: object - spec: - description: |- - spec defines the specification of the characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. 
For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to - consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. 
- If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the - PersistentVolume backing this claim. - type: string - type: object - status: - description: 'status is deprecated: this field is never set.' - properties: - accessModes: - description: |- - accessModes contains the actual access modes the volume backing the PVC has. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - allocatedResourceStatuses: - additionalProperties: - description: |- - When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource - that it does not recognizes, then it should ignore that update and let other controllers - handle it. - type: string - description: "allocatedResourceStatuses stores status - of resource being resized for the given PVC.\nKey names - follow standard Kubernetes label syntax. 
Valid values - are either:\n\t* Un-prefixed keys:\n\t\t- storage - - the capacity of the volume.\n\t* Custom resources must - use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have - kubernetes.io prefix are considered\nreserved and hence - may not be used.\n\nClaimResourceStatus can be in any - of following states:\n\t- ControllerResizeInProgress:\n\t\tState - set when resize controller starts resizing the volume - in control-plane.\n\t- ControllerResizeFailed:\n\t\tState - set when resize has failed in resize controller with - a terminal error.\n\t- NodeResizePending:\n\t\tState - set when resize controller has finished resizing the - volume but further resizing of\n\t\tvolume is needed - on the node.\n\t- NodeResizeInProgress:\n\t\tState set - when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState - set when resizing has failed in kubelet with a terminal - error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor - example: if expanding a PVC for more capacity - this - field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeFailed\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizePending\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeFailed\"\nWhen this field is not set, - it means that no resize operation is in progress for - the given PVC.\n\nA controller that receives PVC update - with previously unknown resourceName or ClaimResourceStatus\nshould - ignore the update for the purpose it was designed. 
For - example - a controller that\nonly is responsible for - resizing capacity of the volume, should ignore PVC updates - that change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - x-kubernetes-map-type: granular - allocatedResources: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: "allocatedResources tracks the resources - allocated to a PVC including its capacity.\nKey names - follow standard Kubernetes label syntax. Valid values - are either:\n\t* Un-prefixed keys:\n\t\t- storage - - the capacity of the volume.\n\t* Custom resources must - use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have - kubernetes.io prefix are considered\nreserved and hence - may not be used.\n\nCapacity reported here may be larger - than the actual capacity when a volume expansion operation\nis - requested.\nFor storage quota, the larger value from - allocatedResources and PVC.spec.resources is used.\nIf - allocatedResources is not set, PVC.spec.resources alone - is used for quota calculation.\nIf a volume expansion - capacity request is lowered, allocatedResources is only\nlowered - if there are no expansion operations in progress and - if the actual volume capacity\nis equal or lower than - the requested capacity.\n\nA controller that receives - PVC update with previously unknown resourceName\nshould - ignore the update for the purpose it was designed. 
For - example - a controller that\nonly is responsible for - resizing capacity of the volume, should ignore PVC updates - that change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - capacity: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: capacity represents the actual resources - of the underlying volume. - type: object - conditions: - description: |- - conditions is the current Condition of persistent volume claim. If underlying persistent volume is being - resized then the Condition will be set to 'Resizing'. - items: - description: PersistentVolumeClaimCondition contains - details about state of pvc - properties: - lastProbeTime: - description: lastProbeTime is the time we probed - the condition. - format: date-time - type: string - lastTransitionTime: - description: lastTransitionTime is the time the - condition transitioned from one status to another. - format: date-time - type: string - message: - description: message is the human-readable message - indicating details about last transition. - type: string - reason: - description: |- - reason is a unique, this should be a short, machine understandable string that gives the reason - for condition's last transition. If it reports "Resizing" that means the underlying - persistent volume is being resized. - type: string - status: - description: |- - Status is the status of the condition. - Can be True, False, Unknown. - More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=state%20of%20pvc-,conditions.status,-(string)%2C%20required - type: string - type: - description: |- - Type is the type of the condition. 
- More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=set%20to%20%27ResizeStarted%27.-,PersistentVolumeClaimCondition,-contains%20details%20about - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - currentVolumeAttributesClassName: - description: |- - currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. - When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim - type: string - modifyVolumeStatus: - description: |- - ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. - When this is unset, there is no ModifyVolume operation being attempted. - properties: - status: - description: "status is the status of the ControllerModifyVolume - operation. It can be in any of following states:\n - - Pending\n Pending indicates that the PersistentVolumeClaim - cannot be modified due to unmet requirements, such - as\n the specified VolumeAttributesClass not existing.\n - - InProgress\n InProgress indicates that the volume - is being modified.\n - Infeasible\n Infeasible - indicates that the request has been rejected as - invalid by the CSI driver. To\n\t resolve the error, - a valid VolumeAttributesClass needs to be specified.\nNote: - New statuses can be added in the future. Consumers - should check for unknown statuses and fail appropriately." - type: string - targetVolumeAttributesClassName: - description: targetVolumeAttributesClassName is the - name of the VolumeAttributesClass the PVC currently - being reconciled - type: string - required: - - status - type: object - phase: - description: phase represents the current phase of PersistentVolumeClaim. - type: string - type: object - type: object - type: object - tag: - description: |- - tag of Alertmanager container image to be deployed. 
Defaults to the value of `version`. - Version is ignored if Tag is set. - Deprecated: use 'image' instead. The image tag can be specified as part of the image URL. - type: string - terminationGracePeriodSeconds: - description: |- - terminationGracePeriodSeconds defines the Optional duration in seconds the pod needs to terminate gracefully. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down) which may lead to data corruption. - - Defaults to 120 seconds. - format: int64 - minimum: 0 - type: integer - tolerations: - description: tolerations defines the pod's tolerations. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. 
- format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - description: topologySpreadConstraints defines the Pod's topology - spread constraints. - items: - description: TopologySpreadConstraint specifies how to spread matching - pods among the given topology. - properties: - labelSelector: - description: |- - LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine the number of pods - in their corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select the pods over which - spreading will be calculated. The keys are used to lookup values from the - incoming pod labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading will be calculated - for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't set. - Keys that don't exist in the incoming pod labels will - be ignored. A null or empty list means only match against labelSelector. - - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - description: |- - MaxSkew describes the degree to which pods may be unevenly distributed. - When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference - between the number of matching pods in the target topology and the global minimum. - The global minimum is the minimum number of matching pods in an eligible domain - or zero if the number of eligible domains is less than MinDomains. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 2/2/1: - In this case, the global minimum is 1. - | zone1 | zone2 | zone3 | - | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; - scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - - if MaxSkew is 2, incoming pod can be scheduled onto any zone. 
- When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence - to topologies that satisfy it. - It's a required field. Default value is 1 and 0 is not allowed. - format: int32 - type: integer - minDomains: - description: |- - MinDomains indicates a minimum number of eligible domains. - When the number of eligible domains with matching topology keys is less than minDomains, - Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. - And when the number of eligible domains with matching topology keys equals or greater than minDomains, - this value has no effect on scheduling. - As a result, when the number of eligible domains is less than minDomains, - scheduler won't schedule more than maxSkew Pods to those domains. - If value is nil, the constraint behaves as if MinDomains is equal to 1. - Valid values are integers greater than 0. - When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same - labelSelector spread as 2/2/2: - | zone1 | zone2 | zone3 | - | P P | P P | P P | - The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. - In this situation, new pod with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. - format: int32 - type: integer - nodeAffinityPolicy: - description: |- - NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. Options are: - - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - - If this value is nil, the behavior is equivalent to the Honor policy. 
- type: string - nodeTaintsPolicy: - description: |- - NodeTaintsPolicy indicates how we will treat node taints when calculating - pod topology spread skew. Options are: - - Honor: nodes without taints, along with tainted nodes for which the incoming pod - has a toleration, are included. - - Ignore: node taints are ignored. All nodes are included. - - If this value is nil, the behavior is equivalent to the Ignore policy. - type: string - topologyKey: - description: |- - TopologyKey is the key of node labels. Nodes that have a label with this key - and identical values are considered to be in the same topology. - We consider each as a "bucket", and try to put balanced number - of pods into each bucket. - We define a domain as a particular instance of a topology. - Also, we define an eligible domain as a domain whose nodes meet the requirements of - nodeAffinityPolicy and nodeTaintsPolicy. - e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. - And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. - It's a required field. - type: string - whenUnsatisfiable: - description: |- - WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy - the spread constraint. - - DoNotSchedule (default) tells the scheduler not to schedule it. - - ScheduleAnyway tells the scheduler to schedule the pod in any location, - but giving higher precedence to topologies that would help reduce the - skew. - A constraint is considered "Unsatisfiable" for an incoming pod - if and only if every possible node assignment for that pod would violate - "MaxSkew" on some topology. 
- For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: - | zone1 | zone2 | zone3 | - | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled - to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler - won't make it *more* imbalanced. - It's a required field. - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - version: - description: version the cluster should be on. - type: string - volumeMounts: - description: |- - volumeMounts allows configuration of additional VolumeMounts on the output StatefulSet definition. - VolumeMounts specified will be appended to other VolumeMounts in the alertmanager container, - that are generated as a result of StorageSpec objects. - items: - description: VolumeMount describes a mounting of a Volume within - a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. 
- - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - volumes: - description: |- - volumes allows configuration of additional volumes on the output StatefulSet definition. - Volumes specified will be appended to other volumes that are generated as a result of - StorageSpec objects. - items: - description: Volume represents a named volume in a pod that may - be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree - awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: |- - azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. - Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type - are redirected to the disk.csi.azure.com CSI driver. - properties: - cachingMode: - description: 'cachingMode is the Host Caching mode: None, - Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data disk in the - blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in the blob - storage - type: string - fsType: - default: ext4 - description: |- - fsType is Filesystem type to mount. 
- Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: multiple - blob disks per storage account Dedicated: single blob - disk per storage account Managed: azure managed data - disk (only in managed availability set). defaults to shared' - type: string - readOnly: - default: false - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: |- - azureFile represents an Azure File Service mount on the host and bind mount to the pod. - Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type - are redirected to the file.csi.azure.com CSI driver. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: secretName is the name of secret that contains - Azure Storage Account Name and Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: |- - cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. - Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - path: - description: 'path is Optional: Used as the mounted root, - rather than the full Ceph tree, default is /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). 
ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - Deprecated: Cinder is deprecated. All operations for the in-tree cinder type - are redirected to the cinder.csi.openstack.org CSI driver. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. 
- More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that should populate - this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' 
path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap or its - keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents ephemeral - storage that is handled by certain external CSI drivers. - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". 
- If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. - type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about the pod - that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume file - items: - description: DownwardAPIVolumeFile represents information - to create the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects a field of the pod: - only annotations, labels, name, namespace and uid - are supported.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the relative path - name of the file to be created. Must not be absolute - or contain the ''..'' path. Must be utf-8 encoded. - The first item of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. 
- The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. 
- - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. 
- type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. 
- If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes - to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource that is - attached to a kubelet's host machine and then exposed to the - pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). 
ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target worldwide - names (WWNs)' - items: - type: string - type: array - x-kubernetes-list-type: atomic - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. - properties: - driver: - description: driver is the name of the driver to use for - this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. - type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field holds extra - command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: |- - flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. - Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. This - is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree - gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the specified - revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. - Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - properties: - endpoints: - description: endpoints is the endpoint name that details - Glusterfs topology. - type: string - path: - description: |- - path is the Glusterfs volume path. 
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - image: - description: |- - image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. - The volume is resolved at pod startup depending on which PullPolicy value is provided: - - - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - - The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. 
- A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. - The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. - The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. - The volume will be mounted read-only (ro) and non-executable files (noexec). - Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. - The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. - properties: - pullPolicy: - description: |- - Policy for pulling OCI objects. Possible values are: - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - type: string - reference: - description: |- - Required: Image or artifact reference to be used. - Behaves in the same way as pod.spec.containers[*].image. - Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. 
- More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether support iSCSI - Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support iSCSI - Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified Name. - type: string - iscsiInterface: - default: default - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for iSCSI target - and initiator authentication - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: |- - photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. - Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon Controller - persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: |- - portworxVolume represents a portworx volume attached and mounted on kubelets host machine. - Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type - are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate - is on. - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". 
Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources secrets, - configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: |- - sources is the list of volume projections. Each entry in this list - handles one source. - items: - description: |- - Projection that may be projected along with other supported volume types. - Exactly one of these fields must be set. - properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. 
- properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. 
If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the volume root - to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about the configMap - data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. 
- May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about the downwardAPI - data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a field - of the pod: only annotations, labels, - name, namespace and uid are supported.' - properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, - defaults to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' - path. Must be utf-8 encoded. The first - item of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults - to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to - select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podCertificate: - description: |- - Projects an auto-rotating credential bundle (private key and certificate - chain) that the pod can use either as a TLS client or server. - - Kubelet generates a private key and uses it to send a - PodCertificateRequest to the named signer. Once the signer approves the - request and issues a certificate chain, Kubelet writes the key and - certificate chain to the pod filesystem. The pod does not start until - certificates have been issued for each podCertificate projected volume - source in its spec. - - Kubelet will begin trying to rotate the certificate at the time indicated - by the signer using the PodCertificateRequest.Status.BeginRefreshAt - timestamp. 
- - Kubelet can write a single file, indicated by the credentialBundlePath - field, or separate files, indicated by the keyPath and - certificateChainPath fields. - - The credential bundle is a single file in PEM format. The first PEM - entry is the private key (in PKCS#8 format), and the remaining PEM - entries are the certificate chain issued by the signer (typically, - signers will return their certificate chain in leaf-to-root order). - - Prefer using the credential bundle format, since your application code - can read it atomically. If you use keyPath and certificateChainPath, - your application must make two separate file reads. If these coincide - with a certificate rotation, it is possible that the private key and leaf - certificate you read may not correspond to each other. Your application - will need to check for this condition, and re-read until they are - consistent. - - The named signer controls chooses the format of the certificate it - issues; consult the signer implementation's documentation to learn how to - use the certificates it issues. - properties: - certificateChainPath: - description: |- - Write the certificate chain at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - credentialBundlePath: - description: |- - Write the credential bundle at this path in the projected volume. - - The credential bundle is a single file that contains multiple PEM blocks. - The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private - key. - - The remaining blocks are CERTIFICATE blocks, containing the issued - certificate chain from the signer (leaf and any intermediates). 
- - Using credentialBundlePath lets your Pod's application code make a single - atomic read that retrieves a consistent key and certificate chain. If you - project them to separate files, your application code will need to - additionally check that the leaf certificate was issued to the key. - type: string - keyPath: - description: |- - Write the key at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - keyType: - description: |- - The type of keypair Kubelet will generate for the pod. - - Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", - "ECDSAP521", and "ED25519". - type: string - maxExpirationSeconds: - description: |- - maxExpirationSeconds is the maximum lifetime permitted for the - certificate. - - Kubelet copies this value verbatim into the PodCertificateRequests it - generates for this projection. - - If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver - will reject values shorter than 3600 (1 hour). The maximum allowable - value is 7862400 (91 days). - - The signer implementation is then free to issue a certificate with any - lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 - seconds (1 hour). This constraint is enforced by kube-apiserver. - `kubernetes.io` signers will never issue certificates with a lifetime - longer than 24 hours. - format: int32 - type: integer - signerName: - description: Kubelet's generated CSRs will be - addressed to this signer. 
- type: string - required: - - keyType - - signerName - type: object - secret: - description: secret information about the secret data - to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify whether the - Secret or its key must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information about - the serviceAccountToken data to project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - quobyte: - description: |- - quobyte represents a Quobyte mount on the host that shares a pod's lifetime. - Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. 
- type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references an already - created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. - Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - default: /etc/ceph/keyring - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - pool: - default: rbd - description: |- - pool is the rados pool name. - Default is rbd. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - default: admin - description: |- - user is the rados user name. - Default is admin. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: |- - scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. - Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. - properties: - fsType: - default: xfs - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the ScaleIO - API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the ScaleIO - Protection Domain for the configured storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. 
- type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL communication - with Gateway, default false - type: boolean - storageMode: - default: ThinProvisioned - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage Pool associated - with the protection domain. - type: string - system: - description: system is the name of the storage system as - configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret or - its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: |- - storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. - Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. 
- type: string - type: object - vsphereVolume: - description: |- - vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. - Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type - are redirected to the csi.vsphere.vmware.com CSI driver. - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy Based - Management (SPBM) profile ID associated with the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage Policy Based - Management (SPBM) profile name. - type: string - volumePath: - description: volumePath is the path that identifies vSphere - volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - web: - description: web defines the web command line flags when starting - Alertmanager. - properties: - getConcurrency: - description: |- - getConcurrency defines the maximum number of GET requests processed concurrently. This corresponds to the - Alertmanager's `--web.get-concurrency` flag. - format: int32 - type: integer - httpConfig: - description: httpConfig defines HTTP parameters for web server. - properties: - headers: - description: headers defines a list of headers that can be - added to HTTP responses. - properties: - contentSecurityPolicy: - description: |- - contentSecurityPolicy defines the Content-Security-Policy header to HTTP responses. - Unset if blank. - type: string - strictTransportSecurity: - description: |- - strictTransportSecurity defines the Strict-Transport-Security header to HTTP responses. - Unset if blank. 
- Please make sure that you use this with care as this header might force - browsers to load Prometheus and the other applications hosted on the same - domain and subdomains over HTTPS. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security - type: string - xContentTypeOptions: - description: |- - xContentTypeOptions defines the X-Content-Type-Options header to HTTP responses. - Unset if blank. Accepted value is nosniff. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options - enum: - - "" - - NoSniff - type: string - xFrameOptions: - description: |- - xFrameOptions defines the X-Frame-Options header to HTTP responses. - Unset if blank. Accepted values are deny and sameorigin. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options - enum: - - "" - - Deny - - SameOrigin - type: string - xXSSProtection: - description: |- - xXSSProtection defines the X-XSS-Protection header to all responses. - Unset if blank. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection - type: string - type: object - http2: - description: |- - http2 enable HTTP/2 support. Note that HTTP/2 is only supported with TLS. - When TLSConfig is not configured, HTTP/2 will be disabled. - Whenever the value of the field changes, a rolling update will be triggered. - type: boolean - type: object - timeout: - description: |- - timeout for HTTP requests. This corresponds to the Alertmanager's - `--web.timeout` flag. - format: int32 - type: integer - tlsConfig: - description: tlsConfig defines the TLS parameters for HTTPS. - properties: - cert: - description: |- - cert defines the Secret or ConfigMap containing the TLS certificate for the web server. - - Either `keySecret` or `keyFile` must be defined. - - It is mutually exclusive with `certFile`. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. 
- properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: |- - certFile defines the path to the TLS certificate file in the container for the web server. - - Either `keySecret` or `keyFile` must be defined. - - It is mutually exclusive with `cert`. - type: string - cipherSuites: - description: |- - cipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2. - - If not defined, the Go default cipher suites are used. 
- Available cipher suites are documented in the Go documentation: - https://golang.org/pkg/crypto/tls/#pkg-constants - items: - type: string - type: array - client_ca: - description: |- - client_ca defines the Secret or ConfigMap containing the CA certificate for client certificate - authentication to the server. - - It is mutually exclusive with `clientCAFile`. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientAuthType: - description: |- - clientAuthType defines the server policy for client TLS authentication. 
- - For more detail on clientAuth options: - https://golang.org/pkg/crypto/tls/#ClientAuthType - type: string - clientCAFile: - description: |- - clientCAFile defines the path to the CA certificate file for client certificate authentication to - the server. - - It is mutually exclusive with `client_ca`. - type: string - curvePreferences: - description: |- - curvePreferences defines elliptic curves that will be used in an ECDHE handshake, in preference - order. - - Available curves are documented in the Go documentation: - https://golang.org/pkg/crypto/tls/#CurveID - items: - type: string - type: array - keyFile: - description: |- - keyFile defines the path to the TLS private key file in the container for the web server. - - If defined, either `cert` or `certFile` must be defined. - - It is mutually exclusive with `keySecret`. - type: string - keySecret: - description: |- - keySecret defines the secret containing the TLS private key for the web server. - - Either `cert` or `certFile` must be defined. - - It is mutually exclusive with `keyFile`. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: maxVersion defines the Maximum TLS version that - is acceptable. - type: string - minVersion: - description: minVersion defines the minimum TLS version that - is acceptable. 
- type: string - preferServerCipherSuites: - description: |- - preferServerCipherSuites defines whether the server selects the client's most preferred cipher - suite, or the server's most preferred cipher suite. - - If true then the server's preference, as expressed in - the order of elements in cipherSuites, is used. - type: boolean - type: object - type: object - type: object - status: - description: |- - status defines the most recent observed status of the Alertmanager cluster. Read-only. - More info: - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - availableReplicas: - description: |- - availableReplicas defines the total number of available pods (ready for at least minReadySeconds) - targeted by this Alertmanager cluster. - format: int32 - type: integer - conditions: - description: conditions defines the current state of the Alertmanager - object. - items: - description: |- - Condition represents the state of the resources associated with the - Prometheus, Alertmanager or ThanosRuler resource. - properties: - lastTransitionTime: - description: lastTransitionTime is the time of the last update - to the current status property. - format: date-time - type: string - message: - description: message defines human-readable message indicating - details for the condition's last transition. - type: string - observedGeneration: - description: |- - observedGeneration defines the .metadata.generation that the - condition was set based upon. For instance, if `.metadata.generation` is - currently 12, but the `.status.conditions[].observedGeneration` is 9, the - condition is out of date with respect to the current state of the - instance. - format: int64 - type: integer - reason: - description: reason for the condition's last transition. - type: string - status: - description: status of the condition. 
- minLength: 1 - type: string - type: - description: type of the condition being reported. - minLength: 1 - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - paused: - description: |- - paused defines whether any actions on the underlying managed objects are - being performed. Only delete actions will be performed. - type: boolean - replicas: - description: |- - replicas defines the total number of non-terminated pods targeted by this Alertmanager - object (their labels match the selector). - format: int32 - type: integer - selector: - description: selector used to match the pods targeted by this Alertmanager - object. - type: string - unavailableReplicas: - description: unavailableReplicas defines the total number of unavailable - pods targeted by this Alertmanager object. - format: int32 - type: integer - updatedReplicas: - description: |- - updatedReplicas defines the total number of non-terminated pods targeted by this Alertmanager - object that have the desired version spec. 
- format: int32 - type: integer - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - scale: - labelSelectorPath: .status.selector - specReplicasPath: .spec.replicas - statusReplicasPath: .status.replicas - status: {} ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-podmonitors.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - operator.prometheus.io/version: 0.87.0 - name: podmonitors.monitoring.coreos.com -spec: - group: monitoring.coreos.com - names: - categories: - - prometheus-operator - kind: PodMonitor - listKind: PodMonitorList - plural: podmonitors - shortNames: - - pmon - singular: podmonitor - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - The `PodMonitor` custom resource definition (CRD) defines how `Prometheus` and `PrometheusAgent` can scrape metrics from a group of pods. - Among other things, it allows to specify: - * The pods to scrape via label selectors. - * The container ports to scrape. - * Authentication credentials to use. - * Target and metric relabeling. - - `Prometheus` and `PrometheusAgent` objects select `PodMonitor` objects using label and namespace selectors. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec defines the specification of desired Pod selection for - target discovery by Prometheus. - properties: - attachMetadata: - description: |- - attachMetadata defines additional metadata which is added to the - discovered targets. - - It requires Prometheus >= v2.35.0. - properties: - node: - description: |- - node when set to true, Prometheus attaches node metadata to the discovered - targets. - - The Prometheus service account must have the `list` and `watch` - permissions on the `Nodes` objects. - type: boolean - type: object - bodySizeLimit: - description: |- - bodySizeLimit when defined specifies a job level limit on the size - of uncompressed response body that will be accepted by Prometheus. - - It requires Prometheus >= v2.28.0. - pattern: (^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$ - type: string - convertClassicHistogramsToNHCB: - description: |- - convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native histogram with custom buckets. - It requires Prometheus >= v3.0.0. - type: boolean - fallbackScrapeProtocol: - description: |- - fallbackScrapeProtocol defines the protocol to use if a scrape returns blank, unparseable, or otherwise invalid Content-Type. - - It requires Prometheus >= v3.0.0. - enum: - - PrometheusProto - - OpenMetricsText0.0.1 - - OpenMetricsText1.0.0 - - PrometheusText0.0.4 - - PrometheusText1.0.0 - type: string - jobLabel: - description: |- - jobLabel defines the label to use to retrieve the job name from. - `jobLabel` selects the label from the associated Kubernetes `Pod` - object which will be used as the `job` label for all metrics. - - For example if `jobLabel` is set to `foo` and the Kubernetes `Pod` - object is labeled with `foo: bar`, then Prometheus adds the `job="bar"` - label to all ingested metrics. 
- - If the value of this field is empty, the `job` label of the metrics - defaults to the namespace and name of the PodMonitor object (e.g. `/`). - type: string - keepDroppedTargets: - description: |- - keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling - that will be kept in memory. 0 means no limit. - - It requires Prometheus >= v2.47.0. - format: int64 - type: integer - labelLimit: - description: |- - labelLimit defines the per-scrape limit on number of labels that will be accepted for a sample. - - It requires Prometheus >= v2.27.0. - format: int64 - type: integer - labelNameLengthLimit: - description: |- - labelNameLengthLimit defines the per-scrape limit on length of labels name that will be accepted for a sample. - - It requires Prometheus >= v2.27.0. - format: int64 - type: integer - labelValueLengthLimit: - description: |- - labelValueLengthLimit defines the per-scrape limit on length of labels value that will be accepted for a sample. - - It requires Prometheus >= v2.27.0. - format: int64 - type: integer - namespaceSelector: - description: |- - namespaceSelector defines in which namespace(s) Prometheus should discover the pods. - By default, the pods are discovered in the same namespace as the `PodMonitor` object but it is possible to select pods across different/all namespaces. - properties: - any: - description: |- - any defines the boolean describing whether all namespaces are selected in contrast to a - list restricting them. - type: boolean - matchNames: - description: matchNames defines the list of namespace names to - select from. - items: - type: string - type: array - type: object - nativeHistogramBucketLimit: - description: |- - nativeHistogramBucketLimit defines ff there are more than this many buckets in a native histogram, - buckets will be merged to stay within the limit. - It requires Prometheus >= v2.45.0. 
- format: int64 - type: integer - nativeHistogramMinBucketFactor: - anyOf: - - type: integer - - type: string - description: |- - nativeHistogramMinBucketFactor defines if the growth factor of one bucket to the next is smaller than this, - buckets will be merged to increase the factor sufficiently. - It requires Prometheus >= v2.50.0. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - podMetricsEndpoints: - description: podMetricsEndpoints defines how to scrape metrics from - the selected pods. - items: - description: |- - PodMetricsEndpoint defines an endpoint serving Prometheus metrics to be scraped by - Prometheus. - properties: - authorization: - description: |- - authorization configures the Authorization header credentials used by - the client. - - Cannot be set at the same time as `basicAuth`, `bearerTokenSecret` or `oauth2`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. 
- - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the Basic Authentication credentials used by the - client. - - Cannot be set at the same time as `authorization`, `bearerTokenSecret` or `oauth2`. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines a key of a Secret containing the bearer token - used by the client for authentication. 
The secret needs to be in the - same namespace as the custom resource and readable by the Prometheus - Operator. - - Cannot be set at the same time as `authorization`, `basicAuth` or `oauth2`. - - Deprecated: use `authorization` instead. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2. - type: boolean - filterRunning: - description: |- - filterRunning when true, the pods which are not running (e.g. either in Failed or - Succeeded state) are dropped during the target discovery. - - If unset, the filtering is enabled. - - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase - type: boolean - followRedirects: - description: |- - followRedirects defines whether the client should follow HTTP 3xx - redirects. - type: boolean - honorLabels: - description: |- - honorLabels when true preserves the metric's labels when they collide - with the target's labels. - type: boolean - honorTimestamps: - description: |- - honorTimestamps defines whether Prometheus preserves the timestamps - when exposed by the target. - type: boolean - interval: - description: |- - interval at which Prometheus scrapes the metrics from the target. - - If empty, Prometheus uses the global scrape interval. 
- pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - metricRelabelings: - description: |- - metricRelabelings defines the relabeling rules to apply to the - samples before ingestion. - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. 
- For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the OAuth2 settings used by the client. - - It requires Prometheus >= 2.27.0. - - Cannot be set at the same time as `authorization`, `basicAuth` or `bearerTokenSecret`. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. 
- type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. 
- It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - params: - additionalProperties: - items: - type: string - type: array - description: params define optional HTTP URL parameters. - type: object - path: - description: |- - path defines the HTTP path from which to scrape for metrics. - - If empty, Prometheus uses the default value (e.g. `/metrics`). - type: string - port: - description: |- - port defines the `Pod` port name which exposes the endpoint. - - If the pod doesn't expose a port with the same name, it will result - in no targets being discovered. - - If a `Pod` has multiple `Port`s with the same name (which is not - recommended), one target instance per unique port number will be - generated. - - It takes precedence over the `portNumber` and `targetPort` fields. - type: string - portNumber: - description: |- - portNumber defines the `Pod` port number which exposes the endpoint. - - The `Pod` must declare the specified `Port` in its spec or the - target will be dropped by Prometheus. 
- - This cannot be used to enable scraping of an undeclared port. - To scrape targets on a port which isn't exposed, you need to use - relabeling to override the `__address__` label (but beware of - duplicate targets if the `Pod` has other declared ports). - - In practice Prometheus will select targets for which the - matches the target's __meta_kubernetes_pod_container_port_number. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - relabelings: - description: |- - relabelings defines the relabeling rules to apply the target's - metadata labels. 
- - The Operator automatically adds relabelings for a few standard Kubernetes fields. - - The original scrape job's name is available via the `__tmp_prometheus_job_name` label. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. 
- items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - scheme: - description: scheme defines the HTTP scheme to use for scraping. - enum: - - http - - https - - HTTP - - HTTPS - type: string - scrapeTimeout: - description: |- - scrapeTimeout defines the timeout after which Prometheus considers the scrape to be failed. - - If empty, Prometheus uses the global scrape timeout unless it is less - than the target's scrape interval value in which the latter is used. - The value cannot be greater than the scrape interval otherwise the operator will reject the resource. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - targetPort defines the name or number of the target port of the `Pod` object behind the Service, the - port must be specified with container port property. - - Deprecated: use 'port' or 'portNumber' instead. - x-kubernetes-int-or-string: true - tlsConfig: - description: tlsConfig defines the TLS configuration used by - the client. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. 
- - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - trackTimestampsStaleness: - description: |- - trackTimestampsStaleness defines whether Prometheus tracks staleness of - the metrics that have an explicit timestamp present in scraped data. - Has no effect if `honorTimestamps` is false. - - It requires Prometheus >= v2.48.0. - type: boolean - type: object - type: array - podTargetLabels: - description: |- - podTargetLabels defines the labels which are transferred from the - associated Kubernetes `Pod` object onto the ingested metrics. - items: - type: string - type: array - sampleLimit: - description: |- - sampleLimit defines a per-scrape limit on the number of scraped samples - that will be accepted. - format: int64 - type: integer - scrapeClass: - description: scrapeClass defines the scrape class to apply. - minLength: 1 - type: string - scrapeClassicHistograms: - description: |- - scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram. - It requires Prometheus >= v2.45.0. - - Notice: `scrapeClassicHistograms` corresponds to the `always_scrape_classic_histograms` field in the Prometheus configuration. - type: boolean - scrapeProtocols: - description: |- - scrapeProtocols defines the protocols to negotiate during a scrape. It tells clients the - protocols supported by Prometheus in order of preference (from most to least preferred). - - If unset, Prometheus uses its default value. - - It requires Prometheus >= v2.49.0. 
- items: - description: |- - ScrapeProtocol represents a protocol used by Prometheus for scraping metrics. - Supported values are: - * `OpenMetricsText0.0.1` - * `OpenMetricsText1.0.0` - * `PrometheusProto` - * `PrometheusText0.0.4` - * `PrometheusText1.0.0` - enum: - - PrometheusProto - - OpenMetricsText0.0.1 - - OpenMetricsText1.0.0 - - PrometheusText0.0.4 - - PrometheusText1.0.0 - type: string - type: array - x-kubernetes-list-type: set - selector: - description: selector defines the label selector to select the Kubernetes - `Pod` objects to scrape metrics from. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - selectorMechanism: - description: |- - selectorMechanism defines the mechanism used to select the endpoints to scrape. - By default, the selection process relies on relabel configurations to filter the discovered targets. - Alternatively, you can opt in for role selectors, which may offer better efficiency in large clusters. - Which strategy is best for your use case needs to be carefully evaluated. - - It requires Prometheus >= v2.17.0. - enum: - - RelabelConfig - - RoleSelector - type: string - targetLimit: - description: |- - targetLimit defines a limit on the number of scraped targets that will - be accepted. - format: int64 - type: integer - required: - - selector - type: object - status: - description: |- - status defines the status subresource. It is under active development and is updated only when the - "StatusForConfigurationResources" feature gate is enabled. - - Most recent observed status of the PodMonitor. Read-only. - More info: - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - bindings: - description: bindings defines the list of workload resources (Prometheus, - PrometheusAgent, ThanosRuler or Alertmanager) which select the configuration - resource. - items: - description: WorkloadBinding is a link between a configuration resource - and a workload resource. - properties: - conditions: - description: conditions defines the current state of the configuration - resource when bound to the referenced Workload object. - items: - description: ConfigResourceCondition describes the status - of configuration resources linked to Prometheus, PrometheusAgent, - Alertmanager or ThanosRuler. - properties: - lastTransitionTime: - description: lastTransitionTime defines the time of the - last update to the current status property. 
- format: date-time - type: string - message: - description: message defines the human-readable message - indicating details for the condition's last transition. - type: string - observedGeneration: - description: |- - observedGeneration defines the .metadata.generation that the - condition was set based upon. For instance, if `.metadata.generation` is - currently 12, but the `.status.conditions[].observedGeneration` is 9, the - condition is out of date with respect to the current state of the object. - format: int64 - type: integer - reason: - description: reason for the condition's last transition. - type: string - status: - description: status of the condition. - minLength: 1 - type: string - type: - description: |- - type of the condition being reported. - Currently, only "Accepted" is supported. - enum: - - Accepted - minLength: 1 - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - group: - description: group defines the group of the referenced resource. - enum: - - monitoring.coreos.com - type: string - name: - description: name defines the name of the referenced object. - minLength: 1 - type: string - namespace: - description: namespace defines the namespace of the referenced - object. - minLength: 1 - type: string - resource: - description: resource defines the type of resource being referenced - (e.g. Prometheus, PrometheusAgent, ThanosRuler or Alertmanager). 
- enum: - - prometheuses - - prometheusagents - - thanosrulers - - alertmanagers - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - name - - namespace - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-probes.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - operator.prometheus.io/version: 0.87.0 - name: probes.monitoring.coreos.com -spec: - group: monitoring.coreos.com - names: - categories: - - prometheus-operator - kind: Probe - listKind: ProbeList - plural: probes - shortNames: - - prb - singular: probe - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - The `Probe` custom resource definition (CRD) defines how to scrape metrics from prober exporters such as the [blackbox exporter](https://github.com/prometheus/blackbox_exporter). - - The `Probe` resource needs 2 pieces of information: - * The list of probed addresses which can be defined statically or by discovering Kubernetes Ingress objects. - * The prober which exposes the availability of probed endpoints (over various protocols such HTTP, TCP, ICMP, ...) as Prometheus metrics. - - `Prometheus` and `PrometheusAgent` objects select `Probe` objects using label and namespace selectors. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec defines the specification of desired Ingress selection - for target discovery by Prometheus. - properties: - authorization: - description: authorization section for this endpoint - properties: - credentials: - description: credentials defines a key of a Secret in the namespace - that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth allow an endpoint to authenticate over basic authentication. - More info: https://prometheus.io/docs/operating/configuration/#endpoint - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. 
- properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenSecret: - description: |- - bearerTokenSecret defines the secret to mount to read bearer token for scraping targets. The secret - needs to be in the same namespace as the probe and accessible by - the Prometheus Operator. - properties: - key: - description: The key of the secret to select from. Must be a - valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - convertClassicHistogramsToNHCB: - description: |- - convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native histogram with custom buckets. - It requires Prometheus >= v3.0.0. - type: boolean - fallbackScrapeProtocol: - description: |- - fallbackScrapeProtocol defines the protocol to use if a scrape returns blank, unparseable, or otherwise invalid Content-Type. - - It requires Prometheus >= v3.0.0. - enum: - - PrometheusProto - - OpenMetricsText0.0.1 - - OpenMetricsText1.0.0 - - PrometheusText0.0.4 - - PrometheusText1.0.0 - type: string - interval: - description: |- - interval at which targets are probed using the configured prober. - If not specified Prometheus' global scrape interval is used. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - jobName: - description: jobName assigned to scraped metrics by default. - type: string - keepDroppedTargets: - description: |- - keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling - that will be kept in memory. 0 means no limit. - - It requires Prometheus >= v2.47.0. - format: int64 - type: integer - labelLimit: - description: |- - labelLimit defines the per-scrape limit on number of labels that will be accepted for a sample. - Only valid in Prometheus versions 2.27.0 and newer. - format: int64 - type: integer - labelNameLengthLimit: - description: |- - labelNameLengthLimit defines the per-scrape limit on length of labels name that will be accepted for a sample. - Only valid in Prometheus versions 2.27.0 and newer. 
- format: int64 - type: integer - labelValueLengthLimit: - description: |- - labelValueLengthLimit defines the per-scrape limit on length of labels value that will be accepted for a sample. - Only valid in Prometheus versions 2.27.0 and newer. - format: int64 - type: integer - metricRelabelings: - description: metricRelabelings defines the RelabelConfig to apply - to samples before ingestion. - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against which - the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. 
Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - module: - description: |- - module to use for probing specifying how to probe the target. - Example module configuring in the blackbox exporter: - https://github.com/prometheus/blackbox_exporter/blob/master/example.yml - type: string - nativeHistogramBucketLimit: - description: |- - nativeHistogramBucketLimit defines ff there are more than this many buckets in a native histogram, - buckets will be merged to stay within the limit. - It requires Prometheus >= v2.45.0. - format: int64 - type: integer - nativeHistogramMinBucketFactor: - anyOf: - - type: integer - - type: string - description: |- - nativeHistogramMinBucketFactor defines if the growth factor of one bucket to the next is smaller than this, - buckets will be merged to increase the factor sufficiently. - It requires Prometheus >= v2.50.0. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - oauth2: - description: oauth2 for the URL. Only valid in Prometheus versions - 2.27.0 and newer. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. 
- properties: - configMap: - description: configMap defines the ConfigMap containing data - to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data to - use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). 
- - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the token - request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. 
- type: boolean - keySecret: - description: keySecret defines the Secret containing the client - key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - params: - description: |- - params defines the list of HTTP query parameters for the scrape. - Please note that the `.spec.module` field takes precedence over the `module` parameter from this list when both are defined. - The module name must be added using Module under ProbeSpec. - items: - description: ProbeParam defines specification of extra parameters - for a Probe. 
- properties: - name: - description: name defines the parameter name - minLength: 1 - type: string - values: - description: values defines the parameter values - items: - minLength: 1 - type: string - minItems: 1 - type: array - required: - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - prober: - description: |- - prober defines the specification for the prober to use for probing targets. - The prober.URL parameter is required. Targets cannot be probed if left empty. - properties: - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - path: - default: /probe - description: |- - path to collect metrics from. - Defaults to `/probe`. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scheme: - description: scheme defines the HTTP scheme to use when scraping - the prober. - enum: - - http - - https - - HTTP - - HTTPS - type: string - url: - description: |- - url defines the address of the prober. - - Unlike what the name indicates, the value should be in the form of - `address:port` without any scheme which should be specified in the - `scheme` field. - minLength: 1 - type: string - required: - - url - type: object - sampleLimit: - description: sampleLimit defines per-scrape limit on number of scraped - samples that will be accepted. - format: int64 - type: integer - scrapeClass: - description: scrapeClass defines the scrape class to apply. - minLength: 1 - type: string - scrapeClassicHistograms: - description: |- - scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram. - It requires Prometheus >= v2.45.0. - - Notice: `scrapeClassicHistograms` corresponds to the `always_scrape_classic_histograms` field in the Prometheus configuration. - type: boolean - scrapeProtocols: - description: |- - scrapeProtocols defines the protocols to negotiate during a scrape. It tells clients the - protocols supported by Prometheus in order of preference (from most to least preferred). - - If unset, Prometheus uses its default value. - - It requires Prometheus >= v2.49.0. - items: - description: |- - ScrapeProtocol represents a protocol used by Prometheus for scraping metrics. 
- Supported values are: - * `OpenMetricsText0.0.1` - * `OpenMetricsText1.0.0` - * `PrometheusProto` - * `PrometheusText0.0.4` - * `PrometheusText1.0.0` - enum: - - PrometheusProto - - OpenMetricsText0.0.1 - - OpenMetricsText1.0.0 - - PrometheusText0.0.4 - - PrometheusText1.0.0 - type: string - type: array - x-kubernetes-list-type: set - scrapeTimeout: - description: |- - scrapeTimeout defines the timeout for scraping metrics from the Prometheus exporter. - If not specified, the Prometheus global scrape timeout is used. - The value cannot be greater than the scrape interval otherwise the operator will reject the resource. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - targetLimit: - description: targetLimit defines a limit on the number of scraped - targets that will be accepted. - format: int64 - type: integer - targets: - description: targets defines a set of static or dynamically discovered - targets to probe. - properties: - ingress: - description: |- - ingress defines the Ingress objects to probe and the relabeling - configuration. - If `staticConfig` is also defined, `staticConfig` takes precedence. - properties: - namespaceSelector: - description: namespaceSelector defines from which namespaces - to select Ingress objects. - properties: - any: - description: |- - any defines the boolean describing whether all namespaces are selected in contrast to a - list restricting them. - type: boolean - matchNames: - description: matchNames defines the list of namespace - names to select from. - items: - type: string - type: array - type: object - relabelingConfigs: - description: |- - relabelingConfigs to apply to the label set of the target before it gets - scraped. - The original ingress address is available via the - `__tmp_prometheus_ingress_address` label. It can be used to customize the - probed URL. - The original scrape job's name is available via the `__tmp_prometheus_job_name` label. 
- More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. 
- For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - selector: - description: selector to select the Ingress objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - type: object - staticConfig: - description: |- - staticConfig defines the static list of targets to probe and the - relabeling configuration. - If `ingress` is also defined, `staticConfig` takes precedence. - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#static_config. - properties: - labels: - additionalProperties: - type: string - description: labels defines all labels assigned to all metrics - scraped from the targets. - type: object - relabelingConfigs: - description: |- - relabelingConfigs defines relabelings to be apply to the label set of the targets before it gets - scraped. - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. 
- type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - static: - description: static defines the list of hosts to probe. - items: - type: string - type: array - type: object - type: object - tlsConfig: - description: tlsConfig defines the TLS configuration to use when scraping - the endpoint. - properties: - ca: - description: ca defines the Certificate authority used when verifying - server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing data - to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data to - use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present when - doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing data - to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data to - use for the targets. - properties: - key: - description: The key of the secret to select from. 
Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the client - key file for the targets. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for the - targets. 
- type: string - type: object - type: object - status: - description: |- - status defines the status subresource. It is under active development and is updated only when the - "StatusForConfigurationResources" feature gate is enabled. - - Most recent observed status of the Probe. Read-only. - More info: - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - bindings: - description: bindings defines the list of workload resources (Prometheus, - PrometheusAgent, ThanosRuler or Alertmanager) which select the configuration - resource. - items: - description: WorkloadBinding is a link between a configuration resource - and a workload resource. - properties: - conditions: - description: conditions defines the current state of the configuration - resource when bound to the referenced Workload object. - items: - description: ConfigResourceCondition describes the status - of configuration resources linked to Prometheus, PrometheusAgent, - Alertmanager or ThanosRuler. - properties: - lastTransitionTime: - description: lastTransitionTime defines the time of the - last update to the current status property. - format: date-time - type: string - message: - description: message defines the human-readable message - indicating details for the condition's last transition. - type: string - observedGeneration: - description: |- - observedGeneration defines the .metadata.generation that the - condition was set based upon. For instance, if `.metadata.generation` is - currently 12, but the `.status.conditions[].observedGeneration` is 9, the - condition is out of date with respect to the current state of the object. - format: int64 - type: integer - reason: - description: reason for the condition's last transition. - type: string - status: - description: status of the condition. - minLength: 1 - type: string - type: - description: |- - type of the condition being reported. 
- Currently, only "Accepted" is supported. - enum: - - Accepted - minLength: 1 - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - group: - description: group defines the group of the referenced resource. - enum: - - monitoring.coreos.com - type: string - name: - description: name defines the name of the referenced object. - minLength: 1 - type: string - namespace: - description: namespace defines the namespace of the referenced - object. - minLength: 1 - type: string - resource: - description: resource defines the type of resource being referenced - (e.g. Prometheus, PrometheusAgent, ThanosRuler or Alertmanager). - enum: - - prometheuses - - prometheusagents - - thanosrulers - - alertmanagers - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - name - - namespace - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-prometheusagents.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - operator.prometheus.io/version: 0.87.0 - name: prometheusagents.monitoring.coreos.com -spec: - group: monitoring.coreos.com - names: - categories: - - prometheus-operator - kind: PrometheusAgent - listKind: PrometheusAgentList - plural: prometheusagents - shortNames: - - promagent - singular: prometheusagent - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The version of Prometheus agent - jsonPath: .spec.version - name: Version - type: string - - description: The number of desired replicas - jsonPath: .spec.replicas - name: Desired - type: integer - - 
description: The number of ready replicas - jsonPath: .status.availableReplicas - name: Ready - type: integer - - jsonPath: .status.conditions[?(@.type == 'Reconciled')].status - name: Reconciled - type: string - - jsonPath: .status.conditions[?(@.type == 'Available')].status - name: Available - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Whether the resource reconciliation is paused or not - jsonPath: .status.paused - name: Paused - priority: 1 - type: boolean - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - The `PrometheusAgent` custom resource definition (CRD) defines a desired [Prometheus Agent](https://prometheus.io/blog/2021/11/16/agent/) setup to run in a Kubernetes cluster. - - The CRD is very similar to the `Prometheus` CRD except for features which aren't available in agent mode like rule evaluation, persistent storage and Thanos sidecar. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec defines the specification of the desired behavior of the Prometheus agent. 
More info: - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - additionalArgs: - description: |- - additionalArgs allows setting additional arguments for the 'prometheus' container. - - It is intended for e.g. activating hidden flags which are not supported by - the dedicated configuration options yet. The arguments are passed as-is to the - Prometheus container which may cause issues if they are invalid or not supported - by the given Prometheus version. - - In case of an argument conflict (e.g. an argument which is already set by the - operator itself) or when providing an invalid argument, the reconciliation will - fail and an error will be logged. - items: - description: Argument as part of the AdditionalArgs list. - properties: - name: - description: name of the argument, e.g. "scrape.discovery-reload-interval". - minLength: 1 - type: string - value: - description: value defines the argument value, e.g. 30s. Can - be empty for name-only arguments (e.g. --storage.tsdb.no-lockfile) - type: string - required: - - name - type: object - type: array - additionalScrapeConfigs: - description: |- - additionalScrapeConfigs allows specifying a key of a Secret containing - additional Prometheus scrape configurations. Scrape configurations - specified are appended to the configurations generated by the Prometheus - Operator. Job configurations specified must have the form as specified - in the official Prometheus documentation: - https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config. - As scrape configs are appended, the user is responsible to make sure it - is valid. Note that using this feature may expose the possibility to - break upgrades of Prometheus. It is advised to review Prometheus release - notes to ensure that no incompatible scrape configs are going to break - Prometheus after the upgrade. 
- properties: - key: - description: The key of the secret to select from. Must be a - valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - affinity: - description: affinity defines the Pods' affinity scheduling rules - if specified. - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the - pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the - corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding - nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate - this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. 
The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. 
The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. - avoid putting this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - apiserverConfig: - description: |- - apiserverConfig allows specifying a host and auth methods to access the - Kuberntees API server. - If null, Prometheus is assumed to run inside of the cluster: it will - discover the API servers automatically and use the Pod's CA certificate - and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/. 
- properties: - authorization: - description: |- - authorization section for the API server. - - Cannot be set at the same time as `basicAuth`, `bearerToken`, or - `bearerTokenFile`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - credentialsFile: - description: credentialsFile defines the file to read a secret - from, mutually exclusive with `credentials`. - type: string - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth configuration for the API server. - - Cannot be set at the same time as `authorization`, `bearerToken`, or - `bearerTokenFile`. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerToken: - description: |- - bearerToken is deprecated: this will be removed in a future release. - *Warning: this field shouldn't be used because the token value appears - in clear-text. Prefer using `authorization`.* - type: string - bearerTokenFile: - description: |- - bearerTokenFile defines the file to read bearer token for accessing apiserver. - - Cannot be set at the same time as `basicAuth`, `authorization`, or `bearerToken`. - - Deprecated: this will be removed in a future release. Prefer using `authorization`. - type: string - host: - description: |- - host defines the Kubernetes API address consisting of a hostname or IP address followed - by an optional port number. - type: string - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. 
- - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: tlsConfig to use for the API server. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - caFile: - description: caFile defines the path to the CA cert in the - Prometheus container to use for the targets. - type: string - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: certFile defines the path to the client cert - file in the Prometheus container for the targets. - type: string - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keyFile: - description: keyFile defines the path to the client key file - in the Prometheus container for the targets. - type: string - keySecret: - description: keySecret defines the Secret containing the client - key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - required: - - host - type: object - arbitraryFSAccessThroughSMs: - description: |- - arbitraryFSAccessThroughSMs when true, ServiceMonitor, PodMonitor and Probe object are forbidden to - reference arbitrary files on the file system of the 'prometheus' - container. - When a ServiceMonitor's endpoint specifies a `bearerTokenFile` value - (e.g. '/var/run/secrets/kubernetes.io/serviceaccount/token'), a - malicious target can get access to the Prometheus service account's - token in the Prometheus' scrape request. Setting - `spec.arbitraryFSAccessThroughSM` to 'true' would prevent the attack. - Users should instead provide the credentials using the - `spec.bearerTokenSecret` field. - properties: - deny: - description: |- - deny prevents service monitors from accessing arbitrary files on the file system. - When true, service monitors cannot use file-based configurations like BearerTokenFile - that could potentially access sensitive files. When false (default), such access is allowed. - Setting this to true enhances security by preventing potential credential theft attacks. 
- type: boolean - type: object - automountServiceAccountToken: - description: |- - automountServiceAccountToken defines whether a service account token should be automatically mounted in the pod. - If the field isn't set, the operator mounts the service account token by default. - - **Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery. - It is possible to use strategic merge patch to project the service account token into the 'prometheus' container. - type: boolean - bodySizeLimit: - description: |- - bodySizeLimit defines per-scrape on response body size. - Only valid in Prometheus versions 2.45.0 and newer. - - Note that the global limit only applies to scrape objects that don't specify an explicit limit value. - If you want to enforce a maximum limit for all scrape objects, refer to enforcedBodySizeLimit. - pattern: (^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$ - type: string - configMaps: - description: |- - configMaps defines a list of ConfigMaps in the same namespace as the Prometheus - object, which shall be mounted into the Prometheus Pods. - Each ConfigMap is added to the StatefulSet definition as a volume named `configmap-`. - The ConfigMaps are mounted into /etc/prometheus/configmaps/ in the 'prometheus' container. - items: - type: string - type: array - containers: - description: |- - containers allows injecting additional containers or modifying operator - generated containers. This can be used to allow adding an authentication - proxy to the Pods or to change the behavior of an operator generated - container. Containers described here modify an operator generated - container if they share the same name and modifications are done via a - strategic merge patch. 
- - The names of containers managed by the operator are: - * `prometheus` - * `config-reloader` - * `thanos-sidecar` - - Overriding containers is entirely outside the scope of what the - maintainers will support and by doing so, you accept that this behaviour - may break at any time without notice. - items: - description: A single application container that you want to run - within a pod. - properties: - args: - description: |- - Arguments to the entrypoint. - The container image's CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - command: - description: |- - Entrypoint array. Not executed within a shell. - The container image's ENTRYPOINT is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. 
- More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - env: - description: |- - List of environment variables to set in the container. - Cannot be updated. - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. - If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount containing - the env file. 
- type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - envFrom: - description: |- - List of sources to populate environment variables in the container. - The keys defined within a source may consist of any printable ASCII characters except '='. 
- When a key exists in multiple - sources, the value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will take precedence. - Cannot be updated. - items: - description: EnvFromSource represents the source of a set - of ConfigMaps or Secrets - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap must be - defined - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - description: |- - Optional text to prepend to the name of each environment variable. - May consist of any printable ASCII characters except '='. - type: string - secretRef: - description: The Secret to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - image: - description: |- - Container image name. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. 
- type: string - imagePullPolicy: - description: |- - Image pull policy. - One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - type: string - lifecycle: - description: |- - Actions that the management system should take in response to container lifecycle events. - Cannot be updated. - properties: - postStart: - description: |- - PostStart is called immediately after a container is created. If the handler fails, - the container is terminated and restarted according to its restart policy. - Other management of the container blocks until the hook completes. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute in - the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. 
- This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that the container - should sleep. - properties: - seconds: - description: Seconds is the number of seconds to - sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: |- - PreStop is called immediately before a container is terminated due to an - API request or management event such as liveness/startup probe failure, - preemption, resource contention, etc. The handler is not called if the - container crashes or exits. The Pod's termination grace period countdown begins before the - PreStop hook is executed. 
Regardless of the outcome of the handler, the - container will eventually terminate within the Pod's termination grace - period (unless delayed by finalizers). Other management of the container blocks until the hook completes - or until the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute in - the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. 
- Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that the container - should sleep. - properties: - seconds: - description: Seconds is the number of seconds to - sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - stopSignal: - description: |- - StopSignal defines which signal will be sent to a container when it is being stopped. - If not specified, the default is defined by the container runtime in use. - StopSignal can only be set for Pods with a non-empty .spec.os.name - type: string - type: object - livenessProbe: - description: |- - Periodic probe of container liveness. - Container will be restarted if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. 
The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. 
- type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. 
Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - name: - description: |- - Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. - type: string - ports: - description: |- - List of ports to expose from the container. Not specifying a port here - DOES NOT prevent that port from being exposed. Any port which is - listening on the default "0.0.0.0" address inside a container will be - accessible from the network. - Modifying this array with strategic merge patch may corrupt the data. - For more information See https://github.com/kubernetes/kubernetes/issues/108255. - Cannot be updated. - items: - description: ContainerPort represents a network port in a - single container. - properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. - This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: |- - Number of port to expose on the host. - If specified, this must be a valid port number, 0 < x < 65536. - If HostNetwork is specified, this must match ContainerPort. - Most containers do not need this. 
- format: int32 - type: integer - name: - description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. - type: string - protocol: - default: TCP - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. - Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: |- - Periodic probe of container service readiness. - Container will be removed from service endpoints if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. 
- format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. 
- format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - resizePolicy: - description: Resources resize policy for the container. 
- items: - description: ContainerResizePolicy represents resource resize - policy for the container. - properties: - resourceName: - description: |- - Name of the resource to which this resource resize policy applies. - Supported values: cpu, memory. - type: string - restartPolicy: - description: |- - Restart policy to apply when specified resource is resized. - If not specified, it defaults to NotRequired. - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - Compute Resources required by this container. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - restartPolicy: - description: |- - RestartPolicy defines the restart behavior of individual containers in a pod. - This overrides the pod-level restart policy. When this field is not specified, - the restart behavior is defined by the Pod's restart policy and the container type. - Additionally, setting the RestartPolicy as "Always" for the init container will - have the following effect: - this init container will be continually restarted on - exit until all regular containers have terminated. Once all regular - containers have completed, all init containers with restartPolicy "Always" - will be shut down. This lifecycle differs from normal init containers and - is often referred to as a "sidecar" container. Although this init - container still starts in the init container sequence, it does not wait - for the container to complete before proceeding to the next init - container. Instead, the next init container starts immediately after this - init container is started, or after any startupProbe has successfully - completed. - type: string - restartPolicyRules: - description: |- - Represents a list of rules to be checked to determine if the - container should be restarted on exit. The rules are evaluated in - order. 
Once a rule matches a container exit condition, the remaining - rules are ignored. If no rule matches the container exit condition, - the Container-level restart policy determines the whether the container - is restarted or not. Constraints on the rules: - - At most 20 rules are allowed. - - Rules can have the same action. - - Identical rules are not forbidden in validations. - When rules are specified, container MUST set RestartPolicy explicitly - even it if matches the Pod's RestartPolicy. - items: - description: ContainerRestartRule describes how a container - exit is handled. - properties: - action: - description: |- - Specifies the action taken on a container exit if the requirements - are satisfied. The only possible value is "Restart" to restart the - container. - type: string - exitCodes: - description: Represents the exit codes to check on container - exits. - properties: - operator: - description: |- - Represents the relationship between the container exit code(s) and the - specified values. Possible values are: - - In: the requirement is satisfied if the container exit code is in the - set of specified values. - - NotIn: the requirement is satisfied if the container exit code is - not in the set of specified values. - type: string - values: - description: |- - Specifies the set of values to check for container exit codes. - At most 255 elements are allowed. - items: - format: int32 - type: integer - type: array - x-kubernetes-list-type: set - required: - - operator - type: object - required: - - action - type: object - type: array - x-kubernetes-list-type: atomic - securityContext: - description: |- - SecurityContext defines the security options the container should be run with. - If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. 
- More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by this container. If set, this profile - overrides the pod's appArmorProfile. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default value is Default which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". 
Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - type: object - type: object - startupProbe: - description: |- - StartupProbe indicates that the Pod has successfully initialized. - If specified, no other probes are executed until this completes successfully. - If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, - when it might take a long time to load data or warm a cache, than during steady-state operation. - This cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. 
- type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
- format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - stdin: - description: |- - Whether this container should allocate a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will always result in EOF. - Default is false. 
- type: boolean - stdinOnce: - description: |- - Whether the container runtime should close the stdin channel after it has been opened by - a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the - first client attaches to stdin, and then remains open and accepts data until the client disconnects, - at which time stdin is closed and remains closed until the container is restarted. If this - flag is false, a container processes that reads from stdin will never receive an EOF. - Default is false - type: boolean - terminationMessagePath: - description: |- - Optional: Path at which the file to which the container's termination message - will be written is mounted into the container's filesystem. - Message written is intended to be brief final status, such as an assertion failure message. - Will be truncated by the node if greater than 4096 bytes. The total message length across - all containers will be limited to 12kb. - Defaults to /dev/termination-log. - Cannot be updated. - type: string - terminationMessagePolicy: - description: |- - Indicate how the termination message should be populated. File will use the contents of - terminationMessagePath to populate the container status message on both success and failure. - FallbackToLogsOnError will use the last chunk of container log output if the termination - message file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, whichever is smaller. - Defaults to File. - Cannot be updated. - type: string - tty: - description: |- - Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. - Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices to be - used by the container. 
- items: - description: volumeDevice describes a mapping of a raw block - device within a container. - properties: - devicePath: - description: devicePath is the path inside of the container - that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - devicePath - x-kubernetes-list-type: map - volumeMounts: - description: |- - Pod volumes to mount into the container's filesystem. - Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. 
If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - mountPath - x-kubernetes-list-type: map - workingDir: - description: |- - Container's working directory. - If not specified, the container runtime's default will be used, which - might be configured in the container image. - Cannot be updated. - type: string - required: - - name - type: object - type: array - convertClassicHistogramsToNHCB: - description: |- - convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native - histogram with custom buckets. - - It requires Prometheus >= v3.4.0. - type: boolean - dnsConfig: - description: dnsConfig defines the DNS configuration for the pods. - properties: - nameservers: - description: |- - nameservers defines the list of DNS name server IP addresses. - This will be appended to the base nameservers generated from DNSPolicy. 
- items: - minLength: 1 - type: string - type: array - x-kubernetes-list-type: set - options: - description: |- - options defines the list of DNS resolver options. - This will be merged with the base options generated from DNSPolicy. - Resolution options given in Options - will override those that appear in the base DNSPolicy. - items: - description: PodDNSConfigOption defines DNS resolver options - of a pod. - properties: - name: - description: name is required and must be unique. - minLength: 1 - type: string - value: - description: value is optional. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - searches: - description: |- - searches defines the list of DNS search domains for host-name lookup. - This will be appended to the base search paths generated from DNSPolicy. - items: - minLength: 1 - type: string - type: array - x-kubernetes-list-type: set - type: object - dnsPolicy: - description: dnsPolicy defines the DNS policy for the pods. - enum: - - ClusterFirstWithHostNet - - ClusterFirst - - Default - - None - type: string - enableFeatures: - description: |- - enableFeatures enables access to Prometheus feature flags. By default, no features are enabled. - - Enabling features which are disabled by default is entirely outside the - scope of what the maintainers will support and by doing so, you accept - that this behaviour may break at any time without notice. - - For more information see https://prometheus.io/docs/prometheus/latest/feature_flags/ - items: - minLength: 1 - type: string - type: array - x-kubernetes-list-type: set - enableOTLPReceiver: - description: |- - enableOTLPReceiver defines the Prometheus to be used as a receiver for the OTLP Metrics protocol. - - Note that the OTLP receiver endpoint is automatically enabled if `.spec.otlpConfig` is defined. - - It requires Prometheus >= v2.47.0. 
- type: boolean - enableRemoteWriteReceiver: - description: |- - enableRemoteWriteReceiver defines the Prometheus to be used as a receiver for the Prometheus remote - write protocol. - - WARNING: This is not considered an efficient way of ingesting samples. - Use it with caution for specific low-volume use cases. - It is not suitable for replacing the ingestion via scraping and turning - Prometheus into a push-based metrics collection system. - For more information see https://prometheus.io/docs/prometheus/latest/querying/api/#remote-write-receiver - - It requires Prometheus >= v2.33.0. - type: boolean - enableServiceLinks: - description: enableServiceLinks defines whether information about - services should be injected into pod's environment variables - type: boolean - enforcedBodySizeLimit: - description: |- - enforcedBodySizeLimit when defined specifies a global limit on the size - of uncompressed response body that will be accepted by Prometheus. - Targets responding with a body larger than this many bytes will cause - the scrape to fail. - - It requires Prometheus >= v2.28.0. - - When both `enforcedBodySizeLimit` and `bodySizeLimit` are defined and greater than zero, the following rules apply: - * Scrape objects without a defined bodySizeLimit value will inherit the global bodySizeLimit value (Prometheus >= 2.45.0) or the enforcedBodySizeLimit value (Prometheus < v2.45.0). - If Prometheus version is >= 2.45.0 and the `enforcedBodySizeLimit` is greater than the `bodySizeLimit`, the `bodySizeLimit` will be set to `enforcedBodySizeLimit`. - * Scrape objects with a bodySizeLimit value less than or equal to enforcedBodySizeLimit keep their specific value. - * Scrape objects with a bodySizeLimit value greater than enforcedBodySizeLimit are set to enforcedBodySizeLimit. 
- pattern: (^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$ - type: string - enforcedKeepDroppedTargets: - description: |- - enforcedKeepDroppedTargets when defined specifies a global limit on the number of targets - dropped by relabeling that will be kept in memory. The value overrides - any `spec.keepDroppedTargets` set by - ServiceMonitor, PodMonitor, Probe objects unless `spec.keepDroppedTargets` is - greater than zero and less than `spec.enforcedKeepDroppedTargets`. - - It requires Prometheus >= v2.47.0. - - When both `enforcedKeepDroppedTargets` and `keepDroppedTargets` are defined and greater than zero, the following rules apply: - * Scrape objects without a defined keepDroppedTargets value will inherit the global keepDroppedTargets value (Prometheus >= 2.45.0) or the enforcedKeepDroppedTargets value (Prometheus < v2.45.0). - If Prometheus version is >= 2.45.0 and the `enforcedKeepDroppedTargets` is greater than the `keepDroppedTargets`, the `keepDroppedTargets` will be set to `enforcedKeepDroppedTargets`. - * Scrape objects with a keepDroppedTargets value less than or equal to enforcedKeepDroppedTargets keep their specific value. - * Scrape objects with a keepDroppedTargets value greater than enforcedKeepDroppedTargets are set to enforcedKeepDroppedTargets. - format: int64 - type: integer - enforcedLabelLimit: - description: |- - enforcedLabelLimit when defined specifies a global limit on the number - of labels per sample. The value overrides any `spec.labelLimit` set by - ServiceMonitor, PodMonitor, Probe objects unless `spec.labelLimit` is - greater than zero and less than `spec.enforcedLabelLimit`. - - It requires Prometheus >= v2.27.0. - - When both `enforcedLabelLimit` and `labelLimit` are defined and greater than zero, the following rules apply: - * Scrape objects without a defined labelLimit value will inherit the global labelLimit value (Prometheus >= 2.45.0) or the enforcedLabelLimit value (Prometheus < v2.45.0). 
- If Prometheus version is >= 2.45.0 and the `enforcedLabelLimit` is greater than the `labelLimit`, the `labelLimit` will be set to `enforcedLabelLimit`. - * Scrape objects with a labelLimit value less than or equal to enforcedLabelLimit keep their specific value. - * Scrape objects with a labelLimit value greater than enforcedLabelLimit are set to enforcedLabelLimit. - format: int64 - type: integer - enforcedLabelNameLengthLimit: - description: |- - enforcedLabelNameLengthLimit when defined specifies a global limit on the length - of labels name per sample. The value overrides any `spec.labelNameLengthLimit` set by - ServiceMonitor, PodMonitor, Probe objects unless `spec.labelNameLengthLimit` is - greater than zero and less than `spec.enforcedLabelNameLengthLimit`. - - It requires Prometheus >= v2.27.0. - - When both `enforcedLabelNameLengthLimit` and `labelNameLengthLimit` are defined and greater than zero, the following rules apply: - * Scrape objects without a defined labelNameLengthLimit value will inherit the global labelNameLengthLimit value (Prometheus >= 2.45.0) or the enforcedLabelNameLengthLimit value (Prometheus < v2.45.0). - If Prometheus version is >= 2.45.0 and the `enforcedLabelNameLengthLimit` is greater than the `labelNameLengthLimit`, the `labelNameLengthLimit` will be set to `enforcedLabelNameLengthLimit`. - * Scrape objects with a labelNameLengthLimit value less than or equal to enforcedLabelNameLengthLimit keep their specific value. - * Scrape objects with a labelNameLengthLimit value greater than enforcedLabelNameLengthLimit are set to enforcedLabelNameLengthLimit. - format: int64 - type: integer - enforcedLabelValueLengthLimit: - description: |- - enforcedLabelValueLengthLimit when not null defines a global limit on the length - of labels value per sample. 
The value overrides any `spec.labelValueLengthLimit` set by - ServiceMonitor, PodMonitor, Probe objects unless `spec.labelValueLengthLimit` is - greater than zero and less than `spec.enforcedLabelValueLengthLimit`. - - It requires Prometheus >= v2.27.0. - - When both `enforcedLabelValueLengthLimit` and `labelValueLengthLimit` are defined and greater than zero, the following rules apply: - * Scrape objects without a defined labelValueLengthLimit value will inherit the global labelValueLengthLimit value (Prometheus >= 2.45.0) or the enforcedLabelValueLengthLimit value (Prometheus < v2.45.0). - If Prometheus version is >= 2.45.0 and the `enforcedLabelValueLengthLimit` is greater than the `labelValueLengthLimit`, the `labelValueLengthLimit` will be set to `enforcedLabelValueLengthLimit`. - * Scrape objects with a labelValueLengthLimit value less than or equal to enforcedLabelValueLengthLimit keep their specific value. - * Scrape objects with a labelValueLengthLimit value greater than enforcedLabelValueLengthLimit are set to enforcedLabelValueLengthLimit. - format: int64 - type: integer - enforcedNamespaceLabel: - description: |- - enforcedNamespaceLabel when not empty, a label will be added to: - - 1. All metrics scraped from `ServiceMonitor`, `PodMonitor`, `Probe` and `ScrapeConfig` objects. - 2. All metrics generated from recording rules defined in `PrometheusRule` objects. - 3. All alerts generated from alerting rules defined in `PrometheusRule` objects. - 4. All vector selectors of PromQL expressions defined in `PrometheusRule` objects. - - The label will not added for objects referenced in `spec.excludedFromEnforcement`. - - The label's name is this field's value. - The label's value is the namespace of the `ServiceMonitor`, - `PodMonitor`, `Probe`, `PrometheusRule` or `ScrapeConfig` object. - type: string - enforcedSampleLimit: - description: |- - enforcedSampleLimit when defined specifies a global limit on the number - of scraped samples that will be accepted. 
This overrides any - `spec.sampleLimit` set by ServiceMonitor, PodMonitor, Probe objects - unless `spec.sampleLimit` is greater than zero and less than - `spec.enforcedSampleLimit`. - - It is meant to be used by admins to keep the overall number of - samples/series under a desired limit. - - When both `enforcedSampleLimit` and `sampleLimit` are defined and greater than zero, the following rules apply: - * Scrape objects without a defined sampleLimit value will inherit the global sampleLimit value (Prometheus >= 2.45.0) or the enforcedSampleLimit value (Prometheus < v2.45.0). - If Prometheus version is >= 2.45.0 and the `enforcedSampleLimit` is greater than the `sampleLimit`, the `sampleLimit` will be set to `enforcedSampleLimit`. - * Scrape objects with a sampleLimit value less than or equal to enforcedSampleLimit keep their specific value. - * Scrape objects with a sampleLimit value greater than enforcedSampleLimit are set to enforcedSampleLimit. - format: int64 - type: integer - enforcedTargetLimit: - description: |- - enforcedTargetLimit when defined specifies a global limit on the number - of scraped targets. The value overrides any `spec.targetLimit` set by - ServiceMonitor, PodMonitor, Probe objects unless `spec.targetLimit` is - greater than zero and less than `spec.enforcedTargetLimit`. - - It is meant to be used by admins to to keep the overall number of - targets under a desired limit. - - When both `enforcedTargetLimit` and `targetLimit` are defined and greater than zero, the following rules apply: - * Scrape objects without a defined targetLimit value will inherit the global targetLimit value (Prometheus >= 2.45.0) or the enforcedTargetLimit value (Prometheus < v2.45.0). - If Prometheus version is >= 2.45.0 and the `enforcedTargetLimit` is greater than the `targetLimit`, the `targetLimit` will be set to `enforcedTargetLimit`. - * Scrape objects with a targetLimit value less than or equal to enforcedTargetLimit keep their specific value. 
- * Scrape objects with a targetLimit value greater than enforcedTargetLimit are set to enforcedTargetLimit. - format: int64 - type: integer - excludedFromEnforcement: - description: |- - excludedFromEnforcement defines the list of references to PodMonitor, ServiceMonitor, Probe and PrometheusRule objects - to be excluded from enforcing a namespace label of origin. - - It is only applicable if `spec.enforcedNamespaceLabel` set to true. - items: - description: ObjectReference references a PodMonitor, ServiceMonitor, - Probe or PrometheusRule object. - properties: - group: - default: monitoring.coreos.com - description: group of the referent. When not specified, it defaults - to `monitoring.coreos.com` - enum: - - monitoring.coreos.com - type: string - name: - description: name of the referent. When not set, all resources - in the namespace are matched. - type: string - namespace: - description: |- - namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - resource: - description: resource of the referent. - enum: - - prometheusrules - - servicemonitors - - podmonitors - - probes - - scrapeconfigs - type: string - required: - - namespace - - resource - type: object - type: array - externalLabels: - additionalProperties: - type: string - description: |- - externalLabels defines the labels to add to any time series or alerts when communicating with - external systems (federation, remote storage, Alertmanager). - Labels defined by `spec.replicaExternalLabelName` and - `spec.prometheusExternalLabelName` take precedence over this list. - type: object - externalUrl: - description: |- - externalUrl defines the external URL under which the Prometheus service is externally - available. This is necessary to generate correct URLs (for instance if - Prometheus is accessible behind an Ingress resource). 
- type: string - hostAliases: - description: |- - hostAliases defines the optional list of hosts and IPs that will be injected into the Pod's - hosts file if specified. - items: - description: |- - HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the - pod's hosts file. - properties: - hostnames: - description: hostnames defines hostnames for the above IP address. - items: - type: string - type: array - ip: - description: ip defines the IP address of the host file entry. - type: string - required: - - hostnames - - ip - type: object - type: array - x-kubernetes-list-map-keys: - - ip - x-kubernetes-list-type: map - hostNetwork: - description: |- - hostNetwork defines the host's network namespace if true. - - Make sure to understand the security implications if you want to enable - it (https://kubernetes.io/docs/concepts/configuration/overview/ ). - - When hostNetwork is enabled, this will set the DNS policy to - `ClusterFirstWithHostNet` automatically (unless `.spec.DNSPolicy` is set - to a different value). - type: boolean - hostUsers: - description: |- - hostUsers supports the user space in Kubernetes. - - More info: https://kubernetes.io/docs/tasks/configure-pod-container/user-namespaces/ - - The feature requires at least Kubernetes 1.28 with the `UserNamespacesSupport` feature gate enabled. - Starting Kubernetes 1.33, the feature is enabled by default. - type: boolean - ignoreNamespaceSelectors: - description: |- - ignoreNamespaceSelectors when true, `spec.namespaceSelector` from all PodMonitor, ServiceMonitor - and Probe objects will be ignored. They will only discover targets - within the namespace of the PodMonitor, ServiceMonitor and Probe - object. - type: boolean - image: - description: |- - image defines the container image name for Prometheus. If specified, it takes precedence - over the `spec.baseImage`, `spec.tag` and `spec.sha` fields. 
- - Specifying `spec.version` is still necessary to ensure the Prometheus - Operator knows which version of Prometheus is being configured. - - If neither `spec.image` nor `spec.baseImage` are defined, the operator - will use the latest upstream version of Prometheus available at the time - when the operator was released. - type: string - imagePullPolicy: - description: |- - imagePullPolicy defines the image pull policy for the 'prometheus', 'init-config-reloader' and 'config-reloader' containers. - See https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy for more details. - enum: - - "" - - Always - - Never - - IfNotPresent - type: string - imagePullSecrets: - description: |- - imagePullSecrets defines an optional list of references to Secrets in the same namespace - to use for pulling images from registries. - See http://kubernetes.io/docs/user-guide/images#specifying-imagepullsecrets-on-a-pod - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - initContainers: - description: |- - initContainers allows injecting initContainers to the Pod definition. Those - can be used to e.g. fetch secrets for injection into the Prometheus - configuration from external sources. Any errors during the execution of - an initContainer will lead to a restart of the Pod. 
More info: - https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - InitContainers described here modify an operator generated init - containers if they share the same name and modifications are done via a - strategic merge patch. - - The names of init container name managed by the operator are: - * `init-config-reloader`. - - Overriding init containers is entirely outside the scope of what the - maintainers will support and by doing so, you accept that this behaviour - may break at any time without notice. - items: - description: A single application container that you want to run - within a pod. - properties: - args: - description: |- - Arguments to the entrypoint. - The container image's CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - command: - description: |- - Entrypoint array. Not executed within a shell. - The container image's ENTRYPOINT is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. 
- More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - env: - description: |- - List of environment variables to set in the container. - Cannot be updated. - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. - If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount containing - the env file. 
- type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - envFrom: - description: |- - List of sources to populate environment variables in the container. - The keys defined within a source may consist of any printable ASCII characters except '='. 
- When a key exists in multiple - sources, the value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will take precedence. - Cannot be updated. - items: - description: EnvFromSource represents the source of a set - of ConfigMaps or Secrets - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap must be - defined - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - description: |- - Optional text to prepend to the name of each environment variable. - May consist of any printable ASCII characters except '='. - type: string - secretRef: - description: The Secret to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - image: - description: |- - Container image name. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. 
- type: string - imagePullPolicy: - description: |- - Image pull policy. - One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - type: string - lifecycle: - description: |- - Actions that the management system should take in response to container lifecycle events. - Cannot be updated. - properties: - postStart: - description: |- - PostStart is called immediately after a container is created. If the handler fails, - the container is terminated and restarted according to its restart policy. - Other management of the container blocks until the hook completes. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute in - the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. 
- This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that the container - should sleep. - properties: - seconds: - description: Seconds is the number of seconds to - sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: |- - PreStop is called immediately before a container is terminated due to an - API request or management event such as liveness/startup probe failure, - preemption, resource contention, etc. The handler is not called if the - container crashes or exits. The Pod's termination grace period countdown begins before the - PreStop hook is executed. 
Regardless of the outcome of the handler, the - container will eventually terminate within the Pod's termination grace - period (unless delayed by finalizers). Other management of the container blocks until the hook completes - or until the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute in - the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. 
- Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that the container - should sleep. - properties: - seconds: - description: Seconds is the number of seconds to - sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - stopSignal: - description: |- - StopSignal defines which signal will be sent to a container when it is being stopped. - If not specified, the default is defined by the container runtime in use. - StopSignal can only be set for Pods with a non-empty .spec.os.name - type: string - type: object - livenessProbe: - description: |- - Periodic probe of container liveness. - Container will be restarted if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. 
The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. 
- type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. 
Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - name: - description: |- - Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. - type: string - ports: - description: |- - List of ports to expose from the container. Not specifying a port here - DOES NOT prevent that port from being exposed. Any port which is - listening on the default "0.0.0.0" address inside a container will be - accessible from the network. - Modifying this array with strategic merge patch may corrupt the data. - For more information See https://github.com/kubernetes/kubernetes/issues/108255. - Cannot be updated. - items: - description: ContainerPort represents a network port in a - single container. - properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. - This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: |- - Number of port to expose on the host. - If specified, this must be a valid port number, 0 < x < 65536. - If HostNetwork is specified, this must match ContainerPort. - Most containers do not need this. 
- format: int32 - type: integer - name: - description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. - type: string - protocol: - default: TCP - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. - Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: |- - Periodic probe of container service readiness. - Container will be removed from service endpoints if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. 
- format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. 
- format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - resizePolicy: - description: Resources resize policy for the container. 
- items: - description: ContainerResizePolicy represents resource resize - policy for the container. - properties: - resourceName: - description: |- - Name of the resource to which this resource resize policy applies. - Supported values: cpu, memory. - type: string - restartPolicy: - description: |- - Restart policy to apply when specified resource is resized. - If not specified, it defaults to NotRequired. - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - Compute Resources required by this container. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - restartPolicy: - description: |- - RestartPolicy defines the restart behavior of individual containers in a pod. - This overrides the pod-level restart policy. When this field is not specified, - the restart behavior is defined by the Pod's restart policy and the container type. - Additionally, setting the RestartPolicy as "Always" for the init container will - have the following effect: - this init container will be continually restarted on - exit until all regular containers have terminated. Once all regular - containers have completed, all init containers with restartPolicy "Always" - will be shut down. This lifecycle differs from normal init containers and - is often referred to as a "sidecar" container. Although this init - container still starts in the init container sequence, it does not wait - for the container to complete before proceeding to the next init - container. Instead, the next init container starts immediately after this - init container is started, or after any startupProbe has successfully - completed. - type: string - restartPolicyRules: - description: |- - Represents a list of rules to be checked to determine if the - container should be restarted on exit. The rules are evaluated in - order. 
Once a rule matches a container exit condition, the remaining - rules are ignored. If no rule matches the container exit condition, - the Container-level restart policy determines the whether the container - is restarted or not. Constraints on the rules: - - At most 20 rules are allowed. - - Rules can have the same action. - - Identical rules are not forbidden in validations. - When rules are specified, container MUST set RestartPolicy explicitly - even it if matches the Pod's RestartPolicy. - items: - description: ContainerRestartRule describes how a container - exit is handled. - properties: - action: - description: |- - Specifies the action taken on a container exit if the requirements - are satisfied. The only possible value is "Restart" to restart the - container. - type: string - exitCodes: - description: Represents the exit codes to check on container - exits. - properties: - operator: - description: |- - Represents the relationship between the container exit code(s) and the - specified values. Possible values are: - - In: the requirement is satisfied if the container exit code is in the - set of specified values. - - NotIn: the requirement is satisfied if the container exit code is - not in the set of specified values. - type: string - values: - description: |- - Specifies the set of values to check for container exit codes. - At most 255 elements are allowed. - items: - format: int32 - type: integer - type: array - x-kubernetes-list-type: set - required: - - operator - type: object - required: - - action - type: object - type: array - x-kubernetes-list-type: atomic - securityContext: - description: |- - SecurityContext defines the security options the container should be run with. - If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. 
- More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by this container. If set, this profile - overrides the pod's appArmorProfile. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default value is Default which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". 
Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - type: object - type: object - startupProbe: - description: |- - StartupProbe indicates that the Pod has successfully initialized. - If specified, no other probes are executed until this completes successfully. - If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, - when it might take a long time to load data or warm a cache, than during steady-state operation. - This cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. 
- type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
- format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - stdin: - description: |- - Whether this container should allocate a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will always result in EOF. - Default is false. 
- type: boolean - stdinOnce: - description: |- - Whether the container runtime should close the stdin channel after it has been opened by - a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the - first client attaches to stdin, and then remains open and accepts data until the client disconnects, - at which time stdin is closed and remains closed until the container is restarted. If this - flag is false, a container processes that reads from stdin will never receive an EOF. - Default is false - type: boolean - terminationMessagePath: - description: |- - Optional: Path at which the file to which the container's termination message - will be written is mounted into the container's filesystem. - Message written is intended to be brief final status, such as an assertion failure message. - Will be truncated by the node if greater than 4096 bytes. The total message length across - all containers will be limited to 12kb. - Defaults to /dev/termination-log. - Cannot be updated. - type: string - terminationMessagePolicy: - description: |- - Indicate how the termination message should be populated. File will use the contents of - terminationMessagePath to populate the container status message on both success and failure. - FallbackToLogsOnError will use the last chunk of container log output if the termination - message file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, whichever is smaller. - Defaults to File. - Cannot be updated. - type: string - tty: - description: |- - Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. - Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices to be - used by the container. 
- items: - description: volumeDevice describes a mapping of a raw block - device within a container. - properties: - devicePath: - description: devicePath is the path inside of the container - that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - devicePath - x-kubernetes-list-type: map - volumeMounts: - description: |- - Pod volumes to mount into the container's filesystem. - Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. 
If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - mountPath - x-kubernetes-list-type: map - workingDir: - description: |- - Container's working directory. - If not specified, the container runtime's default will be used, which - might be configured in the container image. - Cannot be updated. - type: string - required: - - name - type: object - type: array - keepDroppedTargets: - description: |- - keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling - that will be kept in memory. 0 means no limit. - - It requires Prometheus >= v2.47.0. - - Note that the global limit only applies to scrape objects that don't specify an explicit limit value. - If you want to enforce a maximum limit for all scrape objects, refer to enforcedKeepDroppedTargets. - format: int64 - type: integer - labelLimit: - description: |- - labelLimit defines per-scrape limit on number of labels that will be accepted for a sample. 
- Only valid in Prometheus versions 2.45.0 and newer. - - Note that the global limit only applies to scrape objects that don't specify an explicit limit value. - If you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelLimit. - format: int64 - type: integer - labelNameLengthLimit: - description: |- - labelNameLengthLimit defines the per-scrape limit on length of labels name that will be accepted for a sample. - Only valid in Prometheus versions 2.45.0 and newer. - - Note that the global limit only applies to scrape objects that don't specify an explicit limit value. - If you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelNameLengthLimit. - format: int64 - type: integer - labelValueLengthLimit: - description: |- - labelValueLengthLimit defines the per-scrape limit on length of labels value that will be accepted for a sample. - Only valid in Prometheus versions 2.45.0 and newer. - - Note that the global limit only applies to scrape objects that don't specify an explicit limit value. - If you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelValueLengthLimit. - format: int64 - type: integer - listenLocal: - description: |- - listenLocal when true, the Prometheus server listens on the loopback address - instead of the Pod IP's address. - type: boolean - logFormat: - description: logFormat for Log level for Prometheus and the config-reloader - sidecar. - enum: - - "" - - logfmt - - json - type: string - logLevel: - description: logLevel for Prometheus and the config-reloader sidecar. - enum: - - "" - - debug - - info - - warn - - error - type: string - maximumStartupDurationSeconds: - description: |- - maximumStartupDurationSeconds defines the maximum time that the `prometheus` container's startup probe will wait before being considered failed. The startup probe will return success after the WAL replay is complete. - If set, the value should be greater than 60 (seconds). 
Otherwise it will be equal to 900 seconds (15 minutes). - format: int32 - minimum: 60 - type: integer - minReadySeconds: - description: |- - minReadySeconds defines the minimum number of seconds for which a newly created Pod should be ready - without any of its container crashing for it to be considered available. - - If unset, pods will be considered available as soon as they are ready. - format: int32 - minimum: 0 - type: integer - mode: - description: |- - mode defines how the Prometheus operator deploys the PrometheusAgent pod(s). - - (Alpha) Using this field requires the `PrometheusAgentDaemonSet` feature gate to be enabled. - enum: - - StatefulSet - - DaemonSet - type: string - nameEscapingScheme: - description: |- - nameEscapingScheme defines the character escaping scheme that will be requested when scraping - for metric and label names that do not conform to the legacy Prometheus - character set. - - It requires Prometheus >= v3.4.0. - enum: - - AllowUTF8 - - Underscores - - Dots - - Values - type: string - nameValidationScheme: - description: |- - nameValidationScheme defines the validation scheme for metric and label names. - - It requires Prometheus >= v2.55.0. - enum: - - UTF8 - - Legacy - type: string - nodeSelector: - additionalProperties: - type: string - description: nodeSelector defines on which Nodes the Pods are scheduled. - type: object - otlp: - description: |- - otlp defines the settings related to the OTLP receiver feature. - It requires Prometheus >= v2.55.0. - properties: - convertHistogramsToNHCB: - description: |- - convertHistogramsToNHCB defines optional translation of OTLP explicit bucket histograms into native histograms with custom buckets. - It requires Prometheus >= v3.4.0. - type: boolean - ignoreResourceAttributes: - description: |- - ignoreResourceAttributes defines the list of OpenTelemetry resource attributes to ignore when `promoteAllResourceAttributes` is true. - - It requires `promoteAllResourceAttributes` to be true. 
- It requires Prometheus >= v3.5.0. - items: - minLength: 1 - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - keepIdentifyingResourceAttributes: - description: |- - keepIdentifyingResourceAttributes enables adding `service.name`, `service.namespace` and `service.instance.id` - resource attributes to the `target_info` metric, on top of converting them into the `instance` and `job` labels. - - It requires Prometheus >= v3.1.0. - type: boolean - promoteAllResourceAttributes: - description: |- - promoteAllResourceAttributes promotes all resource attributes to metric labels except the ones defined in `ignoreResourceAttributes`. - - Cannot be true when `promoteResourceAttributes` is defined. - It requires Prometheus >= v3.5.0. - type: boolean - promoteResourceAttributes: - description: |- - promoteResourceAttributes defines the list of OpenTelemetry Attributes that should be promoted to metric labels, defaults to none. - Cannot be defined when `promoteAllResourceAttributes` is true. - items: - minLength: 1 - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - promoteScopeMetadata: - description: |- - promoteScopeMetadata controls whether to promote OpenTelemetry scope metadata (i.e. name, version, schema URL, and attributes) to metric labels. - As per the OpenTelemetry specification, the aforementioned scope metadata should be identifying, i.e. made into metric labels. - It requires Prometheus >= v3.6.0. - type: boolean - translationStrategy: - description: |- - translationStrategy defines how the OTLP receiver endpoint translates the incoming metrics. - - It requires Prometheus >= v3.0.0. 
- enum: - - NoUTF8EscapingWithSuffixes - - UnderscoreEscapingWithSuffixes - - NoTranslation - - UnderscoreEscapingWithoutSuffixes - type: string - type: object - overrideHonorLabels: - description: |- - overrideHonorLabels when true, Prometheus resolves label conflicts by renaming the labels in the scraped data - to “exported_” for all targets created from ServiceMonitor, PodMonitor and - ScrapeConfig objects. Otherwise the HonorLabels field of the service or pod monitor applies. - In practice,`OverrideHonorLabels:true` enforces `honorLabels:false` - for all ServiceMonitor, PodMonitor and ScrapeConfig objects. - type: boolean - overrideHonorTimestamps: - description: |- - overrideHonorTimestamps when true, Prometheus ignores the timestamps for all the targets created - from service and pod monitors. - Otherwise the HonorTimestamps field of the service or pod monitor applies. - type: boolean - paused: - description: |- - paused defines when a Prometheus deployment is paused, no actions except for deletion - will be performed on the underlying objects. - type: boolean - persistentVolumeClaimRetentionPolicy: - description: |- - persistentVolumeClaimRetentionPolicy defines the field controls if and how PVCs are deleted during the lifecycle of a StatefulSet. - The default behavior is all PVCs are retained. - This is an alpha field from kubernetes 1.23 until 1.26 and a beta field from 1.26. - It requires enabling the StatefulSetAutoDeletePVC feature gate. - properties: - whenDeleted: - description: |- - WhenDeleted specifies what happens to PVCs created from StatefulSet - VolumeClaimTemplates when the StatefulSet is deleted. The default policy - of `Retain` causes PVCs to not be affected by StatefulSet deletion. The - `Delete` policy causes those PVCs to be deleted. - type: string - whenScaled: - description: |- - WhenScaled specifies what happens to PVCs created from StatefulSet - VolumeClaimTemplates when the StatefulSet is scaled down. 
The default - policy of `Retain` causes PVCs to not be affected by a scaledown. The - `Delete` policy causes the associated PVCs for any excess pods above - the replica count to be deleted. - type: string - type: object - podMetadata: - description: |- - podMetadata defines labels and annotations which are propagated to the Prometheus pods. - - The following items are reserved and cannot be overridden: - * "prometheus" label, set to the name of the Prometheus object. - * "app.kubernetes.io/instance" label, set to the name of the Prometheus object. - * "app.kubernetes.io/managed-by" label, set to "prometheus-operator". - * "app.kubernetes.io/name" label, set to "prometheus". - * "app.kubernetes.io/version" label, set to the Prometheus version. - * "operator.prometheus.io/name" label, set to the name of the Prometheus object. - * "operator.prometheus.io/shard" label, set to the shard number of the Prometheus object. - * "kubectl.kubernetes.io/default-container" annotation, set to "prometheus". - properties: - annotations: - additionalProperties: - type: string - description: |- - annotations defines an unstructured key value map stored with a resource that may be - set by external tools to store and retrieve arbitrary metadata. They are not - queryable and should be preserved when modifying objects. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - type: object - labels: - additionalProperties: - type: string - description: |- - labels define the map of string keys and values that can be used to organize and categorize - (scope and select) objects. May match selectors of replication controllers - and services. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - type: object - name: - description: |- - name must be unique within a namespace. Is required when creating resources, although - some resources may allow a client to request the generation of an appropriate name - automatically. 
Name is primarily intended for creation idempotence and configuration - definition. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/ - type: string - type: object - podMonitorNamespaceSelector: - description: |- - podMonitorNamespaceSelector defines the namespaces to match for PodMonitors discovery. An empty label selector - matches all namespaces. A null label selector (default value) matches the current - namespace only. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podMonitorSelector: - description: |- - podMonitorSelector defines the podMonitors to be selected for target discovery. 
An empty label selector - matches all objects. A null label selector matches no objects. - - If `spec.serviceMonitorSelector`, `spec.podMonitorSelector`, `spec.probeSelector` - and `spec.scrapeConfigSelector` are null, the Prometheus configuration is unmanaged. - The Prometheus operator will ensure that the Prometheus configuration's - Secret exists, but it is the responsibility of the user to provide the raw - gzipped Prometheus configuration under the `prometheus.yaml.gz` key. - This behavior is *deprecated* and will be removed in the next major version - of the custom resource definition. It is recommended to use - `spec.additionalScrapeConfigs` instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - podTargetLabels: - description: |- - podTargetLabels are appended to the `spec.podTargetLabels` field of all - PodMonitor and ServiceMonitor objects. - items: - type: string - type: array - portName: - default: web - description: |- - portName used for the pods and governing service. - Default: "web" - type: string - priorityClassName: - description: priorityClassName assigned to the Pods. - type: string - probeNamespaceSelector: - description: |- - probeNamespaceSelector defines the namespaces to match for Probe discovery. An empty label - selector matches all namespaces. A null label selector matches the - current namespace only. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - probeSelector: - description: |- - probeSelector defines the probes to be selected for target discovery. An empty label selector - matches all objects. A null label selector matches no objects. - - If `spec.serviceMonitorSelector`, `spec.podMonitorSelector`, `spec.probeSelector` - and `spec.scrapeConfigSelector` are null, the Prometheus configuration is unmanaged. - The Prometheus operator will ensure that the Prometheus configuration's - Secret exists, but it is the responsibility of the user to provide the raw - gzipped Prometheus configuration under the `prometheus.yaml.gz` key. - This behavior is *deprecated* and will be removed in the next major version - of the custom resource definition. It is recommended to use - `spec.additionalScrapeConfigs` instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - prometheusExternalLabelName: - description: |- - prometheusExternalLabelName defines the name of Prometheus external label used to denote the Prometheus instance - name. The external label will _not_ be added when the field is set to - the empty string (`""`). - - Default: "prometheus" - type: string - reloadStrategy: - description: |- - reloadStrategy defines the strategy used to reload the Prometheus configuration. - If not specified, the configuration is reloaded using the /-/reload HTTP endpoint. - enum: - - HTTP - - ProcessSignal - type: string - remoteWrite: - description: remoteWrite defines the list of remote write configurations. - items: - description: |- - RemoteWriteSpec defines the configuration to write samples from Prometheus - to a remote endpoint. - properties: - authorization: - description: |- - authorization section for the URL. - - It requires Prometheus >= v2.26.0 or Thanos >= v0.24.0. - - Cannot be set at the same time as `sigv4`, `basicAuth`, `oauth2`, or `azureAd`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - credentialsFile: - description: credentialsFile defines the file to read a - secret from, mutually exclusive with `credentials`. - type: string - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - azureAd: - description: |- - azureAd for the URL. - - It requires Prometheus >= v2.45.0 or Thanos >= v0.31.0. - - Cannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `sigv4`. - properties: - cloud: - description: cloud defines the Azure Cloud. Options are - 'AzurePublic', 'AzureChina', or 'AzureGovernment'. - enum: - - AzureChina - - AzureGovernment - - AzurePublic - type: string - managedIdentity: - description: |- - managedIdentity defines the Azure User-assigned Managed identity. - Cannot be set at the same time as `oauth` or `sdk`. - properties: - clientId: - description: |- - clientId defines the Azure User-assigned Managed identity. - - For Prometheus >= 3.5.0 and Thanos >= 0.40.0, this field is allowed to be empty to support system-assigned managed identities. - minLength: 1 - type: string - type: object - oauth: - description: |- - oauth defines the oauth config that is being used to authenticate. - Cannot be set at the same time as `managedIdentity` or `sdk`. - - It requires Prometheus >= v2.48.0 or Thanos >= v0.31.0. 
- properties: - clientId: - description: clientId defines the clientId of the Azure - Active Directory application that is being used to - authenticate. - minLength: 1 - type: string - clientSecret: - description: clientSecret specifies a key of a Secret - containing the client secret of the Azure Active Directory - application that is being used to authenticate. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - tenantId: - description: tenantId is the tenant ID of the Azure - Active Directory application that is being used to - authenticate. - minLength: 1 - pattern: ^[0-9a-zA-Z-.]+$ - type: string - required: - - clientId - - clientSecret - - tenantId - type: object - sdk: - description: |- - sdk defines the Azure SDK config that is being used to authenticate. - See https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication - Cannot be set at the same time as `oauth` or `managedIdentity`. - - It requires Prometheus >= v2.52.0 or Thanos >= v0.36.0. - properties: - tenantId: - description: tenantId defines the tenant ID of the azure - active directory application that is being used to - authenticate. - pattern: ^[0-9a-zA-Z-.]+$ - type: string - type: object - type: object - basicAuth: - description: |- - basicAuth configuration for the URL. - - Cannot be set at the same time as `sigv4`, `authorization`, `oauth2`, or `azureAd`. 
- properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerToken: - description: |- - bearerToken is deprecated: this will be removed in a future release. - *Warning: this field shouldn't be used because the token value appears - in clear-text. Prefer using `authorization`.* - type: string - bearerTokenFile: - description: |- - bearerTokenFile defines the file from which to read bearer token for the URL. - - Deprecated: this will be removed in a future release. Prefer using `authorization`. 
- type: string - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects defines whether HTTP requests follow HTTP 3xx redirects. - - It requires Prometheus >= v2.26.0 or Thanos >= v0.24.0. - type: boolean - headers: - additionalProperties: - type: string - description: |- - headers defines the custom HTTP headers to be sent along with each remote write request. - Be aware that headers that are set by Prometheus itself can't be overwritten. - - It requires Prometheus >= v2.25.0 or Thanos >= v0.24.0. - type: object - messageVersion: - description: |- - messageVersion defines the Remote Write message's version to use when writing to the endpoint. - - `Version1.0` corresponds to the `prometheus.WriteRequest` protobuf message introduced in Remote Write 1.0. - `Version2.0` corresponds to the `io.prometheus.write.v2.Request` protobuf message introduced in Remote Write 2.0. - - When `Version2.0` is selected, Prometheus will automatically be - configured to append the metadata of scraped metrics to the WAL. - - Before setting this field, consult with your remote storage provider - what message version it supports. - - It requires Prometheus >= v2.54.0 or Thanos >= v0.37.0. - enum: - - V1.0 - - V2.0 - type: string - metadataConfig: - description: |- - metadataConfig defines how to send a series metadata to the remote storage. - - When the field is empty, **no metadata** is sent. But when the field is - null, metadata is sent. - properties: - maxSamplesPerSend: - description: |- - maxSamplesPerSend defines the maximum number of metadata samples per send. - - It requires Prometheus >= v2.29.0. - format: int32 - minimum: -1 - type: integer - send: - description: send defines whether metric metadata is sent - to the remote storage or not. - type: boolean - sendInterval: - description: sendInterval defines how frequently metric - metadata is sent to the remote storage. 
- pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - type: object - name: - description: |- - name of the remote write queue, it must be unique if specified. The - name is used in metrics and logging in order to differentiate queues. - - It requires Prometheus >= v2.15.0 or Thanos >= 0.24.0. - type: string - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 configuration for the URL. - - It requires Prometheus >= v2.27.0 or Thanos >= v0.24.0. - - Cannot be set at the same time as `sigv4`, `authorization`, `basicAuth`, or `azureAd`. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. 
- properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. 
- enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - queueConfig: - description: queueConfig allows tuning of the remote write queue - parameters. 
- properties: - batchSendDeadline: - description: batchSendDeadline defines the maximum time - a sample will wait in buffer. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - capacity: - description: |- - capacity defines the number of samples to buffer per shard before we start - dropping them. - type: integer - maxBackoff: - description: maxBackoff defines the maximum retry delay. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - maxRetries: - description: maxRetries defines the maximum number of times - to retry a batch on recoverable errors. - type: integer - maxSamplesPerSend: - description: maxSamplesPerSend defines the maximum number - of samples per send. - type: integer - maxShards: - description: maxShards defines the maximum number of shards, - i.e. amount of concurrency. - type: integer - minBackoff: - description: minBackoff defines the initial retry delay. - Gets doubled for every retry. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - minShards: - description: minShards defines the minimum number of shards, - i.e. amount of concurrency. - type: integer - retryOnRateLimit: - description: |- - retryOnRateLimit defines the retry upon receiving a 429 status code from the remote-write storage. - - This is an *experimental feature*, it may change in any upcoming release - in a breaking way. - type: boolean - sampleAgeLimit: - description: |- - sampleAgeLimit drops samples older than the limit. - It requires Prometheus >= v2.50.0 or Thanos >= v0.32.0. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - type: object - remoteTimeout: - description: remoteTimeout defines the timeout for requests - to the remote write endpoint. 
- pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - roundRobinDNS: - description: "roundRobinDNS controls the DNS resolution behavior - for remote-write connections.\nWhen enabled:\n - The remote-write - mechanism will resolve the hostname via DNS.\n - It will - randomly select one of the resolved IP addresses and connect - to it.\n\nWhen disabled (default behavior):\n - The Go standard - library will handle hostname resolution.\n - It will attempt - connections to each resolved IP address sequentially.\n\nNote: - The connection timeout applies to the entire resolution and - connection process.\n\n\tIf disabled, the timeout is distributed - across all connection attempts.\n\nIt requires Prometheus - >= v3.1.0 or Thanos >= v0.38.0." - type: boolean - sendExemplars: - description: |- - sendExemplars enables sending of exemplars over remote write. Note that - exemplar-storage itself must be enabled using the `spec.enableFeatures` - option for exemplars to be scraped in the first place. - - It requires Prometheus >= v2.27.0 or Thanos >= v0.24.0. - type: boolean - sendNativeHistograms: - description: |- - sendNativeHistograms enables sending of native histograms, also known as sparse histograms - over remote write. - - It requires Prometheus >= v2.40.0 or Thanos >= v0.30.0. - type: boolean - sigv4: - description: |- - sigv4 defines the AWS's Signature Verification 4 for the URL. - - It requires Prometheus >= v2.26.0 or Thanos >= v0.24.0. - - Cannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `azureAd`. - properties: - accessKey: - description: |- - accessKey defines the AWS API key. If not specified, the environment variable - `AWS_ACCESS_KEY_ID` is used. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - profile: - description: profile defines the named AWS profile used - to authenticate. - type: string - region: - description: region defines the AWS region. If blank, the - region from the default credentials chain used. - type: string - roleArn: - description: roleArn defines the named AWS profile used - to authenticate. - type: string - secretKey: - description: |- - secretKey defines the AWS API secret. If not specified, the environment - variable `AWS_SECRET_ACCESS_KEY` is used. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - useFIPSSTSEndpoint: - description: |- - useFIPSSTSEndpoint defines the FIPS mode for the AWS STS endpoint. - It requires Prometheus >= v2.54.0. - type: boolean - type: object - tlsConfig: - description: tlsConfig to use for the URL. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. 
- properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - caFile: - description: caFile defines the path to the CA cert in the - Prometheus container to use for the targets. - type: string - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: certFile defines the path to the client cert - file in the Prometheus container for the targets. - type: string - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keyFile: - description: keyFile defines the path to the client key - file in the Prometheus container for the targets. - type: string - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - url: - description: url defines the URL of the endpoint to send samples - to. - minLength: 1 - type: string - writeRelabelConfigs: - description: writeRelabelConfigs defines the list of remote - write relabel configurations. - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. 
- - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - required: - - url - type: object - type: array - remoteWriteReceiverMessageVersions: - description: |- - remoteWriteReceiverMessageVersions list of the protobuf message versions to accept when receiving the - remote writes. 
- - It requires Prometheus >= v2.54.0. - items: - enum: - - V1.0 - - V2.0 - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - replicaExternalLabelName: - description: |- - replicaExternalLabelName defines the name of Prometheus external label used to denote the replica name. - The external label will _not_ be added when the field is set to the - empty string (`""`). - - Default: "prometheus_replica" - type: string - replicas: - description: |- - replicas defines the number of replicas of each shard to deploy for a Prometheus deployment. - `spec.replicas` multiplied by `spec.shards` is the total number of Pods - created. - - Default: 1 - format: int32 - type: integer - resources: - description: resources defines the resources requests and limits of - the 'prometheus' container. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - routePrefix: - description: |- - routePrefix defines the route prefix Prometheus registers HTTP handlers for. - - This is useful when using `spec.externalURL`, and a proxy is rewriting - HTTP routes of a request, and the actual ExternalURL is still true, but - the server serves requests under a different route prefix. For example - for use with `kubectl proxy`. - type: string - runtime: - description: runtime defines the values for the Prometheus process - behavior - properties: - goGC: - description: |- - goGC defines the Go garbage collection target percentage. Lowering this number may increase the CPU usage. 
- See: https://tip.golang.org/doc/gc-guide#GOGC - format: int32 - minimum: -1 - type: integer - type: object - sampleLimit: - description: |- - sampleLimit defines per-scrape limit on number of scraped samples that will be accepted. - Only valid in Prometheus versions 2.45.0 and newer. - - Note that the global limit only applies to scrape objects that don't specify an explicit limit value. - If you want to enforce a maximum limit for all scrape objects, refer to enforcedSampleLimit. - format: int64 - type: integer - scrapeClasses: - description: |- - scrapeClasses defines the list of scrape classes to expose to scraping objects such as - PodMonitors, ServiceMonitors, Probes and ScrapeConfigs. - - This is an *experimental feature*, it may change in any upcoming release - in a breaking way. - items: - properties: - attachMetadata: - description: |- - attachMetadata defines additional metadata to the discovered targets. - When the scrape object defines its own configuration, it takes - precedence over the scrape class configuration. - properties: - node: - description: |- - node when set to true, Prometheus attaches node metadata to the discovered - targets. - - The Prometheus service account must have the `list` and `watch` - permissions on the `Nodes` objects. - type: boolean - type: object - authorization: - description: |- - authorization section for the ScrapeClass. - It will only apply if the scrape resource doesn't specify any Authorization. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - credentialsFile: - description: credentialsFile defines the file to read a - secret from, mutually exclusive with `credentials`. - type: string - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - default: - description: |- - default defines that the scrape applies to all scrape objects that - don't configure an explicit scrape class name. - - Only one scrape class can be set as the default. - type: boolean - fallbackScrapeProtocol: - description: |- - fallbackScrapeProtocol defines the protocol to use if a scrape returns blank, unparseable, or otherwise invalid Content-Type. - It will only apply if the scrape resource doesn't specify any FallbackScrapeProtocol - - It requires Prometheus >= v3.0.0. - enum: - - PrometheusProto - - OpenMetricsText0.0.1 - - OpenMetricsText1.0.0 - - PrometheusText0.0.4 - - PrometheusText1.0.0 - type: string - metricRelabelings: - description: |- - metricRelabelings defines the relabeling rules to apply to all samples before ingestion. - - The Operator adds the scrape class metric relabelings defined here. - Then the Operator adds the target-specific metric relabelings defined in ServiceMonitors, PodMonitors, Probes and ScrapeConfigs. - Then the Operator adds namespace enforcement relabeling rule, specified in '.spec.enforcedNamespaceLabel'. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. 
- - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. 
- - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - name: - description: name of the scrape class. - minLength: 1 - type: string - relabelings: - description: |- - relabelings defines the relabeling rules to apply to all scrape targets. - - The Operator automatically adds relabelings for a few standard Kubernetes fields - like `__meta_kubernetes_namespace` and `__meta_kubernetes_service_name`. - Then the Operator adds the scrape class relabelings defined here. - Then the Operator adds the target-specific relabelings defined in the scrape object. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. 
- type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS settings to use for the scrape. When the - scrape objects define their own CA, certificate and/or key, they take - precedence over the corresponding scrape class fields. - - For now only the `caFile`, `certFile` and `keyFile` fields are supported. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - caFile: - description: caFile defines the path to the CA cert in the - Prometheus container to use for the targets. - type: string - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: certFile defines the path to the client cert - file in the Prometheus container for the targets. - type: string - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keyFile: - description: keyFile defines the path to the client key - file in the Prometheus container for the targets. - type: string - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - scrapeClassicHistograms: - description: |- - scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram. - - Notice: `scrapeClassicHistograms` corresponds to the `always_scrape_classic_histograms` field in the Prometheus configuration. - - It requires Prometheus >= v3.5.0. - type: boolean - scrapeConfigNamespaceSelector: - description: |- - scrapeConfigNamespaceSelector defines the namespaces to match for ScrapeConfig discovery. An empty label selector - matches all namespaces. A null label selector matches the current - namespace only. - - Note that the ScrapeConfig custom resource definition is currently at Alpha level. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - scrapeConfigSelector: - description: |- - scrapeConfigSelector defines the scrapeConfigs to be selected for target discovery. An empty label - selector matches all objects. A null label selector matches no objects. - - If `spec.serviceMonitorSelector`, `spec.podMonitorSelector`, `spec.probeSelector` - and `spec.scrapeConfigSelector` are null, the Prometheus configuration is unmanaged. - The Prometheus operator will ensure that the Prometheus configuration's - Secret exists, but it is the responsibility of the user to provide the raw - gzipped Prometheus configuration under the `prometheus.yaml.gz` key. - This behavior is *deprecated* and will be removed in the next major version - of the custom resource definition. It is recommended to use - `spec.additionalScrapeConfigs` instead. - - Note that the ScrapeConfig custom resource definition is currently at Alpha level. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - scrapeFailureLogFile: - description: |- - scrapeFailureLogFile defines the file to which scrape failures are logged. - Reloading the configuration will reopen the file. - - If the filename has an empty path, e.g. 'file.log', The Prometheus Pods - will mount the file into an emptyDir volume at `/var/log/prometheus`. - If a full path is provided, e.g. '/var/log/prometheus/file.log', you - must mount a volume in the specified directory and it must be writable. - It requires Prometheus >= v2.55.0. 
- minLength: 1 - type: string - scrapeInterval: - default: 30s - description: |- - scrapeInterval defines interval between consecutive scrapes. - - Default: "30s" - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - scrapeProtocols: - description: |- - scrapeProtocols defines the protocols to negotiate during a scrape. It tells clients the - protocols supported by Prometheus in order of preference (from most to least preferred). - - If unset, Prometheus uses its default value. - - It requires Prometheus >= v2.49.0. - - `PrometheusText1.0.0` requires Prometheus >= v3.0.0. - items: - description: |- - ScrapeProtocol represents a protocol used by Prometheus for scraping metrics. - Supported values are: - * `OpenMetricsText0.0.1` - * `OpenMetricsText1.0.0` - * `PrometheusProto` - * `PrometheusText0.0.4` - * `PrometheusText1.0.0` - enum: - - PrometheusProto - - OpenMetricsText0.0.1 - - OpenMetricsText1.0.0 - - PrometheusText0.0.4 - - PrometheusText1.0.0 - type: string - type: array - x-kubernetes-list-type: set - scrapeTimeout: - description: |- - scrapeTimeout defines the number of seconds to wait until a scrape request times out. - The value cannot be greater than the scrape interval otherwise the operator will reject the resource. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - secrets: - description: |- - secrets defines a list of Secrets in the same namespace as the Prometheus - object, which shall be mounted into the Prometheus Pods. - Each Secret is added to the StatefulSet definition as a volume named `secret-`. - The Secrets are mounted into /etc/prometheus/secrets/ in the 'prometheus' container. - items: - type: string - type: array - x-kubernetes-list-type: set - securityContext: - description: |- - securityContext holds pod-level security attributes and common container settings. 
- This defaults to the default PodSecurityContext. - properties: - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. 
- type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxChangePolicy: - description: |- - seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. - It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. - Valid values are "MountOption" and "Recursive". - - "Recursive" means relabeling of all files on all Pod volumes by the container runtime. - This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. - - "MountOption" mounts all eligible Pod volumes with `-o context` mount option. - This requires all Pods that share the same volume to use the same SELinux label. 
- It is not possible to share the same volume among privileged and unprivileged Pods. - Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes - whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their - CSIDriver instance. Other volumes are always re-labelled recursively. - "MountOption" value is allowed only when SELinuxMount feature gate is enabled. - - If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. - If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes - and "Recursive" for all other volumes. - - This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. - - All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. - Note that this field cannot be set when spec.os.name is windows. - type: string - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. 
- Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in - addition to the container's primary GID and fsGroup (if specified). If - the SupplementalGroupsPolicy feature is enabled, the - supplementalGroupsPolicy field determines whether these are in addition - to or instead of any group memberships defined in the container image. - If unspecified, no additional groups are added, though group memberships - defined in the container image may still be used, depending on the - supplementalGroupsPolicy field. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - description: |- - Defines how supplemental groups of the first container processes are calculated. - Valid values are "Merge" and "Strict". If not specified, "Merge" is used. - (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled - and the container runtime must implement support for this feature. - Note that this field cannot be set when spec.os.name is windows. 
- type: string - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA - credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - serviceAccountName: - description: |- - serviceAccountName is the name of the ServiceAccount to use to run the - Prometheus Pods. - type: string - serviceDiscoveryRole: - description: |- - serviceDiscoveryRole defines the service discovery role used to discover targets from - `ServiceMonitor` objects and Alertmanager endpoints. - - If set, the value should be either "Endpoints" or "EndpointSlice". - If unset, the operator assumes the "Endpoints" role. - enum: - - Endpoints - - EndpointSlice - type: string - serviceMonitorNamespaceSelector: - description: |- - serviceMonitorNamespaceSelector defines the namespaces to match for ServicedMonitors discovery. An empty label selector - matches all namespaces. A null label selector (default value) matches the current - namespace only. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - serviceMonitorSelector: - description: |- - serviceMonitorSelector defines the serviceMonitors to be selected for target discovery. An empty label - selector matches all objects. A null label selector matches no objects. - - If `spec.serviceMonitorSelector`, `spec.podMonitorSelector`, `spec.probeSelector` - and `spec.scrapeConfigSelector` are null, the Prometheus configuration is unmanaged. - The Prometheus operator will ensure that the Prometheus configuration's - Secret exists, but it is the responsibility of the user to provide the raw - gzipped Prometheus configuration under the `prometheus.yaml.gz` key. - This behavior is *deprecated* and will be removed in the next major version - of the custom resource definition. It is recommended to use - `spec.additionalScrapeConfigs` instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. 
If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - serviceName: - description: |- - serviceName defines the name of the service name used by the underlying StatefulSet(s) as the governing service. - If defined, the Service must be created before the Prometheus/PrometheusAgent resource in the same namespace and it must define a selector that matches the pod labels. - If empty, the operator will create and manage a headless service named `prometheus-operated` for Prometheus resources, - or `prometheus-agent-operated` for PrometheusAgent resources. - When deploying multiple Prometheus/PrometheusAgent resources in the same namespace, it is recommended to specify a different value for each. - See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-network-id for more details. - minLength: 1 - type: string - shards: - description: |- - shards defines the number of shards to distribute the scraped targets onto. - - `spec.replicas` multiplied by `spec.shards` is the total number of Pods - being created. - - When not defined, the operator assumes only one shard. - - Note that scaling down shards will not reshard data onto the remaining - instances, it must be manually moved. 
Increasing shards will not reshard - data either but it will continue to be available from the same - instances. To query globally, use either - * Thanos sidecar + querier for query federation and Thanos Ruler for rules. - * Remote-write to send metrics to a central location. - - By default, the sharding of targets is performed on: - * The `__address__` target's metadata label for PodMonitor, - ServiceMonitor and ScrapeConfig resources. - * The `__param_target__` label for Probe resources. - - Users can define their own sharding implementation by setting the - `__tmp_hash` label during the target discovery with relabeling - configuration (either in the monitoring resources or via scrape class). - - You can also disable sharding on a specific target by setting the - `__tmp_disable_sharding` label with relabeling configuration. When - the label value isn't empty, all Prometheus shards will scrape the target. - format: int32 - type: integer - storage: - description: storage defines the storage used by Prometheus. - properties: - disableMountSubPath: - description: 'disableMountSubPath deprecated: subPath usage will - be removed in a future release.' - type: boolean - emptyDir: - description: |- - emptyDir to be used by the StatefulSet. - If specified, it takes precedence over `ephemeral` and `volumeClaimTemplate`. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. 
- The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral to be used by the StatefulSet. - This is a beta field in k8s 1.21 and GA in 1.15. - For lower versions, starting with k8s 1.19, it requires enabling the GenericEphemeralVolume feature gate. - More info: https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. 
- properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. 
- type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. 
- If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes - to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to - the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - volumeClaimTemplate: - description: |- - volumeClaimTemplate defines the PVC spec to be used by the Prometheus StatefulSets. - The easiest way to use a volume that cannot be automatically provisioned - is to use a label selector alongside manually created PersistentVolumes. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - description: metadata defines EmbeddedMetadata contains metadata - relevant to an EmbeddedResource. - properties: - annotations: - additionalProperties: - type: string - description: |- - annotations defines an unstructured key value map stored with a resource that may be - set by external tools to store and retrieve arbitrary metadata. They are not - queryable and should be preserved when modifying objects. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - type: object - labels: - additionalProperties: - type: string - description: |- - labels define the map of string keys and values that can be used to organize and categorize - (scope and select) objects. May match selectors of replication controllers - and services. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - type: object - name: - description: |- - name must be unique within a namespace. Is required when creating resources, although - some resources may allow a client to request the generation of an appropriate name - automatically. Name is primarily intended for creation idempotence and configuration - definition. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/ - type: string - type: object - spec: - description: |- - spec defines the specification of the characteristics of a volume requested by a pod author. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. 
- This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. 
- (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to - consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. 
If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the - PersistentVolume backing this claim. - type: string - type: object - status: - description: 'status is deprecated: this field is never set.' - properties: - accessModes: - description: |- - accessModes contains the actual access modes the volume backing the PVC has. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - allocatedResourceStatuses: - additionalProperties: - description: |- - When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource - that it does not recognizes, then it should ignore that update and let other controllers - handle it. - type: string - description: "allocatedResourceStatuses stores status - of resource being resized for the given PVC.\nKey names - follow standard Kubernetes label syntax. 
Valid values - are either:\n\t* Un-prefixed keys:\n\t\t- storage - - the capacity of the volume.\n\t* Custom resources must - use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have - kubernetes.io prefix are considered\nreserved and hence - may not be used.\n\nClaimResourceStatus can be in any - of following states:\n\t- ControllerResizeInProgress:\n\t\tState - set when resize controller starts resizing the volume - in control-plane.\n\t- ControllerResizeFailed:\n\t\tState - set when resize has failed in resize controller with - a terminal error.\n\t- NodeResizePending:\n\t\tState - set when resize controller has finished resizing the - volume but further resizing of\n\t\tvolume is needed - on the node.\n\t- NodeResizeInProgress:\n\t\tState set - when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState - set when resizing has failed in kubelet with a terminal - error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor - example: if expanding a PVC for more capacity - this - field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeFailed\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizePending\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeFailed\"\nWhen this field is not set, - it means that no resize operation is in progress for - the given PVC.\n\nA controller that receives PVC update - with previously unknown resourceName or ClaimResourceStatus\nshould - ignore the update for the purpose it was designed. 
For - example - a controller that\nonly is responsible for - resizing capacity of the volume, should ignore PVC updates - that change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - x-kubernetes-map-type: granular - allocatedResources: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: "allocatedResources tracks the resources - allocated to a PVC including its capacity.\nKey names - follow standard Kubernetes label syntax. Valid values - are either:\n\t* Un-prefixed keys:\n\t\t- storage - - the capacity of the volume.\n\t* Custom resources must - use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have - kubernetes.io prefix are considered\nreserved and hence - may not be used.\n\nCapacity reported here may be larger - than the actual capacity when a volume expansion operation\nis - requested.\nFor storage quota, the larger value from - allocatedResources and PVC.spec.resources is used.\nIf - allocatedResources is not set, PVC.spec.resources alone - is used for quota calculation.\nIf a volume expansion - capacity request is lowered, allocatedResources is only\nlowered - if there are no expansion operations in progress and - if the actual volume capacity\nis equal or lower than - the requested capacity.\n\nA controller that receives - PVC update with previously unknown resourceName\nshould - ignore the update for the purpose it was designed. 
For - example - a controller that\nonly is responsible for - resizing capacity of the volume, should ignore PVC updates - that change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - capacity: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: capacity represents the actual resources - of the underlying volume. - type: object - conditions: - description: |- - conditions is the current Condition of persistent volume claim. If underlying persistent volume is being - resized then the Condition will be set to 'Resizing'. - items: - description: PersistentVolumeClaimCondition contains - details about state of pvc - properties: - lastProbeTime: - description: lastProbeTime is the time we probed - the condition. - format: date-time - type: string - lastTransitionTime: - description: lastTransitionTime is the time the - condition transitioned from one status to another. - format: date-time - type: string - message: - description: message is the human-readable message - indicating details about last transition. - type: string - reason: - description: |- - reason is a unique, this should be a short, machine understandable string that gives the reason - for condition's last transition. If it reports "Resizing" that means the underlying - persistent volume is being resized. - type: string - status: - description: |- - Status is the status of the condition. - Can be True, False, Unknown. - More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=state%20of%20pvc-,conditions.status,-(string)%2C%20required - type: string - type: - description: |- - Type is the type of the condition. 
- More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=set%20to%20%27ResizeStarted%27.-,PersistentVolumeClaimCondition,-contains%20details%20about - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - currentVolumeAttributesClassName: - description: |- - currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. - When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim - type: string - modifyVolumeStatus: - description: |- - ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. - When this is unset, there is no ModifyVolume operation being attempted. - properties: - status: - description: "status is the status of the ControllerModifyVolume - operation. It can be in any of following states:\n - - Pending\n Pending indicates that the PersistentVolumeClaim - cannot be modified due to unmet requirements, such - as\n the specified VolumeAttributesClass not existing.\n - - InProgress\n InProgress indicates that the volume - is being modified.\n - Infeasible\n Infeasible - indicates that the request has been rejected as - invalid by the CSI driver. To\n\t resolve the error, - a valid VolumeAttributesClass needs to be specified.\nNote: - New statuses can be added in the future. Consumers - should check for unknown statuses and fail appropriately." - type: string - targetVolumeAttributesClassName: - description: targetVolumeAttributesClassName is the - name of the VolumeAttributesClass the PVC currently - being reconciled - type: string - required: - - status - type: object - phase: - description: phase represents the current phase of PersistentVolumeClaim. 
- type: string - type: object - type: object - type: object - targetLimit: - description: |- - targetLimit defines a limit on the number of scraped targets that will be accepted. - Only valid in Prometheus versions 2.45.0 and newer. - - Note that the global limit only applies to scrape objects that don't specify an explicit limit value. - If you want to enforce a maximum limit for all scrape objects, refer to enforcedTargetLimit. - format: int64 - type: integer - terminationGracePeriodSeconds: - description: |- - terminationGracePeriodSeconds defines the optional duration in seconds the pod needs to terminate gracefully. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down) which may lead to data corruption. - - Defaults to 600 seconds. - format: int64 - minimum: 0 - type: integer - tolerations: - description: tolerations defines the Pods' tolerations if specified. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. 
- type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - description: topologySpreadConstraints defines the pod's topology - spread constraints if specified. - items: - properties: - additionalLabelSelectors: - description: additionalLabelSelectors Defines what Prometheus - Operator managed labels should be added to labelSelector on - the topologySpreadConstraint. - enum: - - OnResource - - OnShard - type: string - labelSelector: - description: |- - LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine the number of pods - in their corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select the pods over which - spreading will be calculated. The keys are used to lookup values from the - incoming pod labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading will be calculated - for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't set. - Keys that don't exist in the incoming pod labels will - be ignored. A null or empty list means only match against labelSelector. - - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - description: |- - MaxSkew describes the degree to which pods may be unevenly distributed. - When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference - between the number of matching pods in the target topology and the global minimum. - The global minimum is the minimum number of matching pods in an eligible domain - or zero if the number of eligible domains is less than MinDomains. 
- For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 2/2/1: - In this case, the global minimum is 1. - | zone1 | zone2 | zone3 | - | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; - scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - - if MaxSkew is 2, incoming pod can be scheduled onto any zone. - When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence - to topologies that satisfy it. - It's a required field. Default value is 1 and 0 is not allowed. - format: int32 - type: integer - minDomains: - description: |- - MinDomains indicates a minimum number of eligible domains. - When the number of eligible domains with matching topology keys is less than minDomains, - Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. - And when the number of eligible domains with matching topology keys equals or greater than minDomains, - this value has no effect on scheduling. - As a result, when the number of eligible domains is less than minDomains, - scheduler won't schedule more than maxSkew Pods to those domains. - If value is nil, the constraint behaves as if MinDomains is equal to 1. - Valid values are integers greater than 0. - When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same - labelSelector spread as 2/2/2: - | zone1 | zone2 | zone3 | - | P P | P P | P P | - The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. - In this situation, new pod with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. 
- format: int32 - type: integer - nodeAffinityPolicy: - description: |- - NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. Options are: - - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - - If this value is nil, the behavior is equivalent to the Honor policy. - type: string - nodeTaintsPolicy: - description: |- - NodeTaintsPolicy indicates how we will treat node taints when calculating - pod topology spread skew. Options are: - - Honor: nodes without taints, along with tainted nodes for which the incoming pod - has a toleration, are included. - - Ignore: node taints are ignored. All nodes are included. - - If this value is nil, the behavior is equivalent to the Ignore policy. - type: string - topologyKey: - description: |- - TopologyKey is the key of node labels. Nodes that have a label with this key - and identical values are considered to be in the same topology. - We consider each as a "bucket", and try to put balanced number - of pods into each bucket. - We define a domain as a particular instance of a topology. - Also, we define an eligible domain as a domain whose nodes meet the requirements of - nodeAffinityPolicy and nodeTaintsPolicy. - e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. - And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. - It's a required field. - type: string - whenUnsatisfiable: - description: |- - WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy - the spread constraint. - - DoNotSchedule (default) tells the scheduler not to schedule it. - - ScheduleAnyway tells the scheduler to schedule the pod in any location, - but giving higher precedence to topologies that would help reduce the - skew. 
- A constraint is considered "Unsatisfiable" for an incoming pod - if and only if every possible node assignment for that pod would violate - "MaxSkew" on some topology. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: - | zone1 | zone2 | zone3 | - | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled - to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler - won't make it *more* imbalanced. - It's a required field. - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - tracingConfig: - description: |- - tracingConfig defines tracing in Prometheus. - - This is an *experimental feature*, it may change in any upcoming release - in a breaking way. - properties: - clientType: - description: clientType defines the client used to export the - traces. Supported values are `http` or `grpc`. - enum: - - http - - grpc - type: string - compression: - description: compression key for supported compression types. - The only supported value is `gzip`. - enum: - - gzip - type: string - endpoint: - description: endpoint to send the traces to. Should be provided - in format :. - minLength: 1 - type: string - headers: - additionalProperties: - type: string - description: headers defines the key-value pairs to be used as - headers associated with gRPC or HTTP requests. - type: object - insecure: - description: insecure if disabled, the client will use a secure - connection. - type: boolean - samplingFraction: - anyOf: - - type: integer - - type: string - description: samplingFraction defines the probability a given - trace will be sampled. Must be a float from 0 through 1. 
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - timeout: - description: timeout defines the maximum time the exporter will - wait for each batch export. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - tlsConfig: - description: tlsConfig to use when sending traces. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - caFile: - description: caFile defines the path to the CA cert in the - Prometheus container to use for the targets. - type: string - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: certFile defines the path to the client cert - file in the Prometheus container for the targets. - type: string - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keyFile: - description: keyFile defines the path to the client key file - in the Prometheus container for the targets. - type: string - keySecret: - description: keySecret defines the Secret containing the client - key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. 
- type: string - type: object - required: - - endpoint - type: object - tsdb: - description: |- - tsdb defines the runtime reloadable configuration of the timeseries database(TSDB). - It requires Prometheus >= v2.39.0 or PrometheusAgent >= v2.54.0. - properties: - outOfOrderTimeWindow: - description: |- - outOfOrderTimeWindow defines how old an out-of-order/out-of-bounds sample can be with - respect to the TSDB max time. - - An out-of-order/out-of-bounds sample is ingested into the TSDB as long as - the timestamp of the sample is >= (TSDB.MaxTime - outOfOrderTimeWindow). - - This is an *experimental feature*, it may change in any upcoming release - in a breaking way. - - It requires Prometheus >= v2.39.0 or PrometheusAgent >= v2.54.0. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - type: object - version: - description: |- - version of Prometheus being deployed. The operator uses this information - to generate the Prometheus StatefulSet + configuration files. - - If not specified, the operator assumes the latest upstream version of - Prometheus available at the time when the version of the operator was - released. - type: string - volumeMounts: - description: |- - volumeMounts allows the configuration of additional VolumeMounts. - - VolumeMounts will be appended to other VolumeMounts in the 'prometheus' - container, that are generated as a result of StorageSpec objects. - items: - description: VolumeMount describes a mounting of a Volume within - a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. 
- When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - volumes: - description: |- - volumes allows the configuration of additional volumes on the output - StatefulSet definition. 
Volumes specified will be appended to other - volumes that are generated as a result of StorageSpec objects. - items: - description: Volume represents a named volume in a pod that may - be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree - awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: |- - azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. - Deprecated: AzureDisk is deprecated. 
All operations for the in-tree azureDisk type - are redirected to the disk.csi.azure.com CSI driver. - properties: - cachingMode: - description: 'cachingMode is the Host Caching mode: None, - Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data disk in the - blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in the blob - storage - type: string - fsType: - default: ext4 - description: |- - fsType is Filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: multiple - blob disks per storage account Dedicated: single blob - disk per storage account Managed: azure managed data - disk (only in managed availability set). defaults to shared' - type: string - readOnly: - default: false - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: |- - azureFile represents an Azure File Service mount on the host and bind mount to the pod. - Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type - are redirected to the file.csi.azure.com CSI driver. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: secretName is the name of secret that contains - Azure Storage Account Name and Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: |- - cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. 
- Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - path: - description: 'path is Optional: Used as the mounted root, - rather than the full Ceph tree, default is /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - Deprecated: Cinder is deprecated. 
All operations for the in-tree cinder type - are redirected to the cinder.csi.openstack.org CSI driver. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that should populate - this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap or its - keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents ephemeral - storage that is handled by certain external CSI drivers. - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. 
- type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about the pod - that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume file - items: - description: DownwardAPIVolumeFile represents information - to create the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects a field of the pod: - only annotations, labels, name, namespace and uid - are supported.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: 'Required: Path is the relative path - name of the file to be created. Must not be absolute - or contain the ''..'' path. Must be utf-8 encoded. - The first item of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. 
- The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. - The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. 
Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. 
- When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. 
- * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes - to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. 
- Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource that is - attached to a kubelet's host machine and then exposed to the - pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target worldwide - names (WWNs)' - items: - type: string - type: array - x-kubernetes-list-type: atomic - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. - properties: - driver: - description: driver is the name of the driver to use for - this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
- type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field holds extra - command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: |- - flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. - Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. This - is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: GCEPersistentDisk is deprecated. 
All operations for the in-tree - gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. 
Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the specified - revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. - Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - properties: - endpoints: - description: endpoints is the endpoint name that details - Glusterfs topology. - type: string - path: - description: |- - path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - image: - description: |- - image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. - The volume is resolved at pod startup depending on which PullPolicy value is provided: - - - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - - The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. - A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. - The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. - The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. - The volume will be mounted read-only (ro) and non-executable files (noexec). - Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. - The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. 
- properties: - pullPolicy: - description: |- - Policy for pulling OCI objects. Possible values are: - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - type: string - reference: - description: |- - Required: Image or artifact reference to be used. - Behaves in the same way as pod.spec.containers[*].image. - Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether support iSCSI - Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support iSCSI - Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified Name. - type: string - iscsiInterface: - default: default - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - x-kubernetes-list-type: atomic - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for iSCSI target - and initiator authentication - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: |- - photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. - Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. 
"ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon Controller - persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: |- - portworxVolume represents a portworx volume attached and mounted on kubelets host machine. - Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type - are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate - is on. - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources secrets, - configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: |- - sources is the list of volume projections. Each entry in this list - handles one source. - items: - description: |- - Projection that may be projected along with other supported volume types. - Exactly one of these fields must be set. 
- properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the volume root - to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about the configMap - data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. 
Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about the downwardAPI - data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a field - of the pod: only annotations, labels, - name, namespace and uid are supported.' 
- properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, - defaults to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' - path. Must be utf-8 encoded. The first - item of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults - to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to - select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podCertificate: - description: |- - Projects an auto-rotating credential bundle (private key and certificate - chain) that the pod can use either as a TLS client or server. - - Kubelet generates a private key and uses it to send a - PodCertificateRequest to the named signer. Once the signer approves the - request and issues a certificate chain, Kubelet writes the key and - certificate chain to the pod filesystem. The pod does not start until - certificates have been issued for each podCertificate projected volume - source in its spec. - - Kubelet will begin trying to rotate the certificate at the time indicated - by the signer using the PodCertificateRequest.Status.BeginRefreshAt - timestamp. - - Kubelet can write a single file, indicated by the credentialBundlePath - field, or separate files, indicated by the keyPath and - certificateChainPath fields. - - The credential bundle is a single file in PEM format. The first PEM - entry is the private key (in PKCS#8 format), and the remaining PEM - entries are the certificate chain issued by the signer (typically, - signers will return their certificate chain in leaf-to-root order). - - Prefer using the credential bundle format, since your application code - can read it atomically. 
If you use keyPath and certificateChainPath, - your application must make two separate file reads. If these coincide - with a certificate rotation, it is possible that the private key and leaf - certificate you read may not correspond to each other. Your application - will need to check for this condition, and re-read until they are - consistent. - - The named signer controls chooses the format of the certificate it - issues; consult the signer implementation's documentation to learn how to - use the certificates it issues. - properties: - certificateChainPath: - description: |- - Write the certificate chain at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - credentialBundlePath: - description: |- - Write the credential bundle at this path in the projected volume. - - The credential bundle is a single file that contains multiple PEM blocks. - The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private - key. - - The remaining blocks are CERTIFICATE blocks, containing the issued - certificate chain from the signer (leaf and any intermediates). - - Using credentialBundlePath lets your Pod's application code make a single - atomic read that retrieves a consistent key and certificate chain. If you - project them to separate files, your application code will need to - additionally check that the leaf certificate was issued to the key. - type: string - keyPath: - description: |- - Write the key at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. 
- type: string - keyType: - description: |- - The type of keypair Kubelet will generate for the pod. - - Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", - "ECDSAP521", and "ED25519". - type: string - maxExpirationSeconds: - description: |- - maxExpirationSeconds is the maximum lifetime permitted for the - certificate. - - Kubelet copies this value verbatim into the PodCertificateRequests it - generates for this projection. - - If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver - will reject values shorter than 3600 (1 hour). The maximum allowable - value is 7862400 (91 days). - - The signer implementation is then free to issue a certificate with any - lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 - seconds (1 hour). This constraint is enforced by kube-apiserver. - `kubernetes.io` signers will never issue certificates with a lifetime - longer than 24 hours. - format: int32 - type: integer - signerName: - description: Kubelet's generated CSRs will be - addressed to this signer. - type: string - required: - - keyType - - signerName - type: object - secret: - description: secret information about the secret data - to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. 
- Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify whether the - Secret or its key must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information about - the serviceAccountToken data to project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. 
The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - quobyte: - description: |- - quobyte represents a Quobyte mount on the host that shares a pod's lifetime. - Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. - type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references an already - created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. - Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. 
- Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - default: /etc/ceph/keyring - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - pool: - default: rbd - description: |- - pool is the rados pool name. - Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - default: admin - description: |- - user is the rados user name. - Default is admin. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: |- - scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. - Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. - properties: - fsType: - default: xfs - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the ScaleIO - API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the ScaleIO - Protection Domain for the configured storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL communication - with Gateway, default false - type: boolean - storageMode: - default: ThinProvisioned - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage Pool associated - with the protection domain. 
- type: string - system: - description: system is the name of the storage system as - configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
- YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret or - its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: |- - storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. - Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: |- - vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. - Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type - are redirected to the csi.vsphere.vmware.com CSI driver. - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy Based - Management (SPBM) profile ID associated with the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage Policy Based - Management (SPBM) profile name. - type: string - volumePath: - description: volumePath is the path that identifies vSphere - volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - walCompression: - description: |- - walCompression defines the compression of the write-ahead log (WAL) using Snappy. 
- - WAL compression is enabled by default for Prometheus >= 2.20.0 - - Requires Prometheus v2.11.0 and above. - type: boolean - web: - description: web defines the configuration of the Prometheus web server. - properties: - httpConfig: - description: httpConfig defines HTTP parameters for web server. - properties: - headers: - description: headers defines a list of headers that can be - added to HTTP responses. - properties: - contentSecurityPolicy: - description: |- - contentSecurityPolicy defines the Content-Security-Policy header to HTTP responses. - Unset if blank. - type: string - strictTransportSecurity: - description: |- - strictTransportSecurity defines the Strict-Transport-Security header to HTTP responses. - Unset if blank. - Please make sure that you use this with care as this header might force - browsers to load Prometheus and the other applications hosted on the same - domain and subdomains over HTTPS. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security - type: string - xContentTypeOptions: - description: |- - xContentTypeOptions defines the X-Content-Type-Options header to HTTP responses. - Unset if blank. Accepted value is nosniff. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options - enum: - - "" - - NoSniff - type: string - xFrameOptions: - description: |- - xFrameOptions defines the X-Frame-Options header to HTTP responses. - Unset if blank. Accepted values are deny and sameorigin. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options - enum: - - "" - - Deny - - SameOrigin - type: string - xXSSProtection: - description: |- - xXSSProtection defines the X-XSS-Protection header to all responses. - Unset if blank. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection - type: string - type: object - http2: - description: |- - http2 enable HTTP/2 support. Note that HTTP/2 is only supported with TLS. 
- When TLSConfig is not configured, HTTP/2 will be disabled. - Whenever the value of the field changes, a rolling update will be triggered. - type: boolean - type: object - maxConnections: - description: |- - maxConnections defines the maximum number of simultaneous connections - A zero value means that Prometheus doesn't accept any incoming connection. - format: int32 - minimum: 0 - type: integer - pageTitle: - description: pageTitle defines the prometheus web page title. - type: string - tlsConfig: - description: tlsConfig defines the TLS parameters for HTTPS. - properties: - cert: - description: |- - cert defines the Secret or ConfigMap containing the TLS certificate for the web server. - - Either `keySecret` or `keyFile` must be defined. - - It is mutually exclusive with `certFile`. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: |- - certFile defines the path to the TLS certificate file in the container for the web server. - - Either `keySecret` or `keyFile` must be defined. - - It is mutually exclusive with `cert`. - type: string - cipherSuites: - description: |- - cipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2. - - If not defined, the Go default cipher suites are used. - Available cipher suites are documented in the Go documentation: - https://golang.org/pkg/crypto/tls/#pkg-constants - items: - type: string - type: array - client_ca: - description: |- - client_ca defines the Secret or ConfigMap containing the CA certificate for client certificate - authentication to the server. - - It is mutually exclusive with `clientCAFile`. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientAuthType: - description: |- - clientAuthType defines the server policy for client TLS authentication. - - For more detail on clientAuth options: - https://golang.org/pkg/crypto/tls/#ClientAuthType - type: string - clientCAFile: - description: |- - clientCAFile defines the path to the CA certificate file for client certificate authentication to - the server. - - It is mutually exclusive with `client_ca`. - type: string - curvePreferences: - description: |- - curvePreferences defines elliptic curves that will be used in an ECDHE handshake, in preference - order. - - Available curves are documented in the Go documentation: - https://golang.org/pkg/crypto/tls/#CurveID - items: - type: string - type: array - keyFile: - description: |- - keyFile defines the path to the TLS private key file in the container for the web server. - - If defined, either `cert` or `certFile` must be defined. - - It is mutually exclusive with `keySecret`. - type: string - keySecret: - description: |- - keySecret defines the secret containing the TLS private key for the web server. - - Either `cert` or `certFile` must be defined. - - It is mutually exclusive with `keyFile`. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: maxVersion defines the Maximum TLS version that - is acceptable. - type: string - minVersion: - description: minVersion defines the minimum TLS version that - is acceptable. - type: string - preferServerCipherSuites: - description: |- - preferServerCipherSuites defines whether the server selects the client's most preferred cipher - suite, or the server's most preferred cipher suite. - - If true then the server's preference, as expressed in - the order of elements in cipherSuites, is used. - type: boolean - type: object - type: object - type: object - x-kubernetes-validations: - - message: replicas cannot be set when mode is DaemonSet - rule: '!(has(self.mode) && self.mode == ''DaemonSet'' && has(self.replicas))' - - message: storage cannot be set when mode is DaemonSet - rule: '!(has(self.mode) && self.mode == ''DaemonSet'' && has(self.storage))' - - message: shards cannot be greater than 1 when mode is DaemonSet - rule: '!(has(self.mode) && self.mode == ''DaemonSet'' && has(self.shards) - && self.shards > 1)' - - message: persistentVolumeClaimRetentionPolicy cannot be set when mode - is DaemonSet - rule: '!(has(self.mode) && self.mode == ''DaemonSet'' && has(self.persistentVolumeClaimRetentionPolicy))' - - message: scrapeConfigSelector cannot be set when mode is DaemonSet - rule: '!(has(self.mode) && self.mode == ''DaemonSet'' && has(self.scrapeConfigSelector))' - - message: probeSelector cannot be set when mode is DaemonSet - rule: '!(has(self.mode) && self.mode == ''DaemonSet'' && has(self.probeSelector))' - status: - description: |- - status defines the most recent observed status of the 
Prometheus cluster. Read-only. - More info: - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - availableReplicas: - description: |- - availableReplicas defines the total number of available pods (ready for at least minReadySeconds) - targeted by this Prometheus deployment. - format: int32 - type: integer - conditions: - description: conditions defines the current state of the Prometheus - deployment. - items: - description: |- - Condition represents the state of the resources associated with the - Prometheus, Alertmanager or ThanosRuler resource. - properties: - lastTransitionTime: - description: lastTransitionTime is the time of the last update - to the current status property. - format: date-time - type: string - message: - description: message defines human-readable message indicating - details for the condition's last transition. - type: string - observedGeneration: - description: |- - observedGeneration defines the .metadata.generation that the - condition was set based upon. For instance, if `.metadata.generation` is - currently 12, but the `.status.conditions[].observedGeneration` is 9, the - condition is out of date with respect to the current state of the - instance. - format: int64 - type: integer - reason: - description: reason for the condition's last transition. - type: string - status: - description: status of the condition. - minLength: 1 - type: string - type: - description: type of the condition being reported. - minLength: 1 - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - paused: - description: |- - paused defines whether any actions on the underlying managed objects are - being performed. Only delete actions will be performed. 
- type: boolean - replicas: - description: |- - replicas defines the total number of non-terminated pods targeted by this Prometheus deployment - (their labels match the selector). - format: int32 - type: integer - selector: - description: selector used to match the pods targeted by this Prometheus - resource. - type: string - shardStatuses: - description: shardStatuses defines the list has one entry per shard. - Each entry provides a summary of the shard status. - items: - properties: - availableReplicas: - description: |- - availableReplicas defines the total number of available pods (ready for at least minReadySeconds) - targeted by this shard. - format: int32 - type: integer - replicas: - description: replicas defines the total number of pods targeted - by this shard. - format: int32 - type: integer - shardID: - description: shardID defines the identifier of the shard. - type: string - unavailableReplicas: - description: unavailableReplicas defines the Total number of - unavailable pods targeted by this shard. - format: int32 - type: integer - updatedReplicas: - description: |- - updatedReplicas defines the total number of non-terminated pods targeted by this shard - that have the desired spec. - format: int32 - type: integer - required: - - availableReplicas - - replicas - - shardID - - unavailableReplicas - - updatedReplicas - type: object - type: array - x-kubernetes-list-map-keys: - - shardID - x-kubernetes-list-type: map - shards: - description: shards defines the most recently observed number of shards. - format: int32 - type: integer - unavailableReplicas: - description: unavailableReplicas defines the total number of unavailable - pods targeted by this Prometheus deployment. - format: int32 - type: integer - updatedReplicas: - description: |- - updatedReplicas defines the total number of non-terminated pods targeted by this Prometheus deployment - that have the desired version spec. 
- format: int32 - type: integer - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - scale: - labelSelectorPath: .status.selector - specReplicasPath: .spec.shards - statusReplicasPath: .status.shards - status: {} ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-prometheuses.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - operator.prometheus.io/version: 0.87.0 - name: prometheuses.monitoring.coreos.com -spec: - group: monitoring.coreos.com - names: - categories: - - prometheus-operator - kind: Prometheus - listKind: PrometheusList - plural: prometheuses - shortNames: - - prom - singular: prometheus - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The version of Prometheus - jsonPath: .spec.version - name: Version - type: string - - description: The number of desired replicas - jsonPath: .spec.replicas - name: Desired - type: integer - - description: The number of ready replicas - jsonPath: .status.availableReplicas - name: Ready - type: integer - - jsonPath: .status.conditions[?(@.type == 'Reconciled')].status - name: Reconciled - type: string - - jsonPath: .status.conditions[?(@.type == 'Available')].status - name: Available - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Whether the resource reconciliation is paused or not - jsonPath: .status.paused - name: Paused - priority: 1 - type: boolean - name: v1 - schema: - openAPIV3Schema: - description: |- - The `Prometheus` custom resource definition (CRD) defines a desired [Prometheus](https://prometheus.io/docs/prometheus) setup to run in a Kubernetes cluster. It allows to specify many options such as the number of replicas, persistent storage, and Alertmanagers where firing alerts should be sent and many more. 
- - For each `Prometheus` resource, the Operator deploys one or several `StatefulSet` objects in the same namespace. The number of StatefulSets is equal to the number of shards which is 1 by default. - - The resource defines via label and namespace selectors which `ServiceMonitor`, `PodMonitor`, `Probe` and `PrometheusRule` objects should be associated to the deployed Prometheus instances. - - The Operator continuously reconciles the scrape and rules configuration and a sidecar container running in the Prometheus pods triggers a reload of the configuration when needed. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec defines the specification of the desired behavior of the Prometheus cluster. More info: - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - additionalAlertManagerConfigs: - description: |- - additionalAlertManagerConfigs defines a key of a Secret containing - additional Prometheus Alertmanager configurations. The Alertmanager - configurations are appended to the configuration generated by the - Prometheus Operator. 
They must be formatted according to the official - Prometheus documentation: - - https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config - - The user is responsible for making sure that the configurations are valid - - Note that using this feature may expose the possibility to break - upgrades of Prometheus. It is advised to review Prometheus release notes - to ensure that no incompatible AlertManager configs are going to break - Prometheus after the upgrade. - properties: - key: - description: The key of the secret to select from. Must be a - valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - additionalAlertRelabelConfigs: - description: |- - additionalAlertRelabelConfigs defines a key of a Secret containing - additional Prometheus alert relabel configurations. The alert relabel - configurations are appended to the configuration generated by the - Prometheus Operator. They must be formatted according to the official - Prometheus documentation: - - https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alert_relabel_configs - - The user is responsible for making sure that the configurations are valid - - Note that using this feature may expose the possibility to break - upgrades of Prometheus. It is advised to review Prometheus release notes - to ensure that no incompatible alert relabel configs are going to break - Prometheus after the upgrade. - properties: - key: - description: The key of the secret to select from. 
Must be a - valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - additionalArgs: - description: |- - additionalArgs allows setting additional arguments for the 'prometheus' container. - - It is intended for e.g. activating hidden flags which are not supported by - the dedicated configuration options yet. The arguments are passed as-is to the - Prometheus container which may cause issues if they are invalid or not supported - by the given Prometheus version. - - In case of an argument conflict (e.g. an argument which is already set by the - operator itself) or when providing an invalid argument, the reconciliation will - fail and an error will be logged. - items: - description: Argument as part of the AdditionalArgs list. - properties: - name: - description: name of the argument, e.g. "scrape.discovery-reload-interval". - minLength: 1 - type: string - value: - description: value defines the argument value, e.g. 30s. Can - be empty for name-only arguments (e.g. --storage.tsdb.no-lockfile) - type: string - required: - - name - type: object - type: array - additionalScrapeConfigs: - description: |- - additionalScrapeConfigs allows specifying a key of a Secret containing - additional Prometheus scrape configurations. Scrape configurations - specified are appended to the configurations generated by the Prometheus - Operator. 
Job configurations specified must have the form as specified - in the official Prometheus documentation: - https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config. - As scrape configs are appended, the user is responsible to make sure it - is valid. Note that using this feature may expose the possibility to - break upgrades of Prometheus. It is advised to review Prometheus release - notes to ensure that no incompatible scrape configs are going to break - Prometheus after the upgrade. - properties: - key: - description: The key of the secret to select from. Must be a - valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - affinity: - description: affinity defines the Pods' affinity scheduling rules - if specified. - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the - pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the - corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. 
- properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding - nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate - this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. 
The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. 
due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. - avoid putting this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - alerting: - description: alerting defines the settings related to Alertmanager. - properties: - alertmanagers: - description: alertmanagers endpoints where Prometheus should send - alerts to. - items: - description: |- - AlertmanagerEndpoints defines a selection of a single Endpoints object - containing Alertmanager IPs to fire alerts against. - properties: - alertRelabelings: - description: |- - alertRelabelings defines the relabeling configs applied before sending alerts to a specific Alertmanager. - It requires Prometheus >= v2.51.0. - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. 
- - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression - against which the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between - concatenated SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - apiVersion: - description: |- - apiVersion defines the version of the Alertmanager API that Prometheus uses to send alerts. - It can be "V1" or "V2". 
- The field has no effect for Prometheus >= v3.0.0 because only the v2 API is supported. - enum: - - v1 - - V1 - - v2 - - V2 - type: string - authorization: - description: |- - authorization section for Alertmanager. - - Cannot be set at the same time as `basicAuth`, `bearerTokenFile` or `sigv4`. - properties: - credentials: - description: credentials defines a key of a Secret in - the namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth configuration for Alertmanager. - - Cannot be set at the same time as `bearerTokenFile`, `authorization` or `sigv4`. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenFile: - description: |- - bearerTokenFile defines the file to read bearer token for Alertmanager. - - Cannot be set at the same time as `basicAuth`, `authorization`, or `sigv4`. - - Deprecated: this will be removed in a future release. Prefer using `authorization`. - type: string - enableHttp2: - description: enableHttp2 defines whether to enable HTTP2. - type: boolean - name: - description: name of the Endpoints object in the namespace. - minLength: 1 - type: string - namespace: - description: |- - namespace of the Endpoints object. - - If not set, the object will be discovered in the namespace of the - Prometheus object. - minLength: 1 - type: string - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. 
- - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - pathPrefix: - description: pathPrefix defines the prefix for the HTTP - path alerts are pushed to. - minLength: 1 - type: string - port: - anyOf: - - type: integer - - type: string - description: port on which the Alertmanager API is exposed. - x-kubernetes-int-or-string: true - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - relabelings: - description: relabelings defines the relabel configuration - applied to the discovered Alertmanagers. 
- items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression - against which the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between - concatenated SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. 
- type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - scheme: - description: scheme defines the HTTP scheme to use when - sending alerts. - enum: - - http - - https - - HTTP - - HTTPS - type: string - sigv4: - description: |- - sigv4 defines AWS's Signature Verification 4 for the URL. - - It requires Prometheus >= v2.48.0. - - Cannot be set at the same time as `basicAuth`, `bearerTokenFile` or `authorization`. - properties: - accessKey: - description: |- - accessKey defines the AWS API key. If not specified, the environment variable - `AWS_ACCESS_KEY_ID` is used. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - profile: - description: profile defines the named AWS profile used - to authenticate. - type: string - region: - description: region defines the AWS region. If blank, - the region from the default credentials chain used. - type: string - roleArn: - description: roleArn defines the named AWS profile used - to authenticate. - type: string - secretKey: - description: |- - secretKey defines the AWS API secret. If not specified, the environment - variable `AWS_SECRET_ACCESS_KEY` is used. 
- properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - useFIPSSTSEndpoint: - description: |- - useFIPSSTSEndpoint defines the FIPS mode for the AWS STS endpoint. - It requires Prometheus >= v2.54.0. - type: boolean - type: object - timeout: - description: timeout defines a per-target Alertmanager timeout - when pushing alerts. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - tlsConfig: - description: tlsConfig to use for Alertmanager. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - caFile: - description: caFile defines the path to the CA cert - in the Prometheus container to use for the targets. - type: string - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: certFile defines the path to the client - cert file in the Prometheus container for the targets. - type: string - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keyFile: - description: keyFile defines the path to the client - key file in the Prometheus container for the targets. - type: string - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - required: - - name - - port - type: object - type: array - required: - - alertmanagers - type: object - allowOverlappingBlocks: - description: |- - allowOverlappingBlocks enables vertical compaction and vertical query - merge in Prometheus. - - Deprecated: this flag has no effect for Prometheus >= 2.39.0 where overlapping blocks are enabled by default. - type: boolean - apiserverConfig: - description: |- - apiserverConfig allows specifying a host and auth methods to access the - Kuberntees API server. - If null, Prometheus is assumed to run inside of the cluster: it will - discover the API servers automatically and use the Pod's CA certificate - and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/. - properties: - authorization: - description: |- - authorization section for the API server. - - Cannot be set at the same time as `basicAuth`, `bearerToken`, or - `bearerTokenFile`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - credentialsFile: - description: credentialsFile defines the file to read a secret - from, mutually exclusive with `credentials`. - type: string - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth configuration for the API server. - - Cannot be set at the same time as `authorization`, `bearerToken`, or - `bearerTokenFile`. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. 
Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerToken: - description: |- - bearerToken is deprecated: this will be removed in a future release. - *Warning: this field shouldn't be used because the token value appears - in clear-text. Prefer using `authorization`.* - type: string - bearerTokenFile: - description: |- - bearerTokenFile defines the file to read bearer token for accessing apiserver. - - Cannot be set at the same time as `basicAuth`, `authorization`, or `bearerToken`. - - Deprecated: this will be removed in a future release. Prefer using `authorization`. - type: string - host: - description: |- - host defines the Kubernetes API address consisting of a hostname or IP address followed - by an optional port number. - type: string - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - tlsConfig: - description: tlsConfig to use for the API server. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - caFile: - description: caFile defines the path to the CA cert in the - Prometheus container to use for the targets. - type: string - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: certFile defines the path to the client cert - file in the Prometheus container for the targets. - type: string - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keyFile: - description: keyFile defines the path to the client key file - in the Prometheus container for the targets. - type: string - keySecret: - description: keySecret defines the Secret containing the client - key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - required: - - host - type: object - arbitraryFSAccessThroughSMs: - description: |- - arbitraryFSAccessThroughSMs when true, ServiceMonitor, PodMonitor and Probe object are forbidden to - reference arbitrary files on the file system of the 'prometheus' - container. - When a ServiceMonitor's endpoint specifies a `bearerTokenFile` value - (e.g. '/var/run/secrets/kubernetes.io/serviceaccount/token'), a - malicious target can get access to the Prometheus service account's - token in the Prometheus' scrape request. Setting - `spec.arbitraryFSAccessThroughSM` to 'true' would prevent the attack. - Users should instead provide the credentials using the - `spec.bearerTokenSecret` field. - properties: - deny: - description: |- - deny prevents service monitors from accessing arbitrary files on the file system. - When true, service monitors cannot use file-based configurations like BearerTokenFile - that could potentially access sensitive files. When false (default), such access is allowed. - Setting this to true enhances security by preventing potential credential theft attacks. 
- type: boolean - type: object - automountServiceAccountToken: - description: |- - automountServiceAccountToken defines whether a service account token should be automatically mounted in the pod. - If the field isn't set, the operator mounts the service account token by default. - - **Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery. - It is possible to use strategic merge patch to project the service account token into the 'prometheus' container. - type: boolean - baseImage: - description: 'baseImage is deprecated: use ''spec.image'' instead.' - type: string - bodySizeLimit: - description: |- - bodySizeLimit defines per-scrape on response body size. - Only valid in Prometheus versions 2.45.0 and newer. - - Note that the global limit only applies to scrape objects that don't specify an explicit limit value. - If you want to enforce a maximum limit for all scrape objects, refer to enforcedBodySizeLimit. - pattern: (^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$ - type: string - configMaps: - description: |- - configMaps defines a list of ConfigMaps in the same namespace as the Prometheus - object, which shall be mounted into the Prometheus Pods. - Each ConfigMap is added to the StatefulSet definition as a volume named `configmap-`. - The ConfigMaps are mounted into /etc/prometheus/configmaps/ in the 'prometheus' container. - items: - type: string - type: array - containers: - description: |- - containers allows injecting additional containers or modifying operator - generated containers. This can be used to allow adding an authentication - proxy to the Pods or to change the behavior of an operator generated - container. Containers described here modify an operator generated - container if they share the same name and modifications are done via a - strategic merge patch. 
- - The names of containers managed by the operator are: - * `prometheus` - * `config-reloader` - * `thanos-sidecar` - - Overriding containers is entirely outside the scope of what the - maintainers will support and by doing so, you accept that this behaviour - may break at any time without notice. - items: - description: A single application container that you want to run - within a pod. - properties: - args: - description: |- - Arguments to the entrypoint. - The container image's CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - command: - description: |- - Entrypoint array. Not executed within a shell. - The container image's ENTRYPOINT is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. 
- More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - env: - description: |- - List of environment variables to set in the container. - Cannot be updated. - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. - If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount containing - the env file. 
- type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - envFrom: - description: |- - List of sources to populate environment variables in the container. - The keys defined within a source may consist of any printable ASCII characters except '='. 
- When a key exists in multiple - sources, the value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will take precedence. - Cannot be updated. - items: - description: EnvFromSource represents the source of a set - of ConfigMaps or Secrets - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap must be - defined - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - description: |- - Optional text to prepend to the name of each environment variable. - May consist of any printable ASCII characters except '='. - type: string - secretRef: - description: The Secret to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - image: - description: |- - Container image name. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. 
- type: string - imagePullPolicy: - description: |- - Image pull policy. - One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - type: string - lifecycle: - description: |- - Actions that the management system should take in response to container lifecycle events. - Cannot be updated. - properties: - postStart: - description: |- - PostStart is called immediately after a container is created. If the handler fails, - the container is terminated and restarted according to its restart policy. - Other management of the container blocks until the hook completes. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute in - the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. 
- This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that the container - should sleep. - properties: - seconds: - description: Seconds is the number of seconds to - sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: |- - PreStop is called immediately before a container is terminated due to an - API request or management event such as liveness/startup probe failure, - preemption, resource contention, etc. The handler is not called if the - container crashes or exits. The Pod's termination grace period countdown begins before the - PreStop hook is executed. 
Regardless of the outcome of the handler, the - container will eventually terminate within the Pod's termination grace - period (unless delayed by finalizers). Other management of the container blocks until the hook completes - or until the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute in - the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. 
- Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that the container - should sleep. - properties: - seconds: - description: Seconds is the number of seconds to - sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - stopSignal: - description: |- - StopSignal defines which signal will be sent to a container when it is being stopped. - If not specified, the default is defined by the container runtime in use. - StopSignal can only be set for Pods with a non-empty .spec.os.name - type: string - type: object - livenessProbe: - description: |- - Periodic probe of container liveness. - Container will be restarted if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. 
The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. 
- type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. 
Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - name: - description: |- - Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. - type: string - ports: - description: |- - List of ports to expose from the container. Not specifying a port here - DOES NOT prevent that port from being exposed. Any port which is - listening on the default "0.0.0.0" address inside a container will be - accessible from the network. - Modifying this array with strategic merge patch may corrupt the data. - For more information See https://github.com/kubernetes/kubernetes/issues/108255. - Cannot be updated. - items: - description: ContainerPort represents a network port in a - single container. - properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. - This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: |- - Number of port to expose on the host. - If specified, this must be a valid port number, 0 < x < 65536. - If HostNetwork is specified, this must match ContainerPort. - Most containers do not need this. 
- format: int32 - type: integer - name: - description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. - type: string - protocol: - default: TCP - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. - Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: |- - Periodic probe of container service readiness. - Container will be removed from service endpoints if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. 
- format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. 
- format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - resizePolicy: - description: Resources resize policy for the container. 
- items: - description: ContainerResizePolicy represents resource resize - policy for the container. - properties: - resourceName: - description: |- - Name of the resource to which this resource resize policy applies. - Supported values: cpu, memory. - type: string - restartPolicy: - description: |- - Restart policy to apply when specified resource is resized. - If not specified, it defaults to NotRequired. - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - Compute Resources required by this container. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - restartPolicy: - description: |- - RestartPolicy defines the restart behavior of individual containers in a pod. - This overrides the pod-level restart policy. When this field is not specified, - the restart behavior is defined by the Pod's restart policy and the container type. - Additionally, setting the RestartPolicy as "Always" for the init container will - have the following effect: - this init container will be continually restarted on - exit until all regular containers have terminated. Once all regular - containers have completed, all init containers with restartPolicy "Always" - will be shut down. This lifecycle differs from normal init containers and - is often referred to as a "sidecar" container. Although this init - container still starts in the init container sequence, it does not wait - for the container to complete before proceeding to the next init - container. Instead, the next init container starts immediately after this - init container is started, or after any startupProbe has successfully - completed. - type: string - restartPolicyRules: - description: |- - Represents a list of rules to be checked to determine if the - container should be restarted on exit. The rules are evaluated in - order. 
Once a rule matches a container exit condition, the remaining - rules are ignored. If no rule matches the container exit condition, - the Container-level restart policy determines the whether the container - is restarted or not. Constraints on the rules: - - At most 20 rules are allowed. - - Rules can have the same action. - - Identical rules are not forbidden in validations. - When rules are specified, container MUST set RestartPolicy explicitly - even it if matches the Pod's RestartPolicy. - items: - description: ContainerRestartRule describes how a container - exit is handled. - properties: - action: - description: |- - Specifies the action taken on a container exit if the requirements - are satisfied. The only possible value is "Restart" to restart the - container. - type: string - exitCodes: - description: Represents the exit codes to check on container - exits. - properties: - operator: - description: |- - Represents the relationship between the container exit code(s) and the - specified values. Possible values are: - - In: the requirement is satisfied if the container exit code is in the - set of specified values. - - NotIn: the requirement is satisfied if the container exit code is - not in the set of specified values. - type: string - values: - description: |- - Specifies the set of values to check for container exit codes. - At most 255 elements are allowed. - items: - format: int32 - type: integer - type: array - x-kubernetes-list-type: set - required: - - operator - type: object - required: - - action - type: object - type: array - x-kubernetes-list-type: atomic - securityContext: - description: |- - SecurityContext defines the security options the container should be run with. - If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. 
- More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by this container. If set, this profile - overrides the pod's appArmorProfile. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default value is Default which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". 
Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - type: object - type: object - startupProbe: - description: |- - StartupProbe indicates that the Pod has successfully initialized. - If specified, no other probes are executed until this completes successfully. - If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, - when it might take a long time to load data or warm a cache, than during steady-state operation. - This cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. 
- type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
- format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - stdin: - description: |- - Whether this container should allocate a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will always result in EOF. - Default is false. 
- type: boolean - stdinOnce: - description: |- - Whether the container runtime should close the stdin channel after it has been opened by - a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the - first client attaches to stdin, and then remains open and accepts data until the client disconnects, - at which time stdin is closed and remains closed until the container is restarted. If this - flag is false, a container processes that reads from stdin will never receive an EOF. - Default is false - type: boolean - terminationMessagePath: - description: |- - Optional: Path at which the file to which the container's termination message - will be written is mounted into the container's filesystem. - Message written is intended to be brief final status, such as an assertion failure message. - Will be truncated by the node if greater than 4096 bytes. The total message length across - all containers will be limited to 12kb. - Defaults to /dev/termination-log. - Cannot be updated. - type: string - terminationMessagePolicy: - description: |- - Indicate how the termination message should be populated. File will use the contents of - terminationMessagePath to populate the container status message on both success and failure. - FallbackToLogsOnError will use the last chunk of container log output if the termination - message file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, whichever is smaller. - Defaults to File. - Cannot be updated. - type: string - tty: - description: |- - Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. - Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices to be - used by the container. 
- items: - description: volumeDevice describes a mapping of a raw block - device within a container. - properties: - devicePath: - description: devicePath is the path inside of the container - that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - devicePath - x-kubernetes-list-type: map - volumeMounts: - description: |- - Pod volumes to mount into the container's filesystem. - Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. 
If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - mountPath - x-kubernetes-list-type: map - workingDir: - description: |- - Container's working directory. - If not specified, the container runtime's default will be used, which - might be configured in the container image. - Cannot be updated. - type: string - required: - - name - type: object - type: array - convertClassicHistogramsToNHCB: - description: |- - convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native - histogram with custom buckets. - - It requires Prometheus >= v3.4.0. - type: boolean - disableCompaction: - description: |- - disableCompaction when true, the Prometheus compaction is disabled. - When `spec.thanos.objectStorageConfig` or `spec.objectStorageConfigFile` are defined, the operator automatically - disables block compaction to avoid race conditions during block uploads (as the Thanos documentation recommends). 
- type: boolean - dnsConfig: - description: dnsConfig defines the DNS configuration for the pods. - properties: - nameservers: - description: |- - nameservers defines the list of DNS name server IP addresses. - This will be appended to the base nameservers generated from DNSPolicy. - items: - minLength: 1 - type: string - type: array - x-kubernetes-list-type: set - options: - description: |- - options defines the list of DNS resolver options. - This will be merged with the base options generated from DNSPolicy. - Resolution options given in Options - will override those that appear in the base DNSPolicy. - items: - description: PodDNSConfigOption defines DNS resolver options - of a pod. - properties: - name: - description: name is required and must be unique. - minLength: 1 - type: string - value: - description: value is optional. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - searches: - description: |- - searches defines the list of DNS search domains for host-name lookup. - This will be appended to the base search paths generated from DNSPolicy. - items: - minLength: 1 - type: string - type: array - x-kubernetes-list-type: set - type: object - dnsPolicy: - description: dnsPolicy defines the DNS policy for the pods. - enum: - - ClusterFirstWithHostNet - - ClusterFirst - - Default - - None - type: string - enableAdminAPI: - description: |- - enableAdminAPI defines access to the Prometheus web admin API. - - WARNING: Enabling the admin APIs enables mutating endpoints, to delete data, - shutdown Prometheus, and more. Enabling this should be done with care and the - user is advised to add additional authentication authorization via a proxy to - ensure only clients authorized to perform these actions can do so. 
- - For more information: - https://prometheus.io/docs/prometheus/latest/querying/api/#tsdb-admin-apis - type: boolean - enableFeatures: - description: |- - enableFeatures enables access to Prometheus feature flags. By default, no features are enabled. - - Enabling features which are disabled by default is entirely outside the - scope of what the maintainers will support and by doing so, you accept - that this behaviour may break at any time without notice. - - For more information see https://prometheus.io/docs/prometheus/latest/feature_flags/ - items: - minLength: 1 - type: string - type: array - x-kubernetes-list-type: set - enableOTLPReceiver: - description: |- - enableOTLPReceiver defines the Prometheus to be used as a receiver for the OTLP Metrics protocol. - - Note that the OTLP receiver endpoint is automatically enabled if `.spec.otlpConfig` is defined. - - It requires Prometheus >= v2.47.0. - type: boolean - enableRemoteWriteReceiver: - description: |- - enableRemoteWriteReceiver defines the Prometheus to be used as a receiver for the Prometheus remote - write protocol. - - WARNING: This is not considered an efficient way of ingesting samples. - Use it with caution for specific low-volume use cases. - It is not suitable for replacing the ingestion via scraping and turning - Prometheus into a push-based metrics collection system. - For more information see https://prometheus.io/docs/prometheus/latest/querying/api/#remote-write-receiver - - It requires Prometheus >= v2.33.0. - type: boolean - enableServiceLinks: - description: enableServiceLinks defines whether information about - services should be injected into pod's environment variables - type: boolean - enforcedBodySizeLimit: - description: |- - enforcedBodySizeLimit when defined specifies a global limit on the size - of uncompressed response body that will be accepted by Prometheus. - Targets responding with a body larger than this many bytes will cause - the scrape to fail. 
- - It requires Prometheus >= v2.28.0. - - When both `enforcedBodySizeLimit` and `bodySizeLimit` are defined and greater than zero, the following rules apply: - * Scrape objects without a defined bodySizeLimit value will inherit the global bodySizeLimit value (Prometheus >= 2.45.0) or the enforcedBodySizeLimit value (Prometheus < v2.45.0). - If Prometheus version is >= 2.45.0 and the `enforcedBodySizeLimit` is greater than the `bodySizeLimit`, the `bodySizeLimit` will be set to `enforcedBodySizeLimit`. - * Scrape objects with a bodySizeLimit value less than or equal to enforcedBodySizeLimit keep their specific value. - * Scrape objects with a bodySizeLimit value greater than enforcedBodySizeLimit are set to enforcedBodySizeLimit. - pattern: (^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$ - type: string - enforcedKeepDroppedTargets: - description: |- - enforcedKeepDroppedTargets when defined specifies a global limit on the number of targets - dropped by relabeling that will be kept in memory. The value overrides - any `spec.keepDroppedTargets` set by - ServiceMonitor, PodMonitor, Probe objects unless `spec.keepDroppedTargets` is - greater than zero and less than `spec.enforcedKeepDroppedTargets`. - - It requires Prometheus >= v2.47.0. - - When both `enforcedKeepDroppedTargets` and `keepDroppedTargets` are defined and greater than zero, the following rules apply: - * Scrape objects without a defined keepDroppedTargets value will inherit the global keepDroppedTargets value (Prometheus >= 2.45.0) or the enforcedKeepDroppedTargets value (Prometheus < v2.45.0). - If Prometheus version is >= 2.45.0 and the `enforcedKeepDroppedTargets` is greater than the `keepDroppedTargets`, the `keepDroppedTargets` will be set to `enforcedKeepDroppedTargets`. - * Scrape objects with a keepDroppedTargets value less than or equal to enforcedKeepDroppedTargets keep their specific value. 
- * Scrape objects with a keepDroppedTargets value greater than enforcedKeepDroppedTargets are set to enforcedKeepDroppedTargets. - format: int64 - type: integer - enforcedLabelLimit: - description: |- - enforcedLabelLimit when defined specifies a global limit on the number - of labels per sample. The value overrides any `spec.labelLimit` set by - ServiceMonitor, PodMonitor, Probe objects unless `spec.labelLimit` is - greater than zero and less than `spec.enforcedLabelLimit`. - - It requires Prometheus >= v2.27.0. - - When both `enforcedLabelLimit` and `labelLimit` are defined and greater than zero, the following rules apply: - * Scrape objects without a defined labelLimit value will inherit the global labelLimit value (Prometheus >= 2.45.0) or the enforcedLabelLimit value (Prometheus < v2.45.0). - If Prometheus version is >= 2.45.0 and the `enforcedLabelLimit` is greater than the `labelLimit`, the `labelLimit` will be set to `enforcedLabelLimit`. - * Scrape objects with a labelLimit value less than or equal to enforcedLabelLimit keep their specific value. - * Scrape objects with a labelLimit value greater than enforcedLabelLimit are set to enforcedLabelLimit. - format: int64 - type: integer - enforcedLabelNameLengthLimit: - description: |- - enforcedLabelNameLengthLimit when defined specifies a global limit on the length - of labels name per sample. The value overrides any `spec.labelNameLengthLimit` set by - ServiceMonitor, PodMonitor, Probe objects unless `spec.labelNameLengthLimit` is - greater than zero and less than `spec.enforcedLabelNameLengthLimit`. - - It requires Prometheus >= v2.27.0. - - When both `enforcedLabelNameLengthLimit` and `labelNameLengthLimit` are defined and greater than zero, the following rules apply: - * Scrape objects without a defined labelNameLengthLimit value will inherit the global labelNameLengthLimit value (Prometheus >= 2.45.0) or the enforcedLabelNameLengthLimit value (Prometheus < v2.45.0). 
- If Prometheus version is >= 2.45.0 and the `enforcedLabelNameLengthLimit` is greater than the `labelNameLengthLimit`, the `labelNameLengthLimit` will be set to `enforcedLabelNameLengthLimit`. - * Scrape objects with a labelNameLengthLimit value less than or equal to enforcedLabelNameLengthLimit keep their specific value. - * Scrape objects with a labelNameLengthLimit value greater than enforcedLabelNameLengthLimit are set to enforcedLabelNameLengthLimit. - format: int64 - type: integer - enforcedLabelValueLengthLimit: - description: |- - enforcedLabelValueLengthLimit when not null defines a global limit on the length - of labels value per sample. The value overrides any `spec.labelValueLengthLimit` set by - ServiceMonitor, PodMonitor, Probe objects unless `spec.labelValueLengthLimit` is - greater than zero and less than `spec.enforcedLabelValueLengthLimit`. - - It requires Prometheus >= v2.27.0. - - When both `enforcedLabelValueLengthLimit` and `labelValueLengthLimit` are defined and greater than zero, the following rules apply: - * Scrape objects without a defined labelValueLengthLimit value will inherit the global labelValueLengthLimit value (Prometheus >= 2.45.0) or the enforcedLabelValueLengthLimit value (Prometheus < v2.45.0). - If Prometheus version is >= 2.45.0 and the `enforcedLabelValueLengthLimit` is greater than the `labelValueLengthLimit`, the `labelValueLengthLimit` will be set to `enforcedLabelValueLengthLimit`. - * Scrape objects with a labelValueLengthLimit value less than or equal to enforcedLabelValueLengthLimit keep their specific value. - * Scrape objects with a labelValueLengthLimit value greater than enforcedLabelValueLengthLimit are set to enforcedLabelValueLengthLimit. - format: int64 - type: integer - enforcedNamespaceLabel: - description: |- - enforcedNamespaceLabel when not empty, a label will be added to: - - 1. All metrics scraped from `ServiceMonitor`, `PodMonitor`, `Probe` and `ScrapeConfig` objects. - 2. 
All metrics generated from recording rules defined in `PrometheusRule` objects. - 3. All alerts generated from alerting rules defined in `PrometheusRule` objects. - 4. All vector selectors of PromQL expressions defined in `PrometheusRule` objects. - - The label will not added for objects referenced in `spec.excludedFromEnforcement`. - - The label's name is this field's value. - The label's value is the namespace of the `ServiceMonitor`, - `PodMonitor`, `Probe`, `PrometheusRule` or `ScrapeConfig` object. - type: string - enforcedSampleLimit: - description: |- - enforcedSampleLimit when defined specifies a global limit on the number - of scraped samples that will be accepted. This overrides any - `spec.sampleLimit` set by ServiceMonitor, PodMonitor, Probe objects - unless `spec.sampleLimit` is greater than zero and less than - `spec.enforcedSampleLimit`. - - It is meant to be used by admins to keep the overall number of - samples/series under a desired limit. - - When both `enforcedSampleLimit` and `sampleLimit` are defined and greater than zero, the following rules apply: - * Scrape objects without a defined sampleLimit value will inherit the global sampleLimit value (Prometheus >= 2.45.0) or the enforcedSampleLimit value (Prometheus < v2.45.0). - If Prometheus version is >= 2.45.0 and the `enforcedSampleLimit` is greater than the `sampleLimit`, the `sampleLimit` will be set to `enforcedSampleLimit`. - * Scrape objects with a sampleLimit value less than or equal to enforcedSampleLimit keep their specific value. - * Scrape objects with a sampleLimit value greater than enforcedSampleLimit are set to enforcedSampleLimit. - format: int64 - type: integer - enforcedTargetLimit: - description: |- - enforcedTargetLimit when defined specifies a global limit on the number - of scraped targets. The value overrides any `spec.targetLimit` set by - ServiceMonitor, PodMonitor, Probe objects unless `spec.targetLimit` is - greater than zero and less than `spec.enforcedTargetLimit`. 
- - It is meant to be used by admins to to keep the overall number of - targets under a desired limit. - - When both `enforcedTargetLimit` and `targetLimit` are defined and greater than zero, the following rules apply: - * Scrape objects without a defined targetLimit value will inherit the global targetLimit value (Prometheus >= 2.45.0) or the enforcedTargetLimit value (Prometheus < v2.45.0). - If Prometheus version is >= 2.45.0 and the `enforcedTargetLimit` is greater than the `targetLimit`, the `targetLimit` will be set to `enforcedTargetLimit`. - * Scrape objects with a targetLimit value less than or equal to enforcedTargetLimit keep their specific value. - * Scrape objects with a targetLimit value greater than enforcedTargetLimit are set to enforcedTargetLimit. - format: int64 - type: integer - evaluationInterval: - default: 30s - description: |- - evaluationInterval defines the interval between rule evaluations. - Default: "30s" - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - excludedFromEnforcement: - description: |- - excludedFromEnforcement defines the list of references to PodMonitor, ServiceMonitor, Probe and PrometheusRule objects - to be excluded from enforcing a namespace label of origin. - - It is only applicable if `spec.enforcedNamespaceLabel` set to true. - items: - description: ObjectReference references a PodMonitor, ServiceMonitor, - Probe or PrometheusRule object. - properties: - group: - default: monitoring.coreos.com - description: group of the referent. When not specified, it defaults - to `monitoring.coreos.com` - enum: - - monitoring.coreos.com - type: string - name: - description: name of the referent. When not set, all resources - in the namespace are matched. - type: string - namespace: - description: |- - namespace of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - resource: - description: resource of the referent. - enum: - - prometheusrules - - servicemonitors - - podmonitors - - probes - - scrapeconfigs - type: string - required: - - namespace - - resource - type: object - type: array - exemplars: - description: |- - exemplars related settings that are runtime reloadable. - It requires to enable the `exemplar-storage` feature flag to be effective. - properties: - maxSize: - description: |- - maxSize defines the maximum number of exemplars stored in memory for all series. - - exemplar-storage itself must be enabled using the `spec.enableFeature` - option for exemplars to be scraped in the first place. - - If not set, Prometheus uses its default value. A value of zero or less - than zero disables the storage. - format: int64 - type: integer - type: object - externalLabels: - additionalProperties: - type: string - description: |- - externalLabels defines the labels to add to any time series or alerts when communicating with - external systems (federation, remote storage, Alertmanager). - Labels defined by `spec.replicaExternalLabelName` and - `spec.prometheusExternalLabelName` take precedence over this list. - type: object - externalUrl: - description: |- - externalUrl defines the external URL under which the Prometheus service is externally - available. This is necessary to generate correct URLs (for instance if - Prometheus is accessible behind an Ingress resource). - type: string - hostAliases: - description: |- - hostAliases defines the optional list of hosts and IPs that will be injected into the Pod's - hosts file if specified. - items: - description: |- - HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the - pod's hosts file. - properties: - hostnames: - description: hostnames defines hostnames for the above IP address. 
- items: - type: string - type: array - ip: - description: ip defines the IP address of the host file entry. - type: string - required: - - hostnames - - ip - type: object - type: array - x-kubernetes-list-map-keys: - - ip - x-kubernetes-list-type: map - hostNetwork: - description: |- - hostNetwork defines the host's network namespace if true. - - Make sure to understand the security implications if you want to enable - it (https://kubernetes.io/docs/concepts/configuration/overview/ ). - - When hostNetwork is enabled, this will set the DNS policy to - `ClusterFirstWithHostNet` automatically (unless `.spec.DNSPolicy` is set - to a different value). - type: boolean - hostUsers: - description: |- - hostUsers supports the user space in Kubernetes. - - More info: https://kubernetes.io/docs/tasks/configure-pod-container/user-namespaces/ - - The feature requires at least Kubernetes 1.28 with the `UserNamespacesSupport` feature gate enabled. - Starting Kubernetes 1.33, the feature is enabled by default. - type: boolean - ignoreNamespaceSelectors: - description: |- - ignoreNamespaceSelectors when true, `spec.namespaceSelector` from all PodMonitor, ServiceMonitor - and Probe objects will be ignored. They will only discover targets - within the namespace of the PodMonitor, ServiceMonitor and Probe - object. - type: boolean - image: - description: |- - image defines the container image name for Prometheus. If specified, it takes precedence - over the `spec.baseImage`, `spec.tag` and `spec.sha` fields. - - Specifying `spec.version` is still necessary to ensure the Prometheus - Operator knows which version of Prometheus is being configured. - - If neither `spec.image` nor `spec.baseImage` are defined, the operator - will use the latest upstream version of Prometheus available at the time - when the operator was released. 
- type: string - imagePullPolicy: - description: |- - imagePullPolicy defines the image pull policy for the 'prometheus', 'init-config-reloader' and 'config-reloader' containers. - See https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy for more details. - enum: - - "" - - Always - - Never - - IfNotPresent - type: string - imagePullSecrets: - description: |- - imagePullSecrets defines an optional list of references to Secrets in the same namespace - to use for pulling images from registries. - See http://kubernetes.io/docs/user-guide/images#specifying-imagepullsecrets-on-a-pod - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - initContainers: - description: |- - initContainers allows injecting initContainers to the Pod definition. Those - can be used to e.g. fetch secrets for injection into the Prometheus - configuration from external sources. Any errors during the execution of - an initContainer will lead to a restart of the Pod. More info: - https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - InitContainers described here modify an operator generated init - containers if they share the same name and modifications are done via a - strategic merge patch. - - The names of init container name managed by the operator are: - * `init-config-reloader`. 
- - Overriding init containers is entirely outside the scope of what the - maintainers will support and by doing so, you accept that this behaviour - may break at any time without notice. - items: - description: A single application container that you want to run - within a pod. - properties: - args: - description: |- - Arguments to the entrypoint. - The container image's CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - command: - description: |- - Entrypoint array. Not executed within a shell. - The container image's ENTRYPOINT is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - env: - description: |- - List of environment variables to set in the container. - Cannot be updated. 
- items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". 
- type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. - If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount containing - the env file. - type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
- properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - envFrom: - description: |- - List of sources to populate environment variables in the container. - The keys defined within a source may consist of any printable ASCII characters except '='. - When a key exists in multiple - sources, the value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will take precedence. - Cannot be updated. 
- items: - description: EnvFromSource represents the source of a set - of ConfigMaps or Secrets - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap must be - defined - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - description: |- - Optional text to prepend to the name of each environment variable. - May consist of any printable ASCII characters except '='. - type: string - secretRef: - description: The Secret to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - image: - description: |- - Container image name. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - imagePullPolicy: - description: |- - Image pull policy. - One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - Cannot be updated. 
- More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - type: string - lifecycle: - description: |- - Actions that the management system should take in response to container lifecycle events. - Cannot be updated. - properties: - postStart: - description: |- - PostStart is called immediately after a container is created. If the handler fails, - the container is terminated and restarted according to its restart policy. - Other management of the container blocks until the hook completes. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute in - the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. 
- type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that the container - should sleep. - properties: - seconds: - description: Seconds is the number of seconds to - sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: |- - PreStop is called immediately before a container is terminated due to an - API request or management event such as liveness/startup probe failure, - preemption, resource contention, etc. The handler is not called if the - container crashes or exits. The Pod's termination grace period countdown begins before the - PreStop hook is executed. 
Regardless of the outcome of the handler, the - container will eventually terminate within the Pod's termination grace - period (unless delayed by finalizers). Other management of the container blocks until the hook completes - or until the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute in - the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. 
- Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that the container - should sleep. - properties: - seconds: - description: Seconds is the number of seconds to - sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - stopSignal: - description: |- - StopSignal defines which signal will be sent to a container when it is being stopped. - If not specified, the default is defined by the container runtime in use. - StopSignal can only be set for Pods with a non-empty .spec.os.name - type: string - type: object - livenessProbe: - description: |- - Periodic probe of container liveness. - Container will be restarted if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. 
The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. 
- type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. 
Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - name: - description: |- - Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. - type: string - ports: - description: |- - List of ports to expose from the container. Not specifying a port here - DOES NOT prevent that port from being exposed. Any port which is - listening on the default "0.0.0.0" address inside a container will be - accessible from the network. - Modifying this array with strategic merge patch may corrupt the data. - For more information See https://github.com/kubernetes/kubernetes/issues/108255. - Cannot be updated. - items: - description: ContainerPort represents a network port in a - single container. - properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. - This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: |- - Number of port to expose on the host. - If specified, this must be a valid port number, 0 < x < 65536. - If HostNetwork is specified, this must match ContainerPort. - Most containers do not need this. 
- format: int32 - type: integer - name: - description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. - type: string - protocol: - default: TCP - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. - Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: |- - Periodic probe of container service readiness. - Container will be removed from service endpoints if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. 
- format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. 
- format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - resizePolicy: - description: Resources resize policy for the container. 
- items: - description: ContainerResizePolicy represents resource resize - policy for the container. - properties: - resourceName: - description: |- - Name of the resource to which this resource resize policy applies. - Supported values: cpu, memory. - type: string - restartPolicy: - description: |- - Restart policy to apply when specified resource is resized. - If not specified, it defaults to NotRequired. - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - Compute Resources required by this container. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - restartPolicy: - description: |- - RestartPolicy defines the restart behavior of individual containers in a pod. - This overrides the pod-level restart policy. When this field is not specified, - the restart behavior is defined by the Pod's restart policy and the container type. - Additionally, setting the RestartPolicy as "Always" for the init container will - have the following effect: - this init container will be continually restarted on - exit until all regular containers have terminated. Once all regular - containers have completed, all init containers with restartPolicy "Always" - will be shut down. This lifecycle differs from normal init containers and - is often referred to as a "sidecar" container. Although this init - container still starts in the init container sequence, it does not wait - for the container to complete before proceeding to the next init - container. Instead, the next init container starts immediately after this - init container is started, or after any startupProbe has successfully - completed. - type: string - restartPolicyRules: - description: |- - Represents a list of rules to be checked to determine if the - container should be restarted on exit. The rules are evaluated in - order. 
Once a rule matches a container exit condition, the remaining - rules are ignored. If no rule matches the container exit condition, - the Container-level restart policy determines the whether the container - is restarted or not. Constraints on the rules: - - At most 20 rules are allowed. - - Rules can have the same action. - - Identical rules are not forbidden in validations. - When rules are specified, container MUST set RestartPolicy explicitly - even it if matches the Pod's RestartPolicy. - items: - description: ContainerRestartRule describes how a container - exit is handled. - properties: - action: - description: |- - Specifies the action taken on a container exit if the requirements - are satisfied. The only possible value is "Restart" to restart the - container. - type: string - exitCodes: - description: Represents the exit codes to check on container - exits. - properties: - operator: - description: |- - Represents the relationship between the container exit code(s) and the - specified values. Possible values are: - - In: the requirement is satisfied if the container exit code is in the - set of specified values. - - NotIn: the requirement is satisfied if the container exit code is - not in the set of specified values. - type: string - values: - description: |- - Specifies the set of values to check for container exit codes. - At most 255 elements are allowed. - items: - format: int32 - type: integer - type: array - x-kubernetes-list-type: set - required: - - operator - type: object - required: - - action - type: object - type: array - x-kubernetes-list-type: atomic - securityContext: - description: |- - SecurityContext defines the security options the container should be run with. - If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. 
- More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by this container. If set, this profile - overrides the pod's appArmorProfile. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default value is Default which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". 
Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - type: object - type: object - startupProbe: - description: |- - StartupProbe indicates that the Pod has successfully initialized. - If specified, no other probes are executed until this completes successfully. - If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, - when it might take a long time to load data or warm a cache, than during steady-state operation. - This cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. 
- type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
- format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - stdin: - description: |- - Whether this container should allocate a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will always result in EOF. - Default is false. 
- type: boolean - stdinOnce: - description: |- - Whether the container runtime should close the stdin channel after it has been opened by - a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the - first client attaches to stdin, and then remains open and accepts data until the client disconnects, - at which time stdin is closed and remains closed until the container is restarted. If this - flag is false, a container processes that reads from stdin will never receive an EOF. - Default is false - type: boolean - terminationMessagePath: - description: |- - Optional: Path at which the file to which the container's termination message - will be written is mounted into the container's filesystem. - Message written is intended to be brief final status, such as an assertion failure message. - Will be truncated by the node if greater than 4096 bytes. The total message length across - all containers will be limited to 12kb. - Defaults to /dev/termination-log. - Cannot be updated. - type: string - terminationMessagePolicy: - description: |- - Indicate how the termination message should be populated. File will use the contents of - terminationMessagePath to populate the container status message on both success and failure. - FallbackToLogsOnError will use the last chunk of container log output if the termination - message file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, whichever is smaller. - Defaults to File. - Cannot be updated. - type: string - tty: - description: |- - Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. - Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices to be - used by the container. 
- items: - description: volumeDevice describes a mapping of a raw block - device within a container. - properties: - devicePath: - description: devicePath is the path inside of the container - that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - devicePath - x-kubernetes-list-type: map - volumeMounts: - description: |- - Pod volumes to mount into the container's filesystem. - Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. 
If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - mountPath - x-kubernetes-list-type: map - workingDir: - description: |- - Container's working directory. - If not specified, the container runtime's default will be used, which - might be configured in the container image. - Cannot be updated. - type: string - required: - - name - type: object - type: array - keepDroppedTargets: - description: |- - keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling - that will be kept in memory. 0 means no limit. - - It requires Prometheus >= v2.47.0. - - Note that the global limit only applies to scrape objects that don't specify an explicit limit value. - If you want to enforce a maximum limit for all scrape objects, refer to enforcedKeepDroppedTargets. - format: int64 - type: integer - labelLimit: - description: |- - labelLimit defines per-scrape limit on number of labels that will be accepted for a sample. 
- Only valid in Prometheus versions 2.45.0 and newer. - - Note that the global limit only applies to scrape objects that don't specify an explicit limit value. - If you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelLimit. - format: int64 - type: integer - labelNameLengthLimit: - description: |- - labelNameLengthLimit defines the per-scrape limit on length of labels name that will be accepted for a sample. - Only valid in Prometheus versions 2.45.0 and newer. - - Note that the global limit only applies to scrape objects that don't specify an explicit limit value. - If you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelNameLengthLimit. - format: int64 - type: integer - labelValueLengthLimit: - description: |- - labelValueLengthLimit defines the per-scrape limit on length of labels value that will be accepted for a sample. - Only valid in Prometheus versions 2.45.0 and newer. - - Note that the global limit only applies to scrape objects that don't specify an explicit limit value. - If you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelValueLengthLimit. - format: int64 - type: integer - listenLocal: - description: |- - listenLocal when true, the Prometheus server listens on the loopback address - instead of the Pod IP's address. - type: boolean - logFormat: - description: logFormat for Log level for Prometheus and the config-reloader - sidecar. - enum: - - "" - - logfmt - - json - type: string - logLevel: - description: logLevel for Prometheus and the config-reloader sidecar. - enum: - - "" - - debug - - info - - warn - - error - type: string - maximumStartupDurationSeconds: - description: |- - maximumStartupDurationSeconds defines the maximum time that the `prometheus` container's startup probe will wait before being considered failed. The startup probe will return success after the WAL replay is complete. - If set, the value should be greater than 60 (seconds). 
Otherwise it will be equal to 900 seconds (15 minutes). - format: int32 - minimum: 60 - type: integer - minReadySeconds: - description: |- - minReadySeconds defines the minimum number of seconds for which a newly created Pod should be ready - without any of its container crashing for it to be considered available. - - If unset, pods will be considered available as soon as they are ready. - format: int32 - minimum: 0 - type: integer - nameEscapingScheme: - description: |- - nameEscapingScheme defines the character escaping scheme that will be requested when scraping - for metric and label names that do not conform to the legacy Prometheus - character set. - - It requires Prometheus >= v3.4.0. - enum: - - AllowUTF8 - - Underscores - - Dots - - Values - type: string - nameValidationScheme: - description: |- - nameValidationScheme defines the validation scheme for metric and label names. - - It requires Prometheus >= v2.55.0. - enum: - - UTF8 - - Legacy - type: string - nodeSelector: - additionalProperties: - type: string - description: nodeSelector defines on which Nodes the Pods are scheduled. - type: object - otlp: - description: |- - otlp defines the settings related to the OTLP receiver feature. - It requires Prometheus >= v2.55.0. - properties: - convertHistogramsToNHCB: - description: |- - convertHistogramsToNHCB defines optional translation of OTLP explicit bucket histograms into native histograms with custom buckets. - It requires Prometheus >= v3.4.0. - type: boolean - ignoreResourceAttributes: - description: |- - ignoreResourceAttributes defines the list of OpenTelemetry resource attributes to ignore when `promoteAllResourceAttributes` is true. - - It requires `promoteAllResourceAttributes` to be true. - It requires Prometheus >= v3.5.0. 
- items: - minLength: 1 - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - keepIdentifyingResourceAttributes: - description: |- - keepIdentifyingResourceAttributes enables adding `service.name`, `service.namespace` and `service.instance.id` - resource attributes to the `target_info` metric, on top of converting them into the `instance` and `job` labels. - - It requires Prometheus >= v3.1.0. - type: boolean - promoteAllResourceAttributes: - description: |- - promoteAllResourceAttributes promotes all resource attributes to metric labels except the ones defined in `ignoreResourceAttributes`. - - Cannot be true when `promoteResourceAttributes` is defined. - It requires Prometheus >= v3.5.0. - type: boolean - promoteResourceAttributes: - description: |- - promoteResourceAttributes defines the list of OpenTelemetry Attributes that should be promoted to metric labels, defaults to none. - Cannot be defined when `promoteAllResourceAttributes` is true. - items: - minLength: 1 - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - promoteScopeMetadata: - description: |- - promoteScopeMetadata controls whether to promote OpenTelemetry scope metadata (i.e. name, version, schema URL, and attributes) to metric labels. - As per the OpenTelemetry specification, the aforementioned scope metadata should be identifying, i.e. made into metric labels. - It requires Prometheus >= v3.6.0. - type: boolean - translationStrategy: - description: |- - translationStrategy defines how the OTLP receiver endpoint translates the incoming metrics. - - It requires Prometheus >= v3.0.0. 
- enum: - - NoUTF8EscapingWithSuffixes - - UnderscoreEscapingWithSuffixes - - NoTranslation - - UnderscoreEscapingWithoutSuffixes - type: string - type: object - overrideHonorLabels: - description: |- - overrideHonorLabels when true, Prometheus resolves label conflicts by renaming the labels in the scraped data - to “exported_” for all targets created from ServiceMonitor, PodMonitor and - ScrapeConfig objects. Otherwise the HonorLabels field of the service or pod monitor applies. - In practice,`OverrideHonorLabels:true` enforces `honorLabels:false` - for all ServiceMonitor, PodMonitor and ScrapeConfig objects. - type: boolean - overrideHonorTimestamps: - description: |- - overrideHonorTimestamps when true, Prometheus ignores the timestamps for all the targets created - from service and pod monitors. - Otherwise the HonorTimestamps field of the service or pod monitor applies. - type: boolean - paused: - description: |- - paused defines when a Prometheus deployment is paused, no actions except for deletion - will be performed on the underlying objects. - type: boolean - persistentVolumeClaimRetentionPolicy: - description: |- - persistentVolumeClaimRetentionPolicy defines the field controls if and how PVCs are deleted during the lifecycle of a StatefulSet. - The default behavior is all PVCs are retained. - This is an alpha field from kubernetes 1.23 until 1.26 and a beta field from 1.26. - It requires enabling the StatefulSetAutoDeletePVC feature gate. - properties: - whenDeleted: - description: |- - WhenDeleted specifies what happens to PVCs created from StatefulSet - VolumeClaimTemplates when the StatefulSet is deleted. The default policy - of `Retain` causes PVCs to not be affected by StatefulSet deletion. The - `Delete` policy causes those PVCs to be deleted. - type: string - whenScaled: - description: |- - WhenScaled specifies what happens to PVCs created from StatefulSet - VolumeClaimTemplates when the StatefulSet is scaled down. 
The default - policy of `Retain` causes PVCs to not be affected by a scaledown. The - `Delete` policy causes the associated PVCs for any excess pods above - the replica count to be deleted. - type: string - type: object - podMetadata: - description: |- - podMetadata defines labels and annotations which are propagated to the Prometheus pods. - - The following items are reserved and cannot be overridden: - * "prometheus" label, set to the name of the Prometheus object. - * "app.kubernetes.io/instance" label, set to the name of the Prometheus object. - * "app.kubernetes.io/managed-by" label, set to "prometheus-operator". - * "app.kubernetes.io/name" label, set to "prometheus". - * "app.kubernetes.io/version" label, set to the Prometheus version. - * "operator.prometheus.io/name" label, set to the name of the Prometheus object. - * "operator.prometheus.io/shard" label, set to the shard number of the Prometheus object. - * "kubectl.kubernetes.io/default-container" annotation, set to "prometheus". - properties: - annotations: - additionalProperties: - type: string - description: |- - annotations defines an unstructured key value map stored with a resource that may be - set by external tools to store and retrieve arbitrary metadata. They are not - queryable and should be preserved when modifying objects. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - type: object - labels: - additionalProperties: - type: string - description: |- - labels define the map of string keys and values that can be used to organize and categorize - (scope and select) objects. May match selectors of replication controllers - and services. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - type: object - name: - description: |- - name must be unique within a namespace. Is required when creating resources, although - some resources may allow a client to request the generation of an appropriate name - automatically. 
Name is primarily intended for creation idempotence and configuration - definition. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/ - type: string - type: object - podMonitorNamespaceSelector: - description: |- - podMonitorNamespaceSelector defines the namespaces to match for PodMonitors discovery. An empty label selector - matches all namespaces. A null label selector (default value) matches the current - namespace only. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podMonitorSelector: - description: |- - podMonitorSelector defines the podMonitors to be selected for target discovery. 
An empty label selector - matches all objects. A null label selector matches no objects. - - If `spec.serviceMonitorSelector`, `spec.podMonitorSelector`, `spec.probeSelector` - and `spec.scrapeConfigSelector` are null, the Prometheus configuration is unmanaged. - The Prometheus operator will ensure that the Prometheus configuration's - Secret exists, but it is the responsibility of the user to provide the raw - gzipped Prometheus configuration under the `prometheus.yaml.gz` key. - This behavior is *deprecated* and will be removed in the next major version - of the custom resource definition. It is recommended to use - `spec.additionalScrapeConfigs` instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - podTargetLabels: - description: |- - podTargetLabels are appended to the `spec.podTargetLabels` field of all - PodMonitor and ServiceMonitor objects. - items: - type: string - type: array - portName: - default: web - description: |- - portName used for the pods and governing service. - Default: "web" - type: string - priorityClassName: - description: priorityClassName assigned to the Pods. - type: string - probeNamespaceSelector: - description: |- - probeNamespaceSelector defines the namespaces to match for Probe discovery. An empty label - selector matches all namespaces. A null label selector matches the - current namespace only. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - probeSelector: - description: |- - probeSelector defines the probes to be selected for target discovery. An empty label selector - matches all objects. A null label selector matches no objects. - - If `spec.serviceMonitorSelector`, `spec.podMonitorSelector`, `spec.probeSelector` - and `spec.scrapeConfigSelector` are null, the Prometheus configuration is unmanaged. - The Prometheus operator will ensure that the Prometheus configuration's - Secret exists, but it is the responsibility of the user to provide the raw - gzipped Prometheus configuration under the `prometheus.yaml.gz` key. - This behavior is *deprecated* and will be removed in the next major version - of the custom resource definition. It is recommended to use - `spec.additionalScrapeConfigs` instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - prometheusExternalLabelName: - description: |- - prometheusExternalLabelName defines the name of Prometheus external label used to denote the Prometheus instance - name. The external label will _not_ be added when the field is set to - the empty string (`""`). - - Default: "prometheus" - type: string - prometheusRulesExcludedFromEnforce: - description: |- - prometheusRulesExcludedFromEnforce defines the list of PrometheusRule objects to which the namespace label - enforcement doesn't apply. - This is only relevant when `spec.enforcedNamespaceLabel` is set to true. - Deprecated: use `spec.excludedFromEnforcement` instead. - items: - description: |- - PrometheusRuleExcludeConfig enables users to configure excluded - PrometheusRule names and their namespaces to be ignored while enforcing - namespace label for alerts and metrics. - properties: - ruleName: - description: ruleName defines the name of the excluded PrometheusRule - object. - type: string - ruleNamespace: - description: ruleNamespace defines the namespace of the excluded - PrometheusRule object. - type: string - required: - - ruleName - - ruleNamespace - type: object - type: array - query: - description: query defines the configuration of the Prometheus query - service. - properties: - lookbackDelta: - description: lookbackDelta defines the delta difference allowed - for retrieving metrics during expression evaluations. 
- type: string - maxConcurrency: - description: maxConcurrency defines the number of concurrent queries - that can be run at once. - format: int32 - minimum: 1 - type: integer - maxSamples: - description: |- - maxSamples defines the maximum number of samples a single query can load into memory. Note that - queries will fail if they would load more samples than this into memory, - so this also limits the number of samples a query can return. - format: int32 - type: integer - timeout: - description: timeout defines the maximum time a query may take - before being aborted. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - type: object - queryLogFile: - description: |- - queryLogFile specifies where the file to which PromQL queries are logged. - - If the filename has an empty path, e.g. 'query.log', The Prometheus Pods - will mount the file into an emptyDir volume at `/var/log/prometheus`. - If a full path is provided, e.g. '/var/log/prometheus/query.log', you - must mount a volume in the specified directory and it must be writable. - This is because the prometheus container runs with a read-only root - filesystem for security reasons. - Alternatively, the location can be set to a standard I/O stream, e.g. - `/dev/stdout`, to log query information to the default Prometheus log - stream. - type: string - reloadStrategy: - description: |- - reloadStrategy defines the strategy used to reload the Prometheus configuration. - If not specified, the configuration is reloaded using the /-/reload HTTP endpoint. - enum: - - HTTP - - ProcessSignal - type: string - remoteRead: - description: remoteRead defines the list of remote read configurations. - items: - description: |- - RemoteReadSpec defines the configuration for Prometheus to read back samples - from a remote endpoint. - properties: - authorization: - description: |- - authorization section for the URL. - - It requires Prometheus >= v2.26.0. 
- - Cannot be set at the same time as `basicAuth`, or `oauth2`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - credentialsFile: - description: credentialsFile defines the file to read a - secret from, mutually exclusive with `credentials`. - type: string - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth configuration for the URL. - - Cannot be set at the same time as `authorization`, or `oauth2`. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerToken: - description: |- - bearerToken is deprecated: this will be removed in a future release. - *Warning: this field shouldn't be used because the token value appears - in clear-text. Prefer using `authorization`.* - type: string - bearerTokenFile: - description: |- - bearerTokenFile defines the file from which to read the bearer token for the URL. - - Deprecated: this will be removed in a future release. Prefer using `authorization`. - type: string - filterExternalLabels: - description: |- - filterExternalLabels defines whether to use the external labels as selectors for the remote read endpoint. - - It requires Prometheus >= v2.34.0. - type: boolean - followRedirects: - description: |- - followRedirects defines whether HTTP requests follow HTTP 3xx redirects. - - It requires Prometheus >= v2.26.0. 
- type: boolean - headers: - additionalProperties: - type: string - description: |- - headers defines the custom HTTP headers to be sent along with each remote read request. - Be aware that headers that are set by Prometheus itself can't be overwritten. - Only valid in Prometheus versions 2.26.0 and newer. - type: object - name: - description: |- - name of the remote read queue, it must be unique if specified. The - name is used in metrics and logging in order to differentiate read - configurations. - - It requires Prometheus >= v2.15.0. - type: string - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 configuration for the URL. - - It requires Prometheus >= v2.27.0. - - Cannot be set at the same time as `authorization`, or `basicAuth`. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. 
- properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. 
- properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. 
- - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - readRecent: - description: |- - readRecent defines whether reads should be made for queries for time ranges that - the local storage should have complete data for. - type: boolean - remoteTimeout: - description: remoteTimeout defines the timeout for requests - to the remote read endpoint. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - requiredMatchers: - additionalProperties: - type: string - description: |- - requiredMatchers defines an optional list of equality matchers which have to be present - in a selector to query the remote read endpoint. - type: object - tlsConfig: - description: tlsConfig to use for the URL. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - caFile: - description: caFile defines the path to the CA cert in the - Prometheus container to use for the targets. - type: string - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: certFile defines the path to the client cert - file in the Prometheus container for the targets. - type: string - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keyFile: - description: keyFile defines the path to the client key - file in the Prometheus container for the targets. - type: string - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. 
- type: string - type: object - url: - description: url defines the URL of the endpoint to query from. - type: string - required: - - url - type: object - type: array - remoteWrite: - description: remoteWrite defines the list of remote write configurations. - items: - description: |- - RemoteWriteSpec defines the configuration to write samples from Prometheus - to a remote endpoint. - properties: - authorization: - description: |- - authorization section for the URL. - - It requires Prometheus >= v2.26.0 or Thanos >= v0.24.0. - - Cannot be set at the same time as `sigv4`, `basicAuth`, `oauth2`, or `azureAd`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - credentialsFile: - description: credentialsFile defines the file to read a - secret from, mutually exclusive with `credentials`. - type: string - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - azureAd: - description: |- - azureAd for the URL. - - It requires Prometheus >= v2.45.0 or Thanos >= v0.31.0. - - Cannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `sigv4`. 
- properties: - cloud: - description: cloud defines the Azure Cloud. Options are - 'AzurePublic', 'AzureChina', or 'AzureGovernment'. - enum: - - AzureChina - - AzureGovernment - - AzurePublic - type: string - managedIdentity: - description: |- - managedIdentity defines the Azure User-assigned Managed identity. - Cannot be set at the same time as `oauth` or `sdk`. - properties: - clientId: - description: |- - clientId defines the Azure User-assigned Managed identity. - - For Prometheus >= 3.5.0 and Thanos >= 0.40.0, this field is allowed to be empty to support system-assigned managed identities. - minLength: 1 - type: string - type: object - oauth: - description: |- - oauth defines the oauth config that is being used to authenticate. - Cannot be set at the same time as `managedIdentity` or `sdk`. - - It requires Prometheus >= v2.48.0 or Thanos >= v0.31.0. - properties: - clientId: - description: clientId defines the clientId of the Azure - Active Directory application that is being used to - authenticate. - minLength: 1 - type: string - clientSecret: - description: clientSecret specifies a key of a Secret - containing the client secret of the Azure Active Directory - application that is being used to authenticate. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - tenantId: - description: tenantId is the tenant ID of the Azure - Active Directory application that is being used to - authenticate. - minLength: 1 - pattern: ^[0-9a-zA-Z-.]+$ - type: string - required: - - clientId - - clientSecret - - tenantId - type: object - sdk: - description: |- - sdk defines the Azure SDK config that is being used to authenticate. - See https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication - Cannot be set at the same time as `oauth` or `managedIdentity`. - - It requires Prometheus >= v2.52.0 or Thanos >= v0.36.0. - properties: - tenantId: - description: tenantId defines the tenant ID of the azure - active directory application that is being used to - authenticate. - pattern: ^[0-9a-zA-Z-.]+$ - type: string - type: object - type: object - basicAuth: - description: |- - basicAuth configuration for the URL. - - Cannot be set at the same time as `sigv4`, `authorization`, `oauth2`, or `azureAd`. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerToken: - description: |- - bearerToken is deprecated: this will be removed in a future release. - *Warning: this field shouldn't be used because the token value appears - in clear-text. Prefer using `authorization`.* - type: string - bearerTokenFile: - description: |- - bearerTokenFile defines the file from which to read bearer token for the URL. - - Deprecated: this will be removed in a future release. Prefer using `authorization`. - type: string - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - followRedirects: - description: |- - followRedirects defines whether HTTP requests follow HTTP 3xx redirects. - - It requires Prometheus >= v2.26.0 or Thanos >= v0.24.0. - type: boolean - headers: - additionalProperties: - type: string - description: |- - headers defines the custom HTTP headers to be sent along with each remote write request. 
- Be aware that headers that are set by Prometheus itself can't be overwritten. - - It requires Prometheus >= v2.25.0 or Thanos >= v0.24.0. - type: object - messageVersion: - description: |- - messageVersion defines the Remote Write message's version to use when writing to the endpoint. - - `Version1.0` corresponds to the `prometheus.WriteRequest` protobuf message introduced in Remote Write 1.0. - `Version2.0` corresponds to the `io.prometheus.write.v2.Request` protobuf message introduced in Remote Write 2.0. - - When `Version2.0` is selected, Prometheus will automatically be - configured to append the metadata of scraped metrics to the WAL. - - Before setting this field, consult with your remote storage provider - what message version it supports. - - It requires Prometheus >= v2.54.0 or Thanos >= v0.37.0. - enum: - - V1.0 - - V2.0 - type: string - metadataConfig: - description: |- - metadataConfig defines how to send a series metadata to the remote storage. - - When the field is empty, **no metadata** is sent. But when the field is - null, metadata is sent. - properties: - maxSamplesPerSend: - description: |- - maxSamplesPerSend defines the maximum number of metadata samples per send. - - It requires Prometheus >= v2.29.0. - format: int32 - minimum: -1 - type: integer - send: - description: send defines whether metric metadata is sent - to the remote storage or not. - type: boolean - sendInterval: - description: sendInterval defines how frequently metric - metadata is sent to the remote storage. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - type: object - name: - description: |- - name of the remote write queue, it must be unique if specified. The - name is used in metrics and logging in order to differentiate queues. - - It requires Prometheus >= v2.15.0 or Thanos >= 0.24.0. 
- type: string - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 configuration for the URL. - - It requires Prometheus >= v2.27.0 or Thanos >= v0.24.0. - - Cannot be set at the same time as `sigv4`, `authorization`, `basicAuth`, or `azureAd`. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. 
Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. 
- type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - queueConfig: - description: queueConfig allows tuning of the remote write queue - parameters. - properties: - batchSendDeadline: - description: batchSendDeadline defines the maximum time - a sample will wait in buffer. 
- pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - capacity: - description: |- - capacity defines the number of samples to buffer per shard before we start - dropping them. - type: integer - maxBackoff: - description: maxBackoff defines the maximum retry delay. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - maxRetries: - description: maxRetries defines the maximum number of times - to retry a batch on recoverable errors. - type: integer - maxSamplesPerSend: - description: maxSamplesPerSend defines the maximum number - of samples per send. - type: integer - maxShards: - description: maxShards defines the maximum number of shards, - i.e. amount of concurrency. - type: integer - minBackoff: - description: minBackoff defines the initial retry delay. - Gets doubled for every retry. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - minShards: - description: minShards defines the minimum number of shards, - i.e. amount of concurrency. - type: integer - retryOnRateLimit: - description: |- - retryOnRateLimit defines the retry upon receiving a 429 status code from the remote-write storage. - - This is an *experimental feature*, it may change in any upcoming release - in a breaking way. - type: boolean - sampleAgeLimit: - description: |- - sampleAgeLimit drops samples older than the limit. - It requires Prometheus >= v2.50.0 or Thanos >= v0.32.0. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - type: object - remoteTimeout: - description: remoteTimeout defines the timeout for requests - to the remote write endpoint. 
- pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - roundRobinDNS: - description: "roundRobinDNS controls the DNS resolution behavior - for remote-write connections.\nWhen enabled:\n - The remote-write - mechanism will resolve the hostname via DNS.\n - It will - randomly select one of the resolved IP addresses and connect - to it.\n\nWhen disabled (default behavior):\n - The Go standard - library will handle hostname resolution.\n - It will attempt - connections to each resolved IP address sequentially.\n\nNote: - The connection timeout applies to the entire resolution and - connection process.\n\n\tIf disabled, the timeout is distributed - across all connection attempts.\n\nIt requires Prometheus - >= v3.1.0 or Thanos >= v0.38.0." - type: boolean - sendExemplars: - description: |- - sendExemplars enables sending of exemplars over remote write. Note that - exemplar-storage itself must be enabled using the `spec.enableFeatures` - option for exemplars to be scraped in the first place. - - It requires Prometheus >= v2.27.0 or Thanos >= v0.24.0. - type: boolean - sendNativeHistograms: - description: |- - sendNativeHistograms enables sending of native histograms, also known as sparse histograms - over remote write. - - It requires Prometheus >= v2.40.0 or Thanos >= v0.30.0. - type: boolean - sigv4: - description: |- - sigv4 defines the AWS's Signature Verification 4 for the URL. - - It requires Prometheus >= v2.26.0 or Thanos >= v0.24.0. - - Cannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `azureAd`. - properties: - accessKey: - description: |- - accessKey defines the AWS API key. If not specified, the environment variable - `AWS_ACCESS_KEY_ID` is used. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - profile: - description: profile defines the named AWS profile used - to authenticate. - type: string - region: - description: region defines the AWS region. If blank, the - region from the default credentials chain used. - type: string - roleArn: - description: roleArn defines the named AWS profile used - to authenticate. - type: string - secretKey: - description: |- - secretKey defines the AWS API secret. If not specified, the environment - variable `AWS_SECRET_ACCESS_KEY` is used. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - useFIPSSTSEndpoint: - description: |- - useFIPSSTSEndpoint defines the FIPS mode for the AWS STS endpoint. - It requires Prometheus >= v2.54.0. - type: boolean - type: object - tlsConfig: - description: tlsConfig to use for the URL. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. 
- properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - caFile: - description: caFile defines the path to the CA cert in the - Prometheus container to use for the targets. - type: string - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: certFile defines the path to the client cert - file in the Prometheus container for the targets. - type: string - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keyFile: - description: keyFile defines the path to the client key - file in the Prometheus container for the targets. - type: string - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - url: - description: url defines the URL of the endpoint to send samples - to. - minLength: 1 - type: string - writeRelabelConfigs: - description: writeRelabelConfigs defines the list of remote - write relabel configurations. - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. 
- - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - required: - - url - type: object - type: array - remoteWriteReceiverMessageVersions: - description: |- - remoteWriteReceiverMessageVersions list of the protobuf message versions to accept when receiving the - remote writes. 
- - It requires Prometheus >= v2.54.0. - items: - enum: - - V1.0 - - V2.0 - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - replicaExternalLabelName: - description: |- - replicaExternalLabelName defines the name of Prometheus external label used to denote the replica name. - The external label will _not_ be added when the field is set to the - empty string (`""`). - - Default: "prometheus_replica" - type: string - replicas: - description: |- - replicas defines the number of replicas of each shard to deploy for a Prometheus deployment. - `spec.replicas` multiplied by `spec.shards` is the total number of Pods - created. - - Default: 1 - format: int32 - type: integer - resources: - description: resources defines the resources requests and limits of - the 'prometheus' container. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - retention: - description: |- - retention defines how long to retain the Prometheus data. - - Default: "24h" if `spec.retention` and `spec.retentionSize` are empty. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - retentionSize: - description: retentionSize defines the maximum number of bytes used - by the Prometheus data. - pattern: (^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$ - type: string - routePrefix: - description: |- - routePrefix defines the route prefix Prometheus registers HTTP handlers for. - - This is useful when using `spec.externalURL`, and a proxy is rewriting - HTTP routes of a request, and the actual ExternalURL is still true, but - the server serves requests under a different route prefix. 
For example - for use with `kubectl proxy`. - type: string - ruleNamespaceSelector: - description: |- - ruleNamespaceSelector defines the namespaces to match for PrometheusRule discovery. An empty label selector - matches all namespaces. A null label selector matches the current - namespace only. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - ruleQueryOffset: - description: |- - ruleQueryOffset defines the offset the rule evaluation timestamp of this particular group by the specified duration into the past. - It requires Prometheus >= v2.53.0. 
- pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - ruleSelector: - description: |- - ruleSelector defines the prometheusRule objects to be selected for rule evaluation. An empty - label selector matches all objects. A null label selector matches no - objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - rules: - description: rules defines the configuration of the Prometheus rules' - engine. - properties: - alert: - description: |- - alert defines the parameters of the Prometheus rules' engine. - - Any update to these parameters trigger a restart of the pods. 
- properties: - forGracePeriod: - description: |- - forGracePeriod defines the minimum duration between alert and restored 'for' state. - - This is maintained only for alerts with a configured 'for' time greater - than the grace period. - type: string - forOutageTolerance: - description: |- - forOutageTolerance defines the max time to tolerate prometheus outage for restoring 'for' state of - alert. - type: string - resendDelay: - description: |- - resendDelay defines the minimum amount of time to wait before resending an alert to - Alertmanager. - type: string - type: object - type: object - runtime: - description: runtime defines the values for the Prometheus process - behavior - properties: - goGC: - description: |- - goGC defines the Go garbage collection target percentage. Lowering this number may increase the CPU usage. - See: https://tip.golang.org/doc/gc-guide#GOGC - format: int32 - minimum: -1 - type: integer - type: object - sampleLimit: - description: |- - sampleLimit defines per-scrape limit on number of scraped samples that will be accepted. - Only valid in Prometheus versions 2.45.0 and newer. - - Note that the global limit only applies to scrape objects that don't specify an explicit limit value. - If you want to enforce a maximum limit for all scrape objects, refer to enforcedSampleLimit. - format: int64 - type: integer - scrapeClasses: - description: |- - scrapeClasses defines the list of scrape classes to expose to scraping objects such as - PodMonitors, ServiceMonitors, Probes and ScrapeConfigs. - - This is an *experimental feature*, it may change in any upcoming release - in a breaking way. - items: - properties: - attachMetadata: - description: |- - attachMetadata defines additional metadata to the discovered targets. - When the scrape object defines its own configuration, it takes - precedence over the scrape class configuration. 
- properties: - node: - description: |- - node when set to true, Prometheus attaches node metadata to the discovered - targets. - - The Prometheus service account must have the `list` and `watch` - permissions on the `Nodes` objects. - type: boolean - type: object - authorization: - description: |- - authorization section for the ScrapeClass. - It will only apply if the scrape resource doesn't specify any Authorization. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - credentialsFile: - description: credentialsFile defines the file to read a - secret from, mutually exclusive with `credentials`. - type: string - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - default: - description: |- - default defines that the scrape applies to all scrape objects that - don't configure an explicit scrape class name. - - Only one scrape class can be set as the default. - type: boolean - fallbackScrapeProtocol: - description: |- - fallbackScrapeProtocol defines the protocol to use if a scrape returns blank, unparseable, or otherwise invalid Content-Type. 
- It will only apply if the scrape resource doesn't specify any FallbackScrapeProtocol - - It requires Prometheus >= v3.0.0. - enum: - - PrometheusProto - - OpenMetricsText0.0.1 - - OpenMetricsText1.0.0 - - PrometheusText0.0.4 - - PrometheusText1.0.0 - type: string - metricRelabelings: - description: |- - metricRelabelings defines the relabeling rules to apply to all samples before ingestion. - - The Operator adds the scrape class metric relabelings defined here. - Then the Operator adds the target-specific metric relabelings defined in ServiceMonitors, PodMonitors, Probes and ScrapeConfigs. - Then the Operator adds namespace enforcement relabeling rule, specified in '.spec.enforcedNamespaceLabel'. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. 
- type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - name: - description: name of the scrape class. - minLength: 1 - type: string - relabelings: - description: |- - relabelings defines the relabeling rules to apply to all scrape targets. - - The Operator automatically adds relabelings for a few standard Kubernetes fields - like `__meta_kubernetes_namespace` and `__meta_kubernetes_service_name`. - Then the Operator adds the scrape class relabelings defined here. - Then the Operator adds the target-specific relabelings defined in the scrape object. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. 
- - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. 
- - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS settings to use for the scrape. When the - scrape objects define their own CA, certificate and/or key, they take - precedence over the corresponding scrape class fields. - - For now only the `caFile`, `certFile` and `keyFile` fields are supported. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - caFile: - description: caFile defines the path to the CA cert in the - Prometheus container to use for the targets. - type: string - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: certFile defines the path to the client cert - file in the Prometheus container for the targets. - type: string - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keyFile: - description: keyFile defines the path to the client key - file in the Prometheus container for the targets. - type: string - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. 
- type: string - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - scrapeClassicHistograms: - description: |- - scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram. - - Notice: `scrapeClassicHistograms` corresponds to the `always_scrape_classic_histograms` field in the Prometheus configuration. - - It requires Prometheus >= v3.5.0. - type: boolean - scrapeConfigNamespaceSelector: - description: |- - scrapeConfigNamespaceSelector defines the namespaces to match for ScrapeConfig discovery. An empty label selector - matches all namespaces. A null label selector matches the current - namespace only. - - Note that the ScrapeConfig custom resource definition is currently at Alpha level. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - scrapeConfigSelector: - description: |- - scrapeConfigSelector defines the scrapeConfigs to be selected for target discovery. An empty label - selector matches all objects. A null label selector matches no objects. - - If `spec.serviceMonitorSelector`, `spec.podMonitorSelector`, `spec.probeSelector` - and `spec.scrapeConfigSelector` are null, the Prometheus configuration is unmanaged. - The Prometheus operator will ensure that the Prometheus configuration's - Secret exists, but it is the responsibility of the user to provide the raw - gzipped Prometheus configuration under the `prometheus.yaml.gz` key. - This behavior is *deprecated* and will be removed in the next major version - of the custom resource definition. It is recommended to use - `spec.additionalScrapeConfigs` instead. - - Note that the ScrapeConfig custom resource definition is currently at Alpha level. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - scrapeFailureLogFile: - description: |- - scrapeFailureLogFile defines the file to which scrape failures are logged. - Reloading the configuration will reopen the file. - - If the filename has an empty path, e.g. 'file.log', The Prometheus Pods - will mount the file into an emptyDir volume at `/var/log/prometheus`. - If a full path is provided, e.g. '/var/log/prometheus/file.log', you - must mount a volume in the specified directory and it must be writable. - It requires Prometheus >= v2.55.0. - minLength: 1 - type: string - scrapeInterval: - default: 30s - description: |- - scrapeInterval defines interval between consecutive scrapes. - - Default: "30s" - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - scrapeProtocols: - description: |- - scrapeProtocols defines the protocols to negotiate during a scrape. It tells clients the - protocols supported by Prometheus in order of preference (from most to least preferred). - - If unset, Prometheus uses its default value. - - It requires Prometheus >= v2.49.0. - - `PrometheusText1.0.0` requires Prometheus >= v3.0.0. - items: - description: |- - ScrapeProtocol represents a protocol used by Prometheus for scraping metrics. 
- Supported values are: - * `OpenMetricsText0.0.1` - * `OpenMetricsText1.0.0` - * `PrometheusProto` - * `PrometheusText0.0.4` - * `PrometheusText1.0.0` - enum: - - PrometheusProto - - OpenMetricsText0.0.1 - - OpenMetricsText1.0.0 - - PrometheusText0.0.4 - - PrometheusText1.0.0 - type: string - type: array - x-kubernetes-list-type: set - scrapeTimeout: - description: |- - scrapeTimeout defines the number of seconds to wait until a scrape request times out. - The value cannot be greater than the scrape interval otherwise the operator will reject the resource. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - secrets: - description: |- - secrets defines a list of Secrets in the same namespace as the Prometheus - object, which shall be mounted into the Prometheus Pods. - Each Secret is added to the StatefulSet definition as a volume named `secret-`. - The Secrets are mounted into /etc/prometheus/secrets/ in the 'prometheus' container. - items: - type: string - type: array - x-kubernetes-list-type: set - securityContext: - description: |- - securityContext holds pod-level security attributes and common container settings. - This defaults to the default PodSecurityContext. - properties: - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. 
- Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxChangePolicy: - description: |- - seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. - It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. - Valid values are "MountOption" and "Recursive". - - "Recursive" means relabeling of all files on all Pod volumes by the container runtime. - This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. - - "MountOption" mounts all eligible Pod volumes with `-o context` mount option. - This requires all Pods that share the same volume to use the same SELinux label. - It is not possible to share the same volume among privileged and unprivileged Pods. - Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes - whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their - CSIDriver instance. Other volumes are always re-labelled recursively. - "MountOption" value is allowed only when SELinuxMount feature gate is enabled. - - If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. - If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes - and "Recursive" for all other volumes. 
- - This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. - - All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. - Note that this field cannot be set when spec.os.name is windows. - type: string - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. 
- RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in - addition to the container's primary GID and fsGroup (if specified). If - the SupplementalGroupsPolicy feature is enabled, the - supplementalGroupsPolicy field determines whether these are in addition - to or instead of any group memberships defined in the container image. - If unspecified, no additional groups are added, though group memberships - defined in the container image may still be used, depending on the - supplementalGroupsPolicy field. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - description: |- - Defines how supplemental groups of the first container processes are calculated. - Valid values are "Merge" and "Strict". If not specified, "Merge" is used. - (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled - and the container runtime must implement support for this feature. - Note that this field cannot be set when spec.os.name is windows. - type: string - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - windowsOptions: - description: |- - The Windows specific settings applied to all containers. 
- If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA - credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - serviceAccountName: - description: |- - serviceAccountName is the name of the ServiceAccount to use to run the - Prometheus Pods. - type: string - serviceDiscoveryRole: - description: |- - serviceDiscoveryRole defines the service discovery role used to discover targets from - `ServiceMonitor` objects and Alertmanager endpoints. - - If set, the value should be either "Endpoints" or "EndpointSlice". - If unset, the operator assumes the "Endpoints" role. 
- enum: - - Endpoints - - EndpointSlice - type: string - serviceMonitorNamespaceSelector: - description: |- - serviceMonitorNamespaceSelector defines the namespaces to match for ServicedMonitors discovery. An empty label selector - matches all namespaces. A null label selector (default value) matches the current - namespace only. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - serviceMonitorSelector: - description: |- - serviceMonitorSelector defines the serviceMonitors to be selected for target discovery. An empty label - selector matches all objects. A null label selector matches no objects. 
- - If `spec.serviceMonitorSelector`, `spec.podMonitorSelector`, `spec.probeSelector` - and `spec.scrapeConfigSelector` are null, the Prometheus configuration is unmanaged. - The Prometheus operator will ensure that the Prometheus configuration's - Secret exists, but it is the responsibility of the user to provide the raw - gzipped Prometheus configuration under the `prometheus.yaml.gz` key. - This behavior is *deprecated* and will be removed in the next major version - of the custom resource definition. It is recommended to use - `spec.additionalScrapeConfigs` instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - serviceName: - description: |- - serviceName defines the name of the service name used by the underlying StatefulSet(s) as the governing service. - If defined, the Service must be created before the Prometheus/PrometheusAgent resource in the same namespace and it must define a selector that matches the pod labels. - If empty, the operator will create and manage a headless service named `prometheus-operated` for Prometheus resources, - or `prometheus-agent-operated` for PrometheusAgent resources. - When deploying multiple Prometheus/PrometheusAgent resources in the same namespace, it is recommended to specify a different value for each. - See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-network-id for more details. - minLength: 1 - type: string - sha: - description: 'sha is deprecated: use ''spec.image'' instead. The image''s - digest can be specified as part of the image name.' - type: string - shardRetentionPolicy: - description: |- - shardRetentionPolicy defines the retention policy for the Prometheus shards. - (Alpha) Using this field requires the 'PrometheusShardRetentionPolicy' feature gate to be enabled. - - The final goals for this feature can be seen at https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/proposals/202310-shard-autoscaling.md#graceful-scale-down-of-prometheus-servers, - however, the feature is not yet fully implemented in this PR. The limitation being: - * Retention duration is not settable, for now, shards are retained forever. - properties: - retain: - description: |- - retain defines the config for retention when the retention policy is set to `Retain`. - This field is ineffective as of now. - properties: - retentionPeriod: - description: retentionPeriod defines the retentionPeriod for - shard retention policy. 
- pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - required: - - retentionPeriod - type: object - whenScaled: - description: |- - whenScaled defines the retention policy when the Prometheus shards are scaled down. - * `Delete`, the operator will delete the pods from the scaled-down shard(s). - * `Retain`, the operator will keep the pods from the scaled-down shard(s), so the data can still be queried. - - If not defined, the operator assumes the `Delete` value. - enum: - - Retain - - Delete - type: string - type: object - shards: - description: |- - shards defines the number of shards to distribute the scraped targets onto. - - `spec.replicas` multiplied by `spec.shards` is the total number of Pods - being created. - - When not defined, the operator assumes only one shard. - - Note that scaling down shards will not reshard data onto the remaining - instances, it must be manually moved. Increasing shards will not reshard - data either but it will continue to be available from the same - instances. To query globally, use either - * Thanos sidecar + querier for query federation and Thanos Ruler for rules. - * Remote-write to send metrics to a central location. - - By default, the sharding of targets is performed on: - * The `__address__` target's metadata label for PodMonitor, - ServiceMonitor and ScrapeConfig resources. - * The `__param_target__` label for Probe resources. - - Users can define their own sharding implementation by setting the - `__tmp_hash` label during the target discovery with relabeling - configuration (either in the monitoring resources or via scrape class). - - You can also disable sharding on a specific target by setting the - `__tmp_disable_sharding` label with relabeling configuration. When - the label value isn't empty, all Prometheus shards will scrape the target. - format: int32 - type: integer - storage: - description: storage defines the storage used by Prometheus. 
- properties: - disableMountSubPath: - description: 'disableMountSubPath deprecated: subPath usage will - be removed in a future release.' - type: boolean - emptyDir: - description: |- - emptyDir to be used by the StatefulSet. - If specified, it takes precedence over `ephemeral` and `volumeClaimTemplate`. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral to be used by the StatefulSet. - This is a beta field in k8s 1.21 and GA in 1.15. - For lower versions, starting with k8s 1.19, it requires enabling the GenericEphemeralVolume feature gate. - More info: https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. 
The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. 
- When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. 
- * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes - to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. 
- Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to - the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - volumeClaimTemplate: - description: |- - volumeClaimTemplate defines the PVC spec to be used by the Prometheus StatefulSets. - The easiest way to use a volume that cannot be automatically provisioned - is to use a label selector alongside manually created PersistentVolumes. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - description: metadata defines EmbeddedMetadata contains metadata - relevant to an EmbeddedResource. - properties: - annotations: - additionalProperties: - type: string - description: |- - annotations defines an unstructured key value map stored with a resource that may be - set by external tools to store and retrieve arbitrary metadata. They are not - queryable and should be preserved when modifying objects. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - type: object - labels: - additionalProperties: - type: string - description: |- - labels define the map of string keys and values that can be used to organize and categorize - (scope and select) objects. 
May match selectors of replication controllers - and services. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - type: object - name: - description: |- - name must be unique within a namespace. Is required when creating resources, although - some resources may allow a client to request the generation of an appropriate name - automatically. Name is primarily intended for creation idempotence and configuration - definition. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/ - type: string - type: object - spec: - description: |- - spec defines the specification of the characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. 
- For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to - consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the - PersistentVolume backing this claim. - type: string - type: object - status: - description: 'status is deprecated: this field is never set.' - properties: - accessModes: - description: |- - accessModes contains the actual access modes the volume backing the PVC has. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - allocatedResourceStatuses: - additionalProperties: - description: |- - When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource - that it does not recognizes, then it should ignore that update and let other controllers - handle it. - type: string - description: "allocatedResourceStatuses stores status - of resource being resized for the given PVC.\nKey names - follow standard Kubernetes label syntax. Valid values - are either:\n\t* Un-prefixed keys:\n\t\t- storage - - the capacity of the volume.\n\t* Custom resources must - use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have - kubernetes.io prefix are considered\nreserved and hence - may not be used.\n\nClaimResourceStatus can be in any - of following states:\n\t- ControllerResizeInProgress:\n\t\tState - set when resize controller starts resizing the volume - in control-plane.\n\t- ControllerResizeFailed:\n\t\tState - set when resize has failed in resize controller with - a terminal error.\n\t- NodeResizePending:\n\t\tState - set when resize controller has finished resizing the - volume but further resizing of\n\t\tvolume is needed - on the node.\n\t- NodeResizeInProgress:\n\t\tState set - when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState - set when resizing has failed in kubelet with a terminal - error. 
Transient errors don't set\n\t\tNodeResizeFailed.\nFor - example: if expanding a PVC for more capacity - this - field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeFailed\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizePending\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeFailed\"\nWhen this field is not set, - it means that no resize operation is in progress for - the given PVC.\n\nA controller that receives PVC update - with previously unknown resourceName or ClaimResourceStatus\nshould - ignore the update for the purpose it was designed. For - example - a controller that\nonly is responsible for - resizing capacity of the volume, should ignore PVC updates - that change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - x-kubernetes-map-type: granular - allocatedResources: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: "allocatedResources tracks the resources - allocated to a PVC including its capacity.\nKey names - follow standard Kubernetes label syntax. 
Valid values - are either:\n\t* Un-prefixed keys:\n\t\t- storage - - the capacity of the volume.\n\t* Custom resources must - use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have - kubernetes.io prefix are considered\nreserved and hence - may not be used.\n\nCapacity reported here may be larger - than the actual capacity when a volume expansion operation\nis - requested.\nFor storage quota, the larger value from - allocatedResources and PVC.spec.resources is used.\nIf - allocatedResources is not set, PVC.spec.resources alone - is used for quota calculation.\nIf a volume expansion - capacity request is lowered, allocatedResources is only\nlowered - if there are no expansion operations in progress and - if the actual volume capacity\nis equal or lower than - the requested capacity.\n\nA controller that receives - PVC update with previously unknown resourceName\nshould - ignore the update for the purpose it was designed. For - example - a controller that\nonly is responsible for - resizing capacity of the volume, should ignore PVC updates - that change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - capacity: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: capacity represents the actual resources - of the underlying volume. - type: object - conditions: - description: |- - conditions is the current Condition of persistent volume claim. If underlying persistent volume is being - resized then the Condition will be set to 'Resizing'. 
- items: - description: PersistentVolumeClaimCondition contains - details about state of pvc - properties: - lastProbeTime: - description: lastProbeTime is the time we probed - the condition. - format: date-time - type: string - lastTransitionTime: - description: lastTransitionTime is the time the - condition transitioned from one status to another. - format: date-time - type: string - message: - description: message is the human-readable message - indicating details about last transition. - type: string - reason: - description: |- - reason is a unique, this should be a short, machine understandable string that gives the reason - for condition's last transition. If it reports "Resizing" that means the underlying - persistent volume is being resized. - type: string - status: - description: |- - Status is the status of the condition. - Can be True, False, Unknown. - More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=state%20of%20pvc-,conditions.status,-(string)%2C%20required - type: string - type: - description: |- - Type is the type of the condition. - More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=set%20to%20%27ResizeStarted%27.-,PersistentVolumeClaimCondition,-contains%20details%20about - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - currentVolumeAttributesClassName: - description: |- - currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. - When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim - type: string - modifyVolumeStatus: - description: |- - ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. - When this is unset, there is no ModifyVolume operation being attempted. 
- properties: - status: - description: "status is the status of the ControllerModifyVolume - operation. It can be in any of following states:\n - - Pending\n Pending indicates that the PersistentVolumeClaim - cannot be modified due to unmet requirements, such - as\n the specified VolumeAttributesClass not existing.\n - - InProgress\n InProgress indicates that the volume - is being modified.\n - Infeasible\n Infeasible - indicates that the request has been rejected as - invalid by the CSI driver. To\n\t resolve the error, - a valid VolumeAttributesClass needs to be specified.\nNote: - New statuses can be added in the future. Consumers - should check for unknown statuses and fail appropriately." - type: string - targetVolumeAttributesClassName: - description: targetVolumeAttributesClassName is the - name of the VolumeAttributesClass the PVC currently - being reconciled - type: string - required: - - status - type: object - phase: - description: phase represents the current phase of PersistentVolumeClaim. - type: string - type: object - type: object - type: object - tag: - description: 'tag is deprecated: use ''spec.image'' instead. The image''s - tag can be specified as part of the image name.' - type: string - targetLimit: - description: |- - targetLimit defines a limit on the number of scraped targets that will be accepted. - Only valid in Prometheus versions 2.45.0 and newer. - - Note that the global limit only applies to scrape objects that don't specify an explicit limit value. - If you want to enforce a maximum limit for all scrape objects, refer to enforcedTargetLimit. - format: int64 - type: integer - terminationGracePeriodSeconds: - description: |- - terminationGracePeriodSeconds defines the optional duration in seconds the pod needs to terminate gracefully. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down) which may lead to data corruption. - - Defaults to 600 seconds. 
- format: int64 - minimum: 0 - type: integer - thanos: - description: thanos defines the configuration of the optional Thanos - sidecar. - properties: - additionalArgs: - description: |- - additionalArgs allows setting additional arguments for the Thanos container. - The arguments are passed as-is to the Thanos container which may cause issues - if they are invalid or not supported the given Thanos version. - In case of an argument conflict (e.g. an argument which is already set by the - operator itself) or when providing an invalid argument, the reconciliation will - fail and an error will be logged. - items: - description: Argument as part of the AdditionalArgs list. - properties: - name: - description: name of the argument, e.g. "scrape.discovery-reload-interval". - minLength: 1 - type: string - value: - description: value defines the argument value, e.g. 30s. - Can be empty for name-only arguments (e.g. --storage.tsdb.no-lockfile) - type: string - required: - - name - type: object - type: array - baseImage: - description: 'baseImage is deprecated: use ''image'' instead.' - type: string - blockSize: - default: 2h - description: |- - blockSize controls the size of TSDB blocks produced by Prometheus. - The default value is 2h to match the upstream Prometheus defaults. - - WARNING: Changing the block duration can impact the performance and - efficiency of the entire Prometheus/Thanos stack due to how it interacts - with memory and Thanos compactors. It is recommended to keep this value - set to a multiple of 120 times your longest scrape or rule interval. For - example, 30s * 120 = 1h. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - getConfigInterval: - description: getConfigInterval defines how often to retrieve the - Prometheus configuration. 
- pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - getConfigTimeout: - description: getConfigTimeout defines the maximum time to wait - when retrieving the Prometheus configuration. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - grpcListenLocal: - description: |- - grpcListenLocal defines when true, the Thanos sidecar listens on the loopback interface instead - of the Pod IP's address for the gRPC endpoints. - - It has no effect if `listenLocal` is true. - type: boolean - grpcServerTlsConfig: - description: |- - grpcServerTlsConfig defines the TLS parameters for the gRPC server providing the StoreAPI. - - Note: Currently only the `caFile`, `certFile`, and `keyFile` fields are supported. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - caFile: - description: caFile defines the path to the CA cert in the - Prometheus container to use for the targets. - type: string - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: certFile defines the path to the client cert - file in the Prometheus container for the targets. - type: string - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keyFile: - description: keyFile defines the path to the client key file - in the Prometheus container for the targets. - type: string - keySecret: - description: keySecret defines the Secret containing the client - key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. 
- type: string - type: object - httpListenLocal: - description: |- - httpListenLocal when true, the Thanos sidecar listens on the loopback interface instead - of the Pod IP's address for the HTTP endpoints. - - It has no effect if `listenLocal` is true. - type: boolean - image: - description: |- - image defines the container image name for Thanos. If specified, it takes precedence over - the `spec.thanos.baseImage`, `spec.thanos.tag` and `spec.thanos.sha` - fields. - - Specifying `spec.thanos.version` is still necessary to ensure the - Prometheus Operator knows which version of Thanos is being configured. - - If neither `spec.thanos.image` nor `spec.thanos.baseImage` are defined, - the operator will use the latest upstream version of Thanos available at - the time when the operator was released. - type: string - listenLocal: - description: 'listenLocal is deprecated: use `grpcListenLocal` - and `httpListenLocal` instead.' - type: boolean - logFormat: - description: logFormat for the Thanos sidecar. - enum: - - "" - - logfmt - - json - type: string - logLevel: - description: logLevel for the Thanos sidecar. - enum: - - "" - - debug - - info - - warn - - error - type: string - minTime: - description: |- - minTime defines the start of time range limit served by the Thanos sidecar's StoreAPI. - The field's value should be a constant time in RFC3339 format or a time - duration relative to current time, such as -1d or 2h45m. Valid duration - units are ms, s, m, h, d, w, y. - type: string - objectStorageConfig: - description: |- - objectStorageConfig defines the Thanos sidecar's configuration to upload TSDB blocks to object storage. - - More info: https://thanos.io/tip/thanos/storage.md/ - - objectStorageConfigFile takes precedence over this field. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - objectStorageConfigFile: - description: |- - objectStorageConfigFile defines the Thanos sidecar's configuration file to upload TSDB blocks to object storage. - - More info: https://thanos.io/tip/thanos/storage.md/ - - This field takes precedence over objectStorageConfig. - type: string - readyTimeout: - description: |- - readyTimeout defines the maximum time that the Thanos sidecar will wait for - Prometheus to start. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - resources: - description: resources defines the resources requests and limits - of the Thanos sidecar. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - sha: - description: 'sha is deprecated: use ''image'' instead. The image - digest can be specified as part of the image name.' - type: string - tag: - description: 'tag is deprecated: use ''image'' instead. The image''s - tag can be specified as as part of the image name.' - type: string - tracingConfig: - description: |- - tracingConfig defines the tracing configuration for the Thanos sidecar. - - `tracingConfigFile` takes precedence over this field. - - More info: https://thanos.io/tip/thanos/tracing.md/ - - This is an *experimental feature*, it may change in any upcoming release - in a breaking way. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - tracingConfigFile: - description: |- - tracingConfigFile defines the tracing configuration file for the Thanos sidecar. - - This field takes precedence over `tracingConfig`. - - More info: https://thanos.io/tip/thanos/tracing.md/ - - This is an *experimental feature*, it may change in any upcoming release - in a breaking way. - type: string - version: - description: |- - version of Thanos being deployed. The operator uses this information - to generate the Prometheus StatefulSet + configuration files. - - If not specified, the operator assumes the latest upstream release of - Thanos available at the time when the version of the operator was - released. - type: string - volumeMounts: - description: |- - volumeMounts allows configuration of additional VolumeMounts for Thanos. - VolumeMounts specified will be appended to other VolumeMounts in the - 'thanos-sidecar' container. - items: - description: VolumeMount describes a mounting of a Volume within - a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). 
- type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - type: object - tolerations: - description: tolerations defines the Pods' tolerations if specified. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . 
- properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - description: topologySpreadConstraints defines the pod's topology - spread constraints if specified. - items: - properties: - additionalLabelSelectors: - description: additionalLabelSelectors Defines what Prometheus - Operator managed labels should be added to labelSelector on - the topologySpreadConstraint. - enum: - - OnResource - - OnShard - type: string - labelSelector: - description: |- - LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine the number of pods - in their corresponding topology domain. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select the pods over which - spreading will be calculated. The keys are used to lookup values from the - incoming pod labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading will be calculated - for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't set. - Keys that don't exist in the incoming pod labels will - be ignored. 
A null or empty list means only match against labelSelector. - - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - description: |- - MaxSkew describes the degree to which pods may be unevenly distributed. - When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference - between the number of matching pods in the target topology and the global minimum. - The global minimum is the minimum number of matching pods in an eligible domain - or zero if the number of eligible domains is less than MinDomains. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 2/2/1: - In this case, the global minimum is 1. - | zone1 | zone2 | zone3 | - | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; - scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - - if MaxSkew is 2, incoming pod can be scheduled onto any zone. - When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence - to topologies that satisfy it. - It's a required field. Default value is 1 and 0 is not allowed. - format: int32 - type: integer - minDomains: - description: |- - MinDomains indicates a minimum number of eligible domains. - When the number of eligible domains with matching topology keys is less than minDomains, - Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. - And when the number of eligible domains with matching topology keys equals or greater than minDomains, - this value has no effect on scheduling. - As a result, when the number of eligible domains is less than minDomains, - scheduler won't schedule more than maxSkew Pods to those domains. - If value is nil, the constraint behaves as if MinDomains is equal to 1. 
- Valid values are integers greater than 0. - When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same - labelSelector spread as 2/2/2: - | zone1 | zone2 | zone3 | - | P P | P P | P P | - The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. - In this situation, new pod with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. - format: int32 - type: integer - nodeAffinityPolicy: - description: |- - NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. Options are: - - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - - If this value is nil, the behavior is equivalent to the Honor policy. - type: string - nodeTaintsPolicy: - description: |- - NodeTaintsPolicy indicates how we will treat node taints when calculating - pod topology spread skew. Options are: - - Honor: nodes without taints, along with tainted nodes for which the incoming pod - has a toleration, are included. - - Ignore: node taints are ignored. All nodes are included. - - If this value is nil, the behavior is equivalent to the Ignore policy. - type: string - topologyKey: - description: |- - TopologyKey is the key of node labels. Nodes that have a label with this key - and identical values are considered to be in the same topology. - We consider each as a "bucket", and try to put balanced number - of pods into each bucket. - We define a domain as a particular instance of a topology. - Also, we define an eligible domain as a domain whose nodes meet the requirements of - nodeAffinityPolicy and nodeTaintsPolicy. - e.g. 
If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. - And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. - It's a required field. - type: string - whenUnsatisfiable: - description: |- - WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy - the spread constraint. - - DoNotSchedule (default) tells the scheduler not to schedule it. - - ScheduleAnyway tells the scheduler to schedule the pod in any location, - but giving higher precedence to topologies that would help reduce the - skew. - A constraint is considered "Unsatisfiable" for an incoming pod - if and only if every possible node assignment for that pod would violate - "MaxSkew" on some topology. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: - | zone1 | zone2 | zone3 | - | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled - to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler - won't make it *more* imbalanced. - It's a required field. - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - tracingConfig: - description: |- - tracingConfig defines tracing in Prometheus. - - This is an *experimental feature*, it may change in any upcoming release - in a breaking way. - properties: - clientType: - description: clientType defines the client used to export the - traces. Supported values are `http` or `grpc`. - enum: - - http - - grpc - type: string - compression: - description: compression key for supported compression types. - The only supported value is `gzip`. - enum: - - gzip - type: string - endpoint: - description: endpoint to send the traces to. Should be provided - in format :. 
- minLength: 1 - type: string - headers: - additionalProperties: - type: string - description: headers defines the key-value pairs to be used as - headers associated with gRPC or HTTP requests. - type: object - insecure: - description: insecure if disabled, the client will use a secure - connection. - type: boolean - samplingFraction: - anyOf: - - type: integer - - type: string - description: samplingFraction defines the probability a given - trace will be sampled. Must be a float from 0 through 1. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - timeout: - description: timeout defines the maximum time the exporter will - wait for each batch export. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - tlsConfig: - description: tlsConfig to use when sending traces. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - caFile: - description: caFile defines the path to the CA cert in the - Prometheus container to use for the targets. - type: string - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: certFile defines the path to the client cert - file in the Prometheus container for the targets. - type: string - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keyFile: - description: keyFile defines the path to the client key file - in the Prometheus container for the targets. - type: string - keySecret: - description: keySecret defines the Secret containing the client - key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. 
- type: string - type: object - required: - - endpoint - type: object - tsdb: - description: |- - tsdb defines the runtime reloadable configuration of the timeseries database(TSDB). - It requires Prometheus >= v2.39.0 or PrometheusAgent >= v2.54.0. - properties: - outOfOrderTimeWindow: - description: |- - outOfOrderTimeWindow defines how old an out-of-order/out-of-bounds sample can be with - respect to the TSDB max time. - - An out-of-order/out-of-bounds sample is ingested into the TSDB as long as - the timestamp of the sample is >= (TSDB.MaxTime - outOfOrderTimeWindow). - - This is an *experimental feature*, it may change in any upcoming release - in a breaking way. - - It requires Prometheus >= v2.39.0 or PrometheusAgent >= v2.54.0. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - type: object - version: - description: |- - version of Prometheus being deployed. The operator uses this information - to generate the Prometheus StatefulSet + configuration files. - - If not specified, the operator assumes the latest upstream version of - Prometheus available at the time when the version of the operator was - released. - type: string - volumeMounts: - description: |- - volumeMounts allows the configuration of additional VolumeMounts. - - VolumeMounts will be appended to other VolumeMounts in the 'prometheus' - container, that are generated as a result of StorageSpec objects. - items: - description: VolumeMount describes a mounting of a Volume within - a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. 
- When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - volumes: - description: |- - volumes allows the configuration of additional volumes on the output - StatefulSet definition. 
Volumes specified will be appended to other - volumes that are generated as a result of StorageSpec objects. - items: - description: Volume represents a named volume in a pod that may - be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree - awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: |- - azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. - Deprecated: AzureDisk is deprecated. 
All operations for the in-tree azureDisk type - are redirected to the disk.csi.azure.com CSI driver. - properties: - cachingMode: - description: 'cachingMode is the Host Caching mode: None, - Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data disk in the - blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in the blob - storage - type: string - fsType: - default: ext4 - description: |- - fsType is Filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: multiple - blob disks per storage account Dedicated: single blob - disk per storage account Managed: azure managed data - disk (only in managed availability set). defaults to shared' - type: string - readOnly: - default: false - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: |- - azureFile represents an Azure File Service mount on the host and bind mount to the pod. - Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type - are redirected to the file.csi.azure.com CSI driver. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: secretName is the name of secret that contains - Azure Storage Account Name and Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: |- - cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. 
- Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - path: - description: 'path is Optional: Used as the mounted root, - rather than the full Ceph tree, default is /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - Deprecated: Cinder is deprecated. 
All operations for the in-tree cinder type - are redirected to the cinder.csi.openstack.org CSI driver. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that should populate - this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap or its - keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents ephemeral - storage that is handled by certain external CSI drivers. - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. 
- type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about the pod - that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume file - items: - description: DownwardAPIVolumeFile represents information - to create the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects a field of the pod: - only annotations, labels, name, namespace and uid - are supported.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: 'Required: Path is the relative path - name of the file to be created. Must not be absolute - or contain the ''..'' path. Must be utf-8 encoded. - The first item of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. 
- The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. - The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. 
Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. 
- When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. 
- * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes - to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. 
- Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource that is - attached to a kubelet's host machine and then exposed to the - pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target worldwide - names (WWNs)' - items: - type: string - type: array - x-kubernetes-list-type: atomic - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. - properties: - driver: - description: driver is the name of the driver to use for - this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
- type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field holds extra - command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: |- - flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. - Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. This - is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: GCEPersistentDisk is deprecated. 
All operations for the in-tree - gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. 
Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the specified - revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. - Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - properties: - endpoints: - description: endpoints is the endpoint name that details - Glusterfs topology. - type: string - path: - description: |- - path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - image: - description: |- - image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. - The volume is resolved at pod startup depending on which PullPolicy value is provided: - - - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - - The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. - A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. - The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. - The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. - The volume will be mounted read-only (ro) and non-executable files (noexec). - Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. - The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. 
- properties: - pullPolicy: - description: |- - Policy for pulling OCI objects. Possible values are: - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - type: string - reference: - description: |- - Required: Image or artifact reference to be used. - Behaves in the same way as pod.spec.containers[*].image. - Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether support iSCSI - Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support iSCSI - Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified Name. - type: string - iscsiInterface: - default: default - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - x-kubernetes-list-type: atomic - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for iSCSI target - and initiator authentication - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: |- - photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. - Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. 
"ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon Controller - persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: |- - portworxVolume represents a portworx volume attached and mounted on kubelets host machine. - Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type - are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate - is on. - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources secrets, - configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: |- - sources is the list of volume projections. Each entry in this list - handles one source. - items: - description: |- - Projection that may be projected along with other supported volume types. - Exactly one of these fields must be set. 
- properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the volume root - to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about the configMap - data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. 
Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about the downwardAPI - data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a field - of the pod: only annotations, labels, - name, namespace and uid are supported.' 
- properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, - defaults to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' - path. Must be utf-8 encoded. The first - item of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults - to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to - select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podCertificate: - description: |- - Projects an auto-rotating credential bundle (private key and certificate - chain) that the pod can use either as a TLS client or server. - - Kubelet generates a private key and uses it to send a - PodCertificateRequest to the named signer. Once the signer approves the - request and issues a certificate chain, Kubelet writes the key and - certificate chain to the pod filesystem. The pod does not start until - certificates have been issued for each podCertificate projected volume - source in its spec. - - Kubelet will begin trying to rotate the certificate at the time indicated - by the signer using the PodCertificateRequest.Status.BeginRefreshAt - timestamp. - - Kubelet can write a single file, indicated by the credentialBundlePath - field, or separate files, indicated by the keyPath and - certificateChainPath fields. - - The credential bundle is a single file in PEM format. The first PEM - entry is the private key (in PKCS#8 format), and the remaining PEM - entries are the certificate chain issued by the signer (typically, - signers will return their certificate chain in leaf-to-root order). - - Prefer using the credential bundle format, since your application code - can read it atomically. 
If you use keyPath and certificateChainPath, - your application must make two separate file reads. If these coincide - with a certificate rotation, it is possible that the private key and leaf - certificate you read may not correspond to each other. Your application - will need to check for this condition, and re-read until they are - consistent. - - The named signer controls chooses the format of the certificate it - issues; consult the signer implementation's documentation to learn how to - use the certificates it issues. - properties: - certificateChainPath: - description: |- - Write the certificate chain at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - credentialBundlePath: - description: |- - Write the credential bundle at this path in the projected volume. - - The credential bundle is a single file that contains multiple PEM blocks. - The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private - key. - - The remaining blocks are CERTIFICATE blocks, containing the issued - certificate chain from the signer (leaf and any intermediates). - - Using credentialBundlePath lets your Pod's application code make a single - atomic read that retrieves a consistent key and certificate chain. If you - project them to separate files, your application code will need to - additionally check that the leaf certificate was issued to the key. - type: string - keyPath: - description: |- - Write the key at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. 
- type: string - keyType: - description: |- - The type of keypair Kubelet will generate for the pod. - - Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", - "ECDSAP521", and "ED25519". - type: string - maxExpirationSeconds: - description: |- - maxExpirationSeconds is the maximum lifetime permitted for the - certificate. - - Kubelet copies this value verbatim into the PodCertificateRequests it - generates for this projection. - - If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver - will reject values shorter than 3600 (1 hour). The maximum allowable - value is 7862400 (91 days). - - The signer implementation is then free to issue a certificate with any - lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 - seconds (1 hour). This constraint is enforced by kube-apiserver. - `kubernetes.io` signers will never issue certificates with a lifetime - longer than 24 hours. - format: int32 - type: integer - signerName: - description: Kubelet's generated CSRs will be - addressed to this signer. - type: string - required: - - keyType - - signerName - type: object - secret: - description: secret information about the secret data - to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. 
- Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify whether the - Secret or its key must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information about - the serviceAccountToken data to project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. 
The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - quobyte: - description: |- - quobyte represents a Quobyte mount on the host that shares a pod's lifetime. - Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. - type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references an already - created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. - Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. 
- Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - default: /etc/ceph/keyring - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - pool: - default: rbd - description: |- - pool is the rados pool name. - Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - default: admin - description: |- - user is the rados user name. - Default is admin. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: |- - scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. - Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. - properties: - fsType: - default: xfs - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the ScaleIO - API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the ScaleIO - Protection Domain for the configured storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL communication - with Gateway, default false - type: boolean - storageMode: - default: ThinProvisioned - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage Pool associated - with the protection domain. 
- type: string - system: - description: system is the name of the storage system as - configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
- YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret or - its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: |- - storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. - Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: |- - vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. - Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type - are redirected to the csi.vsphere.vmware.com CSI driver. - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy Based - Management (SPBM) profile ID associated with the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage Policy Based - Management (SPBM) profile name. - type: string - volumePath: - description: volumePath is the path that identifies vSphere - volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - walCompression: - description: |- - walCompression defines the compression of the write-ahead log (WAL) using Snappy. 
- - WAL compression is enabled by default for Prometheus >= 2.20.0 - - Requires Prometheus v2.11.0 and above. - type: boolean - web: - description: web defines the configuration of the Prometheus web server. - properties: - httpConfig: - description: httpConfig defines HTTP parameters for web server. - properties: - headers: - description: headers defines a list of headers that can be - added to HTTP responses. - properties: - contentSecurityPolicy: - description: |- - contentSecurityPolicy defines the Content-Security-Policy header to HTTP responses. - Unset if blank. - type: string - strictTransportSecurity: - description: |- - strictTransportSecurity defines the Strict-Transport-Security header to HTTP responses. - Unset if blank. - Please make sure that you use this with care as this header might force - browsers to load Prometheus and the other applications hosted on the same - domain and subdomains over HTTPS. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security - type: string - xContentTypeOptions: - description: |- - xContentTypeOptions defines the X-Content-Type-Options header to HTTP responses. - Unset if blank. Accepted value is nosniff. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options - enum: - - "" - - NoSniff - type: string - xFrameOptions: - description: |- - xFrameOptions defines the X-Frame-Options header to HTTP responses. - Unset if blank. Accepted values are deny and sameorigin. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options - enum: - - "" - - Deny - - SameOrigin - type: string - xXSSProtection: - description: |- - xXSSProtection defines the X-XSS-Protection header to all responses. - Unset if blank. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection - type: string - type: object - http2: - description: |- - http2 enable HTTP/2 support. Note that HTTP/2 is only supported with TLS. 
- When TLSConfig is not configured, HTTP/2 will be disabled. - Whenever the value of the field changes, a rolling update will be triggered. - type: boolean - type: object - maxConnections: - description: |- - maxConnections defines the maximum number of simultaneous connections - A zero value means that Prometheus doesn't accept any incoming connection. - format: int32 - minimum: 0 - type: integer - pageTitle: - description: pageTitle defines the prometheus web page title. - type: string - tlsConfig: - description: tlsConfig defines the TLS parameters for HTTPS. - properties: - cert: - description: |- - cert defines the Secret or ConfigMap containing the TLS certificate for the web server. - - Either `keySecret` or `keyFile` must be defined. - - It is mutually exclusive with `certFile`. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: |- - certFile defines the path to the TLS certificate file in the container for the web server. - - Either `keySecret` or `keyFile` must be defined. - - It is mutually exclusive with `cert`. - type: string - cipherSuites: - description: |- - cipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2. - - If not defined, the Go default cipher suites are used. - Available cipher suites are documented in the Go documentation: - https://golang.org/pkg/crypto/tls/#pkg-constants - items: - type: string - type: array - client_ca: - description: |- - client_ca defines the Secret or ConfigMap containing the CA certificate for client certificate - authentication to the server. - - It is mutually exclusive with `clientCAFile`. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientAuthType: - description: |- - clientAuthType defines the server policy for client TLS authentication. - - For more detail on clientAuth options: - https://golang.org/pkg/crypto/tls/#ClientAuthType - type: string - clientCAFile: - description: |- - clientCAFile defines the path to the CA certificate file for client certificate authentication to - the server. - - It is mutually exclusive with `client_ca`. - type: string - curvePreferences: - description: |- - curvePreferences defines elliptic curves that will be used in an ECDHE handshake, in preference - order. - - Available curves are documented in the Go documentation: - https://golang.org/pkg/crypto/tls/#CurveID - items: - type: string - type: array - keyFile: - description: |- - keyFile defines the path to the TLS private key file in the container for the web server. - - If defined, either `cert` or `certFile` must be defined. - - It is mutually exclusive with `keySecret`. - type: string - keySecret: - description: |- - keySecret defines the secret containing the TLS private key for the web server. - - Either `cert` or `certFile` must be defined. - - It is mutually exclusive with `keyFile`. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: maxVersion defines the Maximum TLS version that - is acceptable. - type: string - minVersion: - description: minVersion defines the minimum TLS version that - is acceptable. - type: string - preferServerCipherSuites: - description: |- - preferServerCipherSuites defines whether the server selects the client's most preferred cipher - suite, or the server's most preferred cipher suite. - - If true then the server's preference, as expressed in - the order of elements in cipherSuites, is used. - type: boolean - type: object - type: object - type: object - status: - description: |- - status defines the most recent observed status of the Prometheus cluster. Read-only. - More info: - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - availableReplicas: - description: |- - availableReplicas defines the total number of available pods (ready for at least minReadySeconds) - targeted by this Prometheus deployment. - format: int32 - type: integer - conditions: - description: conditions defines the current state of the Prometheus - deployment. - items: - description: |- - Condition represents the state of the resources associated with the - Prometheus, Alertmanager or ThanosRuler resource. - properties: - lastTransitionTime: - description: lastTransitionTime is the time of the last update - to the current status property. - format: date-time - type: string - message: - description: message defines human-readable message indicating - details for the condition's last transition. 
- type: string - observedGeneration: - description: |- - observedGeneration defines the .metadata.generation that the - condition was set based upon. For instance, if `.metadata.generation` is - currently 12, but the `.status.conditions[].observedGeneration` is 9, the - condition is out of date with respect to the current state of the - instance. - format: int64 - type: integer - reason: - description: reason for the condition's last transition. - type: string - status: - description: status of the condition. - minLength: 1 - type: string - type: - description: type of the condition being reported. - minLength: 1 - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - paused: - description: |- - paused defines whether any actions on the underlying managed objects are - being performed. Only delete actions will be performed. - type: boolean - replicas: - description: |- - replicas defines the total number of non-terminated pods targeted by this Prometheus deployment - (their labels match the selector). - format: int32 - type: integer - selector: - description: selector used to match the pods targeted by this Prometheus - resource. - type: string - shardStatuses: - description: shardStatuses defines the list has one entry per shard. - Each entry provides a summary of the shard status. - items: - properties: - availableReplicas: - description: |- - availableReplicas defines the total number of available pods (ready for at least minReadySeconds) - targeted by this shard. - format: int32 - type: integer - replicas: - description: replicas defines the total number of pods targeted - by this shard. - format: int32 - type: integer - shardID: - description: shardID defines the identifier of the shard. - type: string - unavailableReplicas: - description: unavailableReplicas defines the Total number of - unavailable pods targeted by this shard. 
- format: int32 - type: integer - updatedReplicas: - description: |- - updatedReplicas defines the total number of non-terminated pods targeted by this shard - that have the desired spec. - format: int32 - type: integer - required: - - availableReplicas - - replicas - - shardID - - unavailableReplicas - - updatedReplicas - type: object - type: array - x-kubernetes-list-map-keys: - - shardID - x-kubernetes-list-type: map - shards: - description: shards defines the most recently observed number of shards. - format: int32 - type: integer - unavailableReplicas: - description: unavailableReplicas defines the total number of unavailable - pods targeted by this Prometheus deployment. - format: int32 - type: integer - updatedReplicas: - description: |- - updatedReplicas defines the total number of non-terminated pods targeted by this Prometheus deployment - that have the desired version spec. - format: int32 - type: integer - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - scale: - labelSelectorPath: .status.selector - specReplicasPath: .spec.shards - statusReplicasPath: .status.shards - status: {} ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-prometheusrules.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - operator.prometheus.io/version: 0.87.0 - name: prometheusrules.monitoring.coreos.com -spec: - group: monitoring.coreos.com - names: - categories: - - prometheus-operator - kind: PrometheusRule - listKind: PrometheusRuleList - plural: prometheusrules - shortNames: - - promrule - singular: prometheusrule - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - The `PrometheusRule` custom resource definition (CRD) defines [alerting](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) and 
[recording](https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/) rules to be evaluated by `Prometheus` or `ThanosRuler` objects. - - `Prometheus` and `ThanosRuler` objects select `PrometheusRule` objects using label and namespace selectors. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec defines the specification of desired alerting rule definitions - for Prometheus. - properties: - groups: - description: groups defines the content of Prometheus rule file - items: - description: RuleGroup is a list of sequentially evaluated recording - and alerting rules. - properties: - interval: - description: interval defines how often rules in the group are - evaluated. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - labels: - additionalProperties: - type: string - description: |- - labels define the labels to add or overwrite before storing the result for its rules. - The labels defined at the rule level take precedence. - - It requires Prometheus >= 3.0.0. - The field is ignored for Thanos Ruler. - type: object - limit: - description: |- - limit defines the number of alerts an alerting rule and series a recording - rule can produce. 
- Limit is supported starting with Prometheus >= 2.31 and Thanos Ruler >= 0.24. - type: integer - name: - description: name defines the name of the rule group. - minLength: 1 - type: string - partial_response_strategy: - description: |- - partial_response_strategy is only used by ThanosRuler and will - be ignored by Prometheus instances. - More info: https://github.com/thanos-io/thanos/blob/main/docs/components/rule.md#partial-response - pattern: ^(?i)(abort|warn)?$ - type: string - query_offset: - description: |- - query_offset defines the offset the rule evaluation timestamp of this particular group by the specified duration into the past. - - It requires Prometheus >= v2.53.0. - It is not supported for ThanosRuler. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - rules: - description: rules defines the list of alerting and recording - rules. - items: - description: |- - Rule describes an alerting or recording rule - See Prometheus documentation: [alerting](https://www.prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) or [recording](https://www.prometheus.io/docs/prometheus/latest/configuration/recording_rules/#recording-rules) rule - properties: - alert: - description: |- - alert defines the name of the alert. Must be a valid label value. - Only one of `record` and `alert` must be set. - type: string - annotations: - additionalProperties: - type: string - description: |- - annotations defines annotations to add to each alert. - Only valid for alerting rules. - type: object - expr: - anyOf: - - type: integer - - type: string - description: expr defines the PromQL expression to evaluate. - x-kubernetes-int-or-string: true - for: - description: for defines how alerts are considered firing - once they have been returned for this long. 
- pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - keep_firing_for: - description: keep_firing_for defines how long an alert - will continue firing after the condition that triggered - it has cleared. - minLength: 1 - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - labels: - additionalProperties: - type: string - description: labels defines labels to add or overwrite. - type: object - record: - description: |- - record defines the name of the time series to output to. Must be a valid metric name. - Only one of `record` and `alert` must be set. - type: string - required: - - expr - type: object - type: array - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - status: - description: |- - status defines the status subresource. It is under active development and is updated only when the - "StatusForConfigurationResources" feature gate is enabled. - - Most recent observed status of the PrometheusRule. Read-only. - More info: - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - bindings: - description: bindings defines the list of workload resources (Prometheus, - PrometheusAgent, ThanosRuler or Alertmanager) which select the configuration - resource. - items: - description: WorkloadBinding is a link between a configuration resource - and a workload resource. - properties: - conditions: - description: conditions defines the current state of the configuration - resource when bound to the referenced Workload object. - items: - description: ConfigResourceCondition describes the status - of configuration resources linked to Prometheus, PrometheusAgent, - Alertmanager or ThanosRuler. 
- properties: - lastTransitionTime: - description: lastTransitionTime defines the time of the - last update to the current status property. - format: date-time - type: string - message: - description: message defines the human-readable message - indicating details for the condition's last transition. - type: string - observedGeneration: - description: |- - observedGeneration defines the .metadata.generation that the - condition was set based upon. For instance, if `.metadata.generation` is - currently 12, but the `.status.conditions[].observedGeneration` is 9, the - condition is out of date with respect to the current state of the object. - format: int64 - type: integer - reason: - description: reason for the condition's last transition. - type: string - status: - description: status of the condition. - minLength: 1 - type: string - type: - description: |- - type of the condition being reported. - Currently, only "Accepted" is supported. - enum: - - Accepted - minLength: 1 - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - group: - description: group defines the group of the referenced resource. - enum: - - monitoring.coreos.com - type: string - name: - description: name defines the name of the referenced object. - minLength: 1 - type: string - namespace: - description: namespace defines the namespace of the referenced - object. - minLength: 1 - type: string - resource: - description: resource defines the type of resource being referenced - (e.g. Prometheus, PrometheusAgent, ThanosRuler or Alertmanager). 
- enum: - - prometheuses - - prometheusagents - - thanosrulers - - alertmanagers - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - name - - namespace - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-scrapeconfigs.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - operator.prometheus.io/version: 0.87.0 - name: scrapeconfigs.monitoring.coreos.com -spec: - group: monitoring.coreos.com - names: - categories: - - prometheus-operator - kind: ScrapeConfig - listKind: ScrapeConfigList - plural: scrapeconfigs - shortNames: - - scfg - singular: scrapeconfig - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ScrapeConfig defines a namespaced Prometheus scrape_config to be aggregated across - multiple namespaces into the Prometheus configuration. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec defines the specification of ScrapeConfigSpec. 
- properties: - authorization: - description: authorization defines the header to use on every scrape - request. - properties: - credentials: - description: credentials defines a key of a Secret in the namespace - that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - azureSDConfigs: - description: azureSDConfigs defines a list of Azure service discovery - configurations. - items: - description: |- - AzureSDConfig allow retrieving scrape targets from Azure VMs. - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#azure_sd_config - properties: - authenticationMethod: - description: |- - authenticationMethod defines the authentication method, either `OAuth` or `ManagedIdentity` or `SDK`. - See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview - SDK authentication method uses environment variables by default. 
- See https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication - enum: - - OAuth - - ManagedIdentity - - SDK - type: string - authorization: - description: |- - authorization defines the authorization header configuration to authenticate against the target HTTP endpoint. - Cannot be set at the same time as `oAuth2`, or `basicAuth`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the information to authenticate against the target HTTP endpoint. - More info: https://prometheus.io/docs/operating/configuration/#endpoints - Cannot be set at the same time as `authorization`, or `oAuth2`. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientID: - description: clientID defines client ID. Only required with - the OAuth authentication method. - minLength: 1 - type: string - clientSecret: - description: clientSecret defines client secret. Only required - with the OAuth authentication method. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - environment: - description: environment defines the Azure environment. - minLength: 1 - type: string - followRedirects: - description: followRedirects defines whether HTTP requests follow - HTTP 3xx redirects. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: oauth2 defines the configuration to use on every - scrape request. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. 
Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. 
Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. 
- properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. 
- enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - port: - description: |- - port defines the port to scrape metrics from. If using the public IP address, this must - instead be specified in the relabeling rule. - format: int32 - maximum: 65535 - minimum: 0 - type: integer - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. 
- pattern: ^(http|https|socks5)://.+$ - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - resourceGroup: - description: |- - resourceGroup defines resource group name. Limits discovery to this resource group. - Requires Prometheus v2.35.0 and above - minLength: 1 - type: string - subscriptionID: - description: subscriptionID defines subscription ID. Always - required. - minLength: 1 - type: string - tenantID: - description: tenantID defines tenant ID. Only required with - the OAuth authentication method. - minLength: 1 - type: string - tlsConfig: - description: tlsConfig defies the TLS configuration applying - to the target HTTP endpoint. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - required: - - subscriptionID - type: object - type: array - basicAuth: - description: basicAuth defines information to use on every scrape - request. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. 
- properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - consulSDConfigs: - description: consulSDConfigs defines a list of Consul service discovery - configurations. - items: - description: |- - ConsulSDConfig defines a Consul service discovery configuration - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#consul_sd_config - properties: - allowStale: - description: |- - allowStale Consul results (see https://www.consul.io/api/features/consistency.html). Will reduce load on Consul. - If unset, Prometheus uses its default value. 
- type: boolean - authorization: - description: |- - authorization defines the header configuration to authenticate against the Consul Server. - Cannot be set at the same time as `basicAuth`, or `oauth2`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the information to authenticate against the Consul Server. - More info: https://prometheus.io/docs/operating/configuration/#endpoints - Cannot be set at the same time as `authorization`, or `oauth2`. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - datacenter: - description: datacenter defines the consul Datacenter name, - if not provided it will use the local Consul Agent Datacenter. - minLength: 1 - type: string - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - filter: - description: |- - filter defines the filter expression used to filter the catalog results. - See https://www.consul.io/api-docs/catalog#list-services - It requires Prometheus >= 3.0.0. - minLength: 1 - type: string - followRedirects: - description: followRedirects defines whether HTTP requests follow - HTTP 3xx redirects. - type: boolean - namespace: - description: |- - namespace are only supported in Consul Enterprise. - - It requires Prometheus >= 2.28.0. - minLength: 1 - type: string - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. 
IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - nodeMeta: - additionalProperties: - type: string - description: |- - nodeMeta defines the node metadata key/value pairs to filter nodes for a given service. - Starting with Consul 1.14, it is recommended to use `filter` with the `NodeMeta` selector instead. - type: object - x-kubernetes-map-type: atomic - oauth2: - description: |- - oauth2 defines the optional OAuth 2.0 configuration to authenticate against the target HTTP endpoint. - Cannot be set at the same time as `authorization`, or `basicAuth`. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. 
Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. 
- type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - partition: - description: partition defines the admin Partitions are only - supported in Consul Enterprise. - minLength: 1 - type: string - pathPrefix: - description: |- - pathPrefix defines the prefix for URIs for when consul is behind an API gateway (reverse proxy). - - It requires Prometheus >= 2.45.0. - minLength: 1 - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. 
- pattern: ^(http|https|socks5)://.+$ - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - scheme: - description: scheme defines the HTTP Scheme. - enum: - - http - - https - - HTTP - - HTTPS - type: string - server: - description: server defines the consul server address. A valid - string consisting of a hostname or IP followed by an optional - port number. - minLength: 1 - type: string - services: - description: services defines a list of services for which targets - are retrieved. If omitted, all services are scraped. - items: - type: string - type: array - x-kubernetes-list-type: set - tagSeparator: - description: |- - tagSeparator defines the string by which Consul tags are joined into the tag label. - If unset, Prometheus uses its default value. - minLength: 1 - type: string - tags: - description: |- - tags defines an optional list of tags used to filter nodes for a given service. Services must contain all tags in the list. - Starting with Consul 1.14, it is recommended to use `filter` with the `ServiceTags` selector instead. - items: - type: string - type: array - x-kubernetes-list-type: set - tlsConfig: - description: tlsConfig defines the TLS configuration to connect - to the Consul API. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. 
- properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. 
- enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - tokenRef: - description: tokenRef defines the consul ACL TokenRef, if not - provided it will use the ACL from the local Consul Agent. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - server - type: object - type: array - convertClassicHistogramsToNHCB: - description: |- - convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native histogram with custom buckets. - It requires Prometheus >= v3.0.0. - type: boolean - digitalOceanSDConfigs: - description: digitalOceanSDConfigs defines a list of DigitalOcean - service discovery configurations. - items: - description: |- - DigitalOceanSDConfig allow retrieving scrape targets from DigitalOcean's Droplets API. - This service discovery uses the public IPv4 address by default, by that can be changed with relabeling - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#digitalocean_sd_config - properties: - authorization: - description: |- - authorization defines the header configuration to authenticate against the DigitalOcean API. - Cannot be set at the same time as `oauth2`. 
- properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - followRedirects: - description: followRedirects defines whether HTTP requests follow - HTTP 3xx redirects. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: oauth2 defines the configuration to use on every - scrape request. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). 
- - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. 
- type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - port: - description: port defines the port to scrape metrics from. If - using the public IP address, this must - format: int32 - maximum: 65535 - minimum: 0 - type: integer - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - tlsConfig: - description: tlsConfig defines the TLS configuration to connect - to the Consul API. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. 
- properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. 
- enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - type: object - type: array - dnsSDConfigs: - description: dnsSDConfigs defines a list of DNS service discovery - configurations. - items: - description: |- - DNSSDConfig allows specifying a set of DNS domain names which are periodically queried to discover a list of targets. - The DNS servers to be contacted are read from /etc/resolv.conf. - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#dns_sd_config - properties: - names: - description: names defines a list of DNS domain names to be - queried. - items: - minLength: 1 - type: string - minItems: 1 - type: array - port: - description: |- - port defines the port to scrape metrics from. If using the public IP address, this must - Ignored for SRV records - format: int32 - maximum: 65535 - minimum: 0 - type: integer - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - type: - description: |- - type defines the type of DNS query to perform. One of SRV, A, AAAA, MX or NS. - If not set, Prometheus uses its default value. - - When set to NS, it requires Prometheus >= v2.49.0. - When set to MX, it requires Prometheus >= v2.38.0 - enum: - - A - - AAAA - - MX - - NS - - SRV - type: string - required: - - names - type: object - type: array - dockerSDConfigs: - description: dockerSDConfigs defines a list of Docker service discovery - configurations. - items: - description: |- - Docker SD configurations allow retrieving scrape targets from Docker Engine hosts. - This SD discovers "containers" and will create a target for each network IP and - port the container is configured to expose. 
- See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#docker_sd_config - properties: - authorization: - description: |- - authorization defines the header configuration to authenticate against the DigitalOcean API. - Cannot be set at the same time as `oauth2`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: basicAuth defines information to use on every scrape - request. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - filters: - description: filters defines filters to limit the discovery - process to a subset of the available resources. - items: - description: Filter name and value pairs to limit the discovery - process to a subset of available resources. - properties: - name: - description: name of the Filter. - type: string - values: - description: values defines values to filter on. - items: - minLength: 1 - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - required: - - name - - values - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - followRedirects: - description: followRedirects defines whether HTTP requests follow - HTTP 3xx redirects. 
- type: boolean - host: - description: host defines the address of the docker daemon - minLength: 1 - type: string - hostNetworkingHost: - description: hostNetworkingHost defines the host to use if the - container is in host networking mode. - minLength: 1 - type: string - matchFirstNetwork: - description: |- - matchFirstNetwork defines whether to match the first network if the container has multiple networks defined. - If unset, Prometheus uses true by default. - It requires Prometheus >= v2.54.1. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: oauth2 defines the configuration to use on every - scrape request. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. 
- properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. 
- enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - port: - description: port defines the port to scrape metrics from. If - using the public IP address, this must - format: int32 - maximum: 65535 - minimum: 0 - type: integer - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. 
- pattern: ^(http|https|socks5)://.+$ - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - tlsConfig: - description: tlsConfig defines the TLS configuration to connect - to the Consul API. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. 
- type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - required: - - host - type: object - type: array - dockerSwarmSDConfigs: - description: dockerSwarmSDConfigs defines a list of Dockerswarm service - discovery configurations. - items: - description: |- - DockerSwarmSDConfig configurations allow retrieving scrape targets from Docker Swarm engine. - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#dockerswarm_sd_config - properties: - authorization: - description: |- - authorization defines the header configuration to authenticate against the DigitalOcean API. - Cannot be set at the same time as `oauth2`. 
- properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: basicAuth defines information to use on every scrape - request. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. 
- properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - filters: - description: |- - filters defines the filters to limit the discovery process to a subset of available - resources. - The available filters are listed in the upstream documentation: - Services: https://docs.docker.com/engine/api/v1.40/#operation/ServiceList - Tasks: https://docs.docker.com/engine/api/v1.40/#operation/TaskList - Nodes: https://docs.docker.com/engine/api/v1.40/#operation/NodeList - items: - description: Filter name and value pairs to limit the discovery - process to a subset of available resources. - properties: - name: - description: name of the Filter. - type: string - values: - description: values defines values to filter on. - items: - minLength: 1 - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - required: - - name - - values - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - followRedirects: - description: followRedirects defines whether HTTP requests follow - HTTP 3xx redirects. 
- type: boolean - host: - description: host defines the address of the Docker daemon - pattern: ^[a-zA-Z][a-zA-Z0-9+.-]*://.+$ - type: string - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the optional OAuth 2.0 configuration to authenticate against the target HTTP endpoint. - Cannot be set at the same time as `authorization`, or `basicAuth`. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. 
Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. 
- type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - port: - description: |- - port defines the port to scrape metrics from. If using the public IP address, this must - tasks and services that don't have published ports. - format: int32 - maximum: 65535 - minimum: 0 - type: integer - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. 
- If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - role: - description: role of the targets to retrieve. Must be `Services`, - `Tasks`, or `Nodes`. - enum: - - Services - - Tasks - - Nodes - type: string - tlsConfig: - description: tlsConfig defines the TLS configuration to connect - to the Consul API. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. 
- type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - required: - - host - - role - type: object - type: array - ec2SDConfigs: - description: ec2SDConfigs defines a list of EC2 service discovery - configurations. - items: - description: |- - EC2SDConfig allow retrieving scrape targets from AWS EC2 instances. - The private IP address is used by default, but may be changed to the public IP address with relabeling. - The IAM credentials used must have the ec2:DescribeInstances permission to discover scrape targets - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#ec2_sd_config - - The EC2 service discovery requires AWS API keys or role ARN for authentication. 
- BasicAuth, Authorization and OAuth2 fields are not present on purpose. - properties: - accessKey: - description: accessKey defines the AWS API key. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHTTP2: - description: |- - enableHTTP2 defines whether to enable HTTP2. - It requires Prometheus >= v2.41.0 - type: boolean - filters: - description: |- - filters can be used optionally to filter the instance list by other criteria. - Available filter criteria can be found here: - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html - Filter API documentation: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Filter.html - It requires Prometheus >= v2.3.0 - items: - description: Filter name and value pairs to limit the discovery - process to a subset of available resources. - properties: - name: - description: name of the Filter. - type: string - values: - description: values defines values to filter on. - items: - minLength: 1 - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - required: - - name - - values - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - followRedirects: - description: |- - followRedirects defines whether HTTP requests follow HTTP 3xx redirects. 
- It requires Prometheus >= v2.41.0 - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - port: - description: |- - port defines the port to scrape metrics from. If using the public IP address, this must - instead be specified in the relabeling rule. - format: int32 - maximum: 65535 - minimum: 0 - type: integer - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. 
- pattern: ^(http|https|socks5)://.+$ - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - region: - description: region defines the AWS region. - minLength: 1 - type: string - roleARN: - description: roleARN defines an alternative to using AWS API - keys. - minLength: 1 - type: string - secretKey: - description: secretKey defines the AWS API secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to connect to the Consul API. - It requires Prometheus >= v2.41.0 - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. 
Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. 
- type: string - type: object - type: object - type: array - enableCompression: - description: |- - enableCompression when false, Prometheus will request uncompressed response from the scraped target. - - It requires Prometheus >= v2.49.0. - - If unset, Prometheus uses true by default. - type: boolean - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - eurekaSDConfigs: - description: eurekaSDConfigs defines a list of Eureka service discovery - configurations. - items: - description: |- - Eureka SD configurations allow retrieving scrape targets using the Eureka REST API. - Prometheus will periodically check the REST endpoint and create a target for every app instance. - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#eureka_sd_config - properties: - authorization: - description: |- - authorization defines the header configuration to authenticate against the DigitalOcean API. - Cannot be set at the same time as `oauth2`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. 
- - Default: "Bearer" - type: string - type: object - basicAuth: - description: basicAuth defines the BasicAuth information to - use on every scrape request. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - followRedirects: - description: followRedirects defines whether HTTP requests follow - HTTP 3xx redirects. 
- type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: oauth2 defines the configuration to use on every - scrape request. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. 
Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. 
- type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - server: - description: server defines the URL to connect to the Eureka - server. 
- minLength: 1 - pattern: ^http(s)?://.+$ - type: string - tlsConfig: - description: tlsConfig defines the TLS configuration to connect - to the Consul API. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - required: - - server - type: object - type: array - fallbackScrapeProtocol: - description: |- - fallbackScrapeProtocol defines the protocol to use if a scrape returns blank, unparseable, or otherwise invalid Content-Type. - - It requires Prometheus >= v3.0.0. - enum: - - PrometheusProto - - OpenMetricsText0.0.1 - - OpenMetricsText1.0.0 - - PrometheusText0.0.4 - - PrometheusText1.0.0 - type: string - fileSDConfigs: - description: fileSDConfigs defines a list of file service discovery - configurations. - items: - description: |- - FileSDConfig defines a Prometheus file service discovery configuration - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#file_sd_config - properties: - files: - description: |- - files defines the list of files to be used for file discovery. Recommendation: use absolute paths. While relative paths work, the - prometheus-operator project makes no guarantees about the working directory where the configuration file is - stored. - Files must be mounted using Prometheus.ConfigMaps or Prometheus.Secrets. 
- items: - description: SDFile represents a file used for service discovery - pattern: ^[^*]*(\*[^/]*)?\.(json|yml|yaml|JSON|YML|YAML)$ - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - required: - - files - type: object - type: array - gceSDConfigs: - description: gceSDConfigs defines a list of GCE service discovery - configurations. - items: - description: |- - GCESDConfig configures scrape targets from GCP GCE instances. - The private IP address is used by default, but may be changed to - the public IP address with relabeling. - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#gce_sd_config - - The GCE service discovery will load the Google Cloud credentials - from the file specified by the GOOGLE_APPLICATION_CREDENTIALS environment variable. - See https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform - - A pre-requisite for using GCESDConfig is that a Secret containing valid - Google Cloud credentials is mounted into the Prometheus or PrometheusAgent - pod via the `.spec.secrets` field and that the GOOGLE_APPLICATION_CREDENTIALS - environment variable is set to /etc/prometheus/secrets//. - properties: - filter: - description: |- - filter defines the filter that can be used optionally to filter the instance list by other criteria - Syntax of this filter is described in the filter query parameter section: - https://cloud.google.com/compute/docs/reference/latest/instances/list - minLength: 1 - type: string - port: - description: |- - port defines the port to scrape metrics from. If using the public IP address, this must - instead be specified in the relabeling rule. 
- format: int32 - maximum: 65535 - minimum: 0 - type: integer - project: - description: project defines the Google Cloud Project ID - minLength: 1 - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - tagSeparator: - description: tagSeparator defines the tag separator is used - to separate the tags on concatenation - minLength: 1 - type: string - zone: - description: zone defines the zone of the scrape targets. If - you need multiple zones use multiple GCESDConfigs. - minLength: 1 - type: string - required: - - project - - zone - type: object - type: array - hetznerSDConfigs: - description: hetznerSDConfigs defines a list of Hetzner service discovery - configurations. - items: - description: |- - HetznerSDConfig allow retrieving scrape targets from Hetzner Cloud API and Robot API. - This service discovery uses the public IPv4 address by default, but that can be changed with relabeling - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#hetzner_sd_config - properties: - authorization: - description: |- - authorization defines the header configuration to authenticate against the DigitalOcean API. - Cannot be set at the same time as `oauth2`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: basicAuth defines information to use on every scrape - request. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - followRedirects: - description: followRedirects defines whether HTTP requests follow - HTTP 3xx redirects. - type: boolean - labelSelector: - description: |- - labelSelector defines the label selector used to filter the servers when fetching them from the API. - It requires Prometheus >= v3.5.0. - minLength: 1 - type: string - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: oauth2 defines the configuration to use on every - scrape request. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. 
- type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. 
- It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - port: - description: port defines the port to scrape metrics from. If - using the public IP address, this must - format: int32 - maximum: 65535 - minimum: 0 - type: integer - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - role: - description: role defines the Hetzner role of entities that - should be discovered. - enum: - - hcloud - - Hcloud - - robot - - Robot - type: string - tlsConfig: - description: tlsConfig defines the TLS configuration to connect - to the Consul API. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. 
- properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. 
- enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - required: - - role - type: object - type: array - honorLabels: - description: |- - honorLabels defines when true the metric's labels when they collide - with the target's labels. - type: boolean - honorTimestamps: - description: |- - honorTimestamps defines whether Prometheus preserves the timestamps - when exposed by the target. - type: boolean - httpSDConfigs: - description: httpSDConfigs defines a list of HTTP service discovery - configurations. - items: - description: |- - HTTPSDConfig defines a prometheus HTTP service discovery configuration - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#http_sd_config - properties: - authorization: - description: |- - authorization defines the authorization header configuration to authenticate against the target HTTP endpoint. - Cannot be set at the same time as `oAuth2`, or `basicAuth`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. 
- - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines information to use on every scrape request. - More info: https://prometheus.io/docs/operating/configuration/#endpoints - Cannot be set at the same time as `authorization`, or `oAuth2`. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. 
- type: boolean - followRedirects: - description: followRedirects defines whether HTTP requests follow - HTTP 3xx redirects. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the optional OAuth 2.0 configuration to authenticate against the target HTTP endpoint. - Cannot be set at the same time as `authorization`, or `basicAuth`. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. 
Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. 
- type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. 
- pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - tlsConfig: - description: tlsConfig defines the TLS configuration applying - to the target HTTP endpoint. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. 
- properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - url: - description: url defines the URL from which the targets are - fetched. - minLength: 1 - pattern: ^http(s)?://.+$ - type: string - required: - - url - type: object - type: array - ionosSDConfigs: - description: ionosSDConfigs defines a list of IONOS service discovery - configurations. - items: - description: |- - IonosSDConfig configurations allow retrieving scrape targets from IONOS resources. - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#ionos_sd_config - properties: - authorization: - description: |- - authorization defines the header configuration to authenticate against the IONOS. - Cannot be set at the same time as `oauth2`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - datacenterID: - description: datacenterID defines the unique ID of the IONOS - data center. - minLength: 1 - type: string - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - followRedirects: - description: followRedirects defines whether HTTP requests follow - HTTP 3xx redirects. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: oauth2 defines the configuration to use on every - scrape request. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. 
- type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. 
- It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - port: - description: port defines the port to scrape metrics from. If - using the public IP address, this must - format: int32 - maximum: 65535 - minimum: 0 - type: integer - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - tlsConfig: - description: tlsConfig defines the TLS configuration to connect - to the Consul API. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. 
Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. 
- type: string - type: object - required: - - authorization - - datacenterID - type: object - type: array - jobName: - description: |- - jobName defines the value of the `job` label assigned to the scraped metrics by default. - - The `job_name` field in the rendered scrape configuration is always controlled by the - operator to prevent duplicate job names, which Prometheus does not allow. Instead the - `job` label is set by means of relabeling configs. - minLength: 1 - type: string - keepDroppedTargets: - description: |- - keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling - that will be kept in memory. 0 means no limit. - - It requires Prometheus >= v2.47.0. - format: int64 - type: integer - kubernetesSDConfigs: - description: kubernetesSDConfigs defines a list of Kubernetes service - discovery configurations. - items: - description: |- - KubernetesSDConfig allows retrieving scrape targets from Kubernetes' REST API. - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kubernetes_sd_config - properties: - apiServer: - description: |- - apiServer defines the API server address consisting of a hostname or IP address followed - by an optional port number. - If left empty, Prometheus is assumed to run inside - of the cluster. It will discover API servers automatically and use the pod's - CA certificate and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/. - minLength: 1 - type: string - attachMetadata: - description: |- - attachMetadata defines the metadata to attach to discovered targets. - It requires Prometheus >= v2.35.0 when using the `Pod` role and - Prometheus >= v2.37.0 for `Endpoints` and `Endpointslice` roles. - properties: - node: - description: |- - node attaches node metadata to discovered targets. - When set to true, Prometheus must have the `get` permission on the - `Nodes` objects. - Only valid for Pod, Endpoint and Endpointslice roles. 
- type: boolean - type: object - authorization: - description: |- - authorization defines the authorization header to use on every scrape request. - Cannot be set at the same time as `basicAuth`, or `oauth2`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines information to use on every scrape request. - Cannot be set at the same time as `authorization`, or `oauth2`. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - followRedirects: - description: followRedirects defines whether HTTP requests follow - HTTP 3xx redirects. - type: boolean - namespaces: - description: namespaces defines the namespace discovery. If - omitted, Prometheus discovers targets across all namespaces. - properties: - names: - description: |- - names defines a list of namespaces where to watch for resources. - If empty and `ownNamespace` isn't true, Prometheus watches for resources in all namespaces. - items: - type: string - type: array - x-kubernetes-list-type: set - ownNamespace: - description: ownNamespace includes the namespace in which - the Prometheus pod runs to the list of watched namespaces. - type: boolean - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. 
IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the optional OAuth 2.0 configuration to authenticate against the target HTTP endpoint. - Cannot be set at the same time as `authorization`, or `basicAuth`. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. 
Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. 
- type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - role: - description: |- - role defines the Kubernetes role of the entities that should be discovered. - Role `Endpointslice` requires Prometheus >= v2.21.0 - enum: - - Pod - - Endpoints - - Ingress - - Service - - Node - - EndpointSlice - type: string - selectors: - description: |- - selectors defines the selector to select objects. 
- It requires Prometheus >= v2.17.0 - items: - description: K8SSelectorConfig is Kubernetes Selector Config - properties: - field: - description: |- - field defines an optional field selector to limit the service discovery to resources which have fields with specific values. - e.g: `metadata.name=foobar` - minLength: 1 - type: string - label: - description: |- - label defines an optional label selector to limit the service discovery to resources with specific labels and label values. - e.g: `node.kubernetes.io/instance-type=master` - minLength: 1 - type: string - role: - description: |- - role defines the type of Kubernetes resource to limit the service discovery to. - Accepted values are: Node, Pod, Endpoints, EndpointSlice, Service, Ingress. - enum: - - Pod - - Endpoints - - Ingress - - Service - - Node - - EndpointSlice - type: string - required: - - role - type: object - type: array - x-kubernetes-list-map-keys: - - role - x-kubernetes-list-type: map - tlsConfig: - description: tlsConfig defines the TLS configuration to connect - to the Kubernetes API. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. 
- properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - required: - - role - type: object - type: array - kumaSDConfigs: - description: kumaSDConfigs defines a list of Kuma service discovery - configurations. - items: - description: |- - KumaSDConfig allow retrieving scrape targets from Kuma's control plane. 
- See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kuma_sd_config - properties: - authorization: - description: |- - authorization defines the header configuration to authenticate against the DigitalOcean API. - Cannot be set at the same time as `oauth2`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: basicAuth defines information to use on every scrape - request. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientID: - description: |- - clientID is used by Kuma Control Plane to compute Monitoring Assignment for specific Prometheus backend. - It requires Prometheus >= v2.50.0. - minLength: 1 - type: string - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - fetchTimeout: - description: fetchTimeout defines the time after which the monitoring - assignments are refreshed. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - followRedirects: - description: followRedirects defines whether HTTP requests follow - HTTP 3xx redirects. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: string - oauth2: - description: oauth2 defines the configuration to use on every - scrape request. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. 
- properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - server: - description: server defines the address of the Kuma Control - Plane's MADS xDS server. - pattern: ^https?://.+$ - type: string - tlsConfig: - description: tlsConfig defines the TLS configuration to connect - to the Consul API. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. 
- properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. 
- - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - required: - - server - type: object - type: array - labelLimit: - description: |- - labelLimit defines the per-scrape limit on number of labels that will be accepted for a sample. - Only valid in Prometheus versions 2.27.0 and newer. - format: int64 - type: integer - labelNameLengthLimit: - description: |- - labelNameLengthLimit defines the per-scrape limit on length of labels name that will be accepted for a sample. - Only valid in Prometheus versions 2.27.0 and newer. - format: int64 - type: integer - labelValueLengthLimit: - description: |- - labelValueLengthLimit defines the per-scrape limit on length of labels value that will be accepted for a sample. - Only valid in Prometheus versions 2.27.0 and newer. - format: int64 - type: integer - lightSailSDConfigs: - description: lightSailSDConfigs defines a list of Lightsail service - discovery configurations. - items: - description: |- - LightSailSDConfig configurations allow retrieving scrape targets from AWS Lightsail instances. - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#lightsail_sd_config - properties: - accessKey: - description: accessKey defines the AWS API key. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - authorization: - description: |- - authorization defines the header configuration to authenticate against the DigitalOcean API. - Cannot be set at the same time as `oauth2`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines information to use on every scrape request. - Cannot be set at the same time as `authorization`, or `oauth2`. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - endpoint: - description: endpoint defines the custom endpoint to be used. - minLength: 1 - type: string - followRedirects: - description: followRedirects defines whether HTTP requests follow - HTTP 3xx redirects. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the optional OAuth 2.0 configuration to authenticate against the target HTTP endpoint. - Cannot be set at the same time as `authorization`, or `basicAuth`. 
- properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - port: - description: port defines the port to scrape metrics from. 
If - using the public IP address, this must - format: int32 - maximum: 65535 - minimum: 0 - type: integer - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - region: - description: region defines the AWS region. - minLength: 1 - type: string - roleARN: - description: roleARN defines the AWS Role ARN, an alternative - to using AWS API keys. 
- type: string - secretKey: - description: secretKey defines the AWS API secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - tlsConfig: - description: tlsConfig defines the TLS configuration to connect - to the Consul API. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - type: object - type: array - linodeSDConfigs: - description: linodeSDConfigs defines a list of Linode service discovery - configurations. - items: - description: |- - LinodeSDConfig configurations allow retrieving scrape targets from Linode's Linode APIv4. 
- See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#linode_sd_config - properties: - authorization: - description: |- - authorization defines the header configuration to authenticate against the DigitalOcean API. - Cannot be set at the same time as `oauth2`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - followRedirects: - description: followRedirects defines whether HTTP requests follow - HTTP 3xx redirects. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the optional OAuth 2.0 configuration to authenticate against the target HTTP endpoint. - Cannot be set at the same time as `authorization`, or `basicAuth`. 
- properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - port: - description: port defines the port to scrape metrics from. 
If - using the public IP address, this must - format: int32 - maximum: 65535 - minimum: 0 - type: integer - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - region: - description: region defines the region to filter on. 
- minLength: 1 - type: string - tagSeparator: - description: tagSeparator defines the string by which Linode - Instance tags are joined into the tag label.el. - minLength: 1 - type: string - tlsConfig: - description: tlsConfig defines the TLS configuration to connect - to the Consul API. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. 
- properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - type: object - type: array - metricRelabelings: - description: metricRelabelings defines the metricRelabelings to apply - to samples before ingestion. - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. 
- - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against which - the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - minItems: 1 - type: array - metricsPath: - description: metricsPath defines the HTTP path to scrape for metrics. - If empty, Prometheus uses the default value (e.g. /metrics). - minLength: 1 - type: string - nameEscapingScheme: - description: |- - nameEscapingScheme defines the metric name escaping mode to request through content negotiation. - - It requires Prometheus >= v3.4.0. - enum: - - AllowUTF8 - - Underscores - - Dots - - Values - type: string - nameValidationScheme: - description: |- - nameValidationScheme defines the validation scheme for metric and label names. - - It requires Prometheus >= v3.0.0. 
- enum: - - UTF8 - - Legacy - type: string - nativeHistogramBucketLimit: - description: |- - nativeHistogramBucketLimit defines ff there are more than this many buckets in a native histogram, - buckets will be merged to stay within the limit. - It requires Prometheus >= v2.45.0. - format: int64 - type: integer - nativeHistogramMinBucketFactor: - anyOf: - - type: integer - - type: string - description: |- - nativeHistogramMinBucketFactor defines if the growth factor of one bucket to the next is smaller than this, - buckets will be merged to increase the factor sufficiently. - It requires Prometheus >= v2.50.0. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - nomadSDConfigs: - description: nomadSDConfigs defines a list of Nomad service discovery - configurations. - items: - description: |- - NomadSDConfig configurations allow retrieving scrape targets from Nomad's Service API. - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#nomad_sd_config - properties: - allowStale: - description: |- - allowStale defines the information to access the Nomad API. It is to be defined - as the Nomad documentation requires. - type: boolean - authorization: - description: |- - authorization defines the header configuration to authenticate against the DigitalOcean API. - Cannot be set at the same time as `oauth2`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. 
Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: basicAuth defines information to use on every scrape - request. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - followRedirects: - description: followRedirects defines whether HTTP requests follow - HTTP 3xx redirects. - type: boolean - namespace: - description: |- - namespace defines the Nomad namespace to query for service discovery. - When specified, only resources within this namespace will be discovered. - type: string - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: oauth2 defines the configuration to use on every - scrape request. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. 
- type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. 
- It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - region: - description: |- - region defines the Nomad region to query for service discovery. - When specified, only resources within this region will be discovered. - type: string - server: - description: |- - server defines the Nomad server address to connect to for service discovery. - This should be the full URL including protocol (e.g., "https://nomad.example.com:4646"). - minLength: 1 - type: string - tagSeparator: - description: |- - tagSeparator defines the separator used to join multiple tags. - This determines how Nomad service tags are concatenated into Prometheus labels. - type: string - tlsConfig: - description: tlsConfig defines the TLS configuration to connect - to the Consul API. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. 
Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. 
- type: string - type: object - required: - - server - type: object - type: array - oauth2: - description: oauth2 defines the configuration to use on every scrape - request. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing data - to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data to - use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the token - request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the client - key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - openstackSDConfigs: - description: openstackSDConfigs defines a list of OpenStack service - discovery configurations. 
- items: - description: |- - OpenStackSDConfig allow retrieving scrape targets from OpenStack Nova instances. - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#openstack_sd_config - properties: - allTenants: - description: |- - allTenants defines whether the service discovery should list all instances for all projects. - It is only relevant for the 'instance' role and usually requires admin permissions. - type: boolean - applicationCredentialId: - description: applicationCredentialId defines the OpenStack applicationCredentialId. - type: string - applicationCredentialName: - description: |- - applicationCredentialName defines the ApplicationCredentialID or ApplicationCredentialName fields are - required if using an application credential to authenticate. Some providers - allow you to create an application credential to authenticate rather than a - password. - minLength: 1 - type: string - applicationCredentialSecret: - description: |- - applicationCredentialSecret defines the required field if using an application - credential to authenticate. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - availability: - description: availability defines the availability of the endpoint - to connect to. - enum: - - Public - - public - - Admin - - admin - - Internal - - internal - type: string - domainID: - description: domainID defines The OpenStack domainID. 
- minLength: 1 - type: string - domainName: - description: |- - domainName defines at most one of domainId and domainName that must be provided if using username - with Identity V3. Otherwise, either are optional. - minLength: 1 - type: string - identityEndpoint: - description: |- - identityEndpoint defines the HTTP endpoint that is required to work with - the Identity API of the appropriate version. - pattern: ^http(s)?:\/\/.+$ - type: string - password: - description: |- - password defines the password for the Identity V2 and V3 APIs. Consult with your provider's - control panel to discover your account's preferred method of authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - port: - description: |- - port defines the port to scrape metrics from. If using the public IP address, this must - instead be specified in the relabeling rule. - format: int32 - maximum: 65535 - minimum: 0 - type: integer - projectID: - description: projectID defines the OpenStack projectID. - minLength: 1 - type: string - projectName: - description: |- - projectName defines an optional field for the Identity V2 API. - Some providers allow you to specify a ProjectName instead of the ProjectId. - Some require both. Your provider's authentication policies will determine - how these fields influence authentication. 
- minLength: 1 - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - region: - description: region defines the OpenStack Region. - minLength: 1 - type: string - role: - description: |- - role defines the OpenStack role of entities that should be discovered. - - Note: The `LoadBalancer` role requires Prometheus >= v3.2.0. - enum: - - Instance - - Hypervisor - - LoadBalancer - type: string - tlsConfig: - description: tlsConfig defines the TLS configuration applying - to the target HTTP endpoint. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - userid: - description: userid defines the OpenStack userid. - minLength: 1 - type: string - username: - description: |- - username defines the username required if using Identity V2 API. Consult with your provider's - control panel to discover your account's username. 
- In Identity V3, either userid or a combination of username - and domainId or domainName are needed - minLength: 1 - type: string - required: - - region - - role - type: object - type: array - ovhcloudSDConfigs: - description: ovhcloudSDConfigs defines a list of OVHcloud service - discovery configurations. - items: - description: |- - OVHCloudSDConfig configurations allow retrieving scrape targets from OVHcloud's dedicated servers and VPS using their API. - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#ovhcloud_sd_config - properties: - applicationKey: - description: |- - applicationKey defines the access key to use for OVHCloud API authentication. - This is obtained from the OVHCloud API credentials at https://api.ovh.com. - minLength: 1 - type: string - applicationSecret: - description: |- - applicationSecret defines the secret key for OVHCloud API authentication. - This contains the application secret obtained during OVHCloud API credential creation. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - consumerKey: - description: |- - consumerKey defines the consumer key for OVHCloud API authentication. - This is the third component of OVHCloud's three-key authentication system. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpoint: - description: |- - endpoint defines a custom API endpoint to be used. - When not specified, defaults to the standard OVHCloud API endpoint for the region. - minLength: 1 - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - service: - description: |- - service defines the service type of the targets to retrieve. - Must be either `VPS` or `DedicatedServer` to specify which OVHCloud resources to discover. - enum: - - VPS - - DedicatedServer - type: string - required: - - applicationKey - - applicationSecret - - consumerKey - - service - type: object - type: array - params: - additionalProperties: - items: - type: string - type: array - description: params defines optional HTTP URL parameters - type: object - x-kubernetes-map-type: atomic - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - puppetDBSDConfigs: - description: puppetDBSDConfigs defines a list of PuppetDB service - discovery configurations. - items: - description: |- - PuppetDBSDConfig configurations allow retrieving scrape targets from PuppetDB resources. - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#puppetdb_sd_config - properties: - authorization: - description: |- - authorization defines the header configuration to authenticate against the DigitalOcean API. - Cannot be set at the same time as `oauth2`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines information to use on every scrape request. - Cannot be set at the same time as `authorization`, or `oauth2`. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - followRedirects: - description: followRedirects defines whether HTTP requests follow - HTTP 3xx redirects. - type: boolean - includeParameters: - description: |- - includeParameters defines whether to include the parameters as meta labels. - Note: Enabling this exposes parameters in the Prometheus UI and API. Make sure - that you don't have secrets exposed as parameters if you enable this. - type: boolean - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the optional OAuth 2.0 configuration to authenticate against the target HTTP endpoint. - Cannot be set at the same time as `authorization`, or `basicAuth`. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. 
- type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. 
- It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - port: - description: port defines the port to scrape metrics from. If - using the public IP address, this must - format: int32 - maximum: 65535 - minimum: 0 - type: integer - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - query: - description: |- - query defines the Puppet Query Language (PQL) query. Only resources are supported. - https://puppet.com/docs/puppetdb/latest/api/query/v4/pql.html - minLength: 1 - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - tlsConfig: - description: tlsConfig defines the TLS configuration to connect - to the Consul API. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. 
- - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - url: - description: url defines the URL of the PuppetDB root query - endpoint. - minLength: 1 - pattern: ^http(s)?://.+$ - type: string - required: - - query - - url - type: object - type: array - relabelings: - description: |- - relabelings defines how to rewrite the target's labels before scraping. - Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields. - The original scrape job's name is available via the `__tmp_prometheus_job_name` label. - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. 
- - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against which - the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - minItems: 1 - type: array - sampleLimit: - description: sampleLimit defines per-scrape limit on number of scraped - samples that will be accepted. - format: int64 - type: integer - scalewaySDConfigs: - description: scalewaySDConfigs defines a list of Scaleway instances - and baremetal service discovery configurations. - items: - description: |- - ScalewaySDConfig configurations allow retrieving scrape targets from Scaleway instances and baremetal services. - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scaleway_sd_config - properties: - accessKey: - description: accessKey defines the access key to use. 
https://console.scaleway.com/project/credentials - minLength: 1 - type: string - apiURL: - description: apiURL defines the API URL to use when doing the - server listing requests. - pattern: ^http(s)?://.+$ - type: string - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. - type: boolean - followRedirects: - description: followRedirects defines whether HTTP requests follow - HTTP 3xx redirects. - type: boolean - nameFilter: - description: nameFilter defines a name filter (works as a LIKE) - to apply on the server listing request. - minLength: 1 - type: string - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - port: - description: port defines the port to scrape metrics from. If - using the public IP address, this must - format: int32 - maximum: 65535 - minimum: 0 - type: integer - projectID: - description: projectID defines the Project ID of the targets. - minLength: 1 - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - refreshInterval: - description: |- - refreshInterval defines the time after which the provided names are refreshed. - If not set, Prometheus uses its default value. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - role: - description: role defines the service of the targets to retrieve. - Must be `Instance` or `Baremetal`. - enum: - - Instance - - Baremetal - type: string - secretKey: - description: secretKey defines the secret key to use when listing - targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - tagsFilter: - description: tagsFilter defines a tag filter (a server needs - to have all defined tags to be listed) to apply on the server - listing request. - items: - minLength: 1 - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - tlsConfig: - description: tlsConfig defines the TLS configuration to connect - to the Consul API. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. 
- type: boolean - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - zone: - description: zone defines the availability zone of your targets - (e.g. fr-par-1). - minLength: 1 - type: string - required: - - accessKey - - projectID - - role - - secretKey - type: object - type: array - scheme: - description: scheme defines the protocol scheme used for requests. - enum: - - http - - https - - HTTP - - HTTPS - type: string - scrapeClass: - description: scrapeClass defines the scrape class to apply. - minLength: 1 - type: string - scrapeClassicHistograms: - description: |- - scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram. - It requires Prometheus >= v2.45.0. 
- - Notice: `scrapeClassicHistograms` corresponds to the `always_scrape_classic_histograms` field in the Prometheus configuration. - type: boolean - scrapeInterval: - description: scrapeInterval defines the interval between consecutive - scrapes. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - scrapeProtocols: - description: |- - scrapeProtocols defines the protocols to negotiate during a scrape. It tells clients the - protocols supported by Prometheus in order of preference (from most to least preferred). - - If unset, Prometheus uses its default value. - - It requires Prometheus >= v2.49.0. - items: - description: |- - ScrapeProtocol represents a protocol used by Prometheus for scraping metrics. - Supported values are: - * `OpenMetricsText0.0.1` - * `OpenMetricsText1.0.0` - * `PrometheusProto` - * `PrometheusText0.0.4` - * `PrometheusText1.0.0` - enum: - - PrometheusProto - - OpenMetricsText0.0.1 - - OpenMetricsText1.0.0 - - PrometheusText0.0.4 - - PrometheusText1.0.0 - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - scrapeTimeout: - description: |- - scrapeTimeout defines the number of seconds to wait until a scrape request times out. - The value cannot be greater than the scrape interval otherwise the operator will reject the resource. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - staticConfigs: - description: staticConfigs defines a list of static targets with a - common label set. - items: - description: |- - StaticConfig defines a Prometheus static configuration. - See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config - properties: - labels: - additionalProperties: - type: string - description: labels defines labels assigned to all metrics scraped - from the targets. 
- type: object - x-kubernetes-map-type: atomic - targets: - description: targets defines the list of targets for this static - configuration. - items: - description: |- - Target represents a target for Prometheus to scrape - kubebuilder:validation:MinLength:=1 - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - required: - - targets - type: object - type: array - targetLimit: - description: targetLimit defines a limit on the number of scraped - targets that will be accepted. - format: int64 - type: integer - tlsConfig: - description: tlsConfig defines the TLS configuration to use on every - scrape request - properties: - ca: - description: ca defines the Certificate authority used when verifying - server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing data - to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data to - use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to present when - doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing data - to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data to - use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. 
- type: boolean - keySecret: - description: keySecret defines the Secret containing the client - key file for the targets. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for the - targets. - type: string - type: object - trackTimestampsStaleness: - description: |- - trackTimestampsStaleness defines whether Prometheus tracks staleness of - the metrics that have an explicit timestamp present in scraped data. - Has no effect if `honorTimestamps` is false. - It requires Prometheus >= v2.48.0. - type: boolean - type: object - status: - description: |- - status defines the status subresource. It is under active development and is updated only when the - "StatusForConfigurationResources" feature gate is enabled. - - Most recent observed status of the ScrapeConfig. Read-only. 
- More info: - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - bindings: - description: bindings defines the list of workload resources (Prometheus, - PrometheusAgent, ThanosRuler or Alertmanager) which select the configuration - resource. - items: - description: WorkloadBinding is a link between a configuration resource - and a workload resource. - properties: - conditions: - description: conditions defines the current state of the configuration - resource when bound to the referenced Workload object. - items: - description: ConfigResourceCondition describes the status - of configuration resources linked to Prometheus, PrometheusAgent, - Alertmanager or ThanosRuler. - properties: - lastTransitionTime: - description: lastTransitionTime defines the time of the - last update to the current status property. - format: date-time - type: string - message: - description: message defines the human-readable message - indicating details for the condition's last transition. - type: string - observedGeneration: - description: |- - observedGeneration defines the .metadata.generation that the - condition was set based upon. For instance, if `.metadata.generation` is - currently 12, but the `.status.conditions[].observedGeneration` is 9, the - condition is out of date with respect to the current state of the object. - format: int64 - type: integer - reason: - description: reason for the condition's last transition. - type: string - status: - description: status of the condition. - minLength: 1 - type: string - type: - description: |- - type of the condition being reported. - Currently, only "Accepted" is supported. - enum: - - Accepted - minLength: 1 - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - group: - description: group defines the group of the referenced resource. 
- enum: - - monitoring.coreos.com - type: string - name: - description: name defines the name of the referenced object. - minLength: 1 - type: string - namespace: - description: namespace defines the namespace of the referenced - object. - minLength: 1 - type: string - resource: - description: resource defines the type of resource being referenced - (e.g. Prometheus, PrometheusAgent, ThanosRuler or Alertmanager). - enum: - - prometheuses - - prometheusagents - - thanosrulers - - alertmanagers - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - name - - namespace - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-servicemonitors.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - operator.prometheus.io/version: 0.87.0 - name: servicemonitors.monitoring.coreos.com -spec: - group: monitoring.coreos.com - names: - categories: - - prometheus-operator - kind: ServiceMonitor - listKind: ServiceMonitorList - plural: servicemonitors - shortNames: - - smon - singular: servicemonitor - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - The `ServiceMonitor` custom resource definition (CRD) defines how `Prometheus` and `PrometheusAgent` can scrape metrics from a group of services. - Among other things, it allows to specify: - * The services to scrape via label selectors. - * The container ports to scrape. - * Authentication credentials to use. - * Target and metric relabeling. - - `Prometheus` and `PrometheusAgent` objects select `ServiceMonitor` objects using label and namespace selectors. 
- properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec defines the specification of desired Service selection for target discovery by - Prometheus. - properties: - attachMetadata: - description: |- - attachMetadata defines additional metadata which is added to the - discovered targets. - - It requires Prometheus >= v2.37.0. - properties: - node: - description: |- - node when set to true, Prometheus attaches node metadata to the discovered - targets. - - The Prometheus service account must have the `list` and `watch` - permissions on the `Nodes` objects. - type: boolean - type: object - bodySizeLimit: - description: |- - bodySizeLimit when defined, bodySizeLimit specifies a job level limit on the size - of uncompressed response body that will be accepted by Prometheus. - - It requires Prometheus >= v2.28.0. - pattern: (^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$ - type: string - convertClassicHistogramsToNHCB: - description: |- - convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native histogram with custom buckets. - It requires Prometheus >= v3.0.0. - type: boolean - endpoints: - description: |- - endpoints defines the list of endpoints part of this ServiceMonitor. 
- Defines how to scrape metrics from Kubernetes [Endpoints](https://kubernetes.io/docs/concepts/services-networking/service/#endpoints) objects. - In most cases, an Endpoints object is backed by a Kubernetes [Service](https://kubernetes.io/docs/concepts/services-networking/service/) object with the same name and labels. - items: - description: |- - Endpoint defines an endpoint serving Prometheus metrics to be scraped by - Prometheus. - properties: - authorization: - description: |- - authorization configures the Authorization header credentials to use when - scraping the target. - - Cannot be set at the same time as `basicAuth`, or `oauth2`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - basicAuth: - description: |- - basicAuth defines the Basic Authentication credentials to use when - scraping the target. - - Cannot be set at the same time as `authorization`, or `oauth2`. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. 
- properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerTokenFile: - description: |- - bearerTokenFile defines the file to read bearer token for scraping the target. - - Deprecated: use `authorization` instead. - type: string - bearerTokenSecret: - description: |- - bearerTokenSecret defines a key of a Secret containing the bearer - token for scraping targets. The secret needs to be in the same namespace - as the ServiceMonitor object and readable by the Prometheus Operator. - - Deprecated: use `authorization` instead. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - enableHttp2: - description: enableHttp2 can be used to disable HTTP2 when scraping - the target. - type: boolean - filterRunning: - description: |- - filterRunning when true, the pods which are not running (e.g. either in Failed or - Succeeded state) are dropped during the target discovery. - - If unset, the filtering is enabled. - - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase - type: boolean - followRedirects: - description: |- - followRedirects defines whether the scrape requests should follow HTTP - 3xx redirects. - type: boolean - honorLabels: - description: |- - honorLabels defines when true the metric's labels when they collide - with the target's labels. - type: boolean - honorTimestamps: - description: |- - honorTimestamps defines whether Prometheus preserves the timestamps - when exposed by the target. - type: boolean - interval: - description: |- - interval at which Prometheus scrapes the metrics from the target. - - If empty, Prometheus uses the global scrape interval. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - metricRelabelings: - description: |- - metricRelabelings defines the relabeling rules to apply to the - samples before ingestion. - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. 
- - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. 
- - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 defines the OAuth2 settings to use when scraping the target. - - It requires Prometheus >= 2.27.0. - - Cannot be set at the same time as `authorization`, or `basicAuth`. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. 
Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. 
- type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - params: - additionalProperties: - items: - type: string - type: array - description: params define optional HTTP URL parameters. - type: object - path: - description: |- - path defines the HTTP path from which to scrape for metrics. - - If empty, Prometheus uses the default value (e.g. `/metrics`). - type: string - port: - description: |- - port defines the name of the Service port which this endpoint refers to. - - It takes precedence over `targetPort`. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. 
- type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - relabelings: - description: |- - relabelings defines the relabeling rules to apply the target's - metadata labels. - - The Operator automatically adds relabelings for a few standard Kubernetes fields. - - The original scrape job's name is available via the `__tmp_prometheus_job_name` label. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. 
- type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - scheme: - description: scheme defines the HTTP scheme to use when scraping - the metrics. - enum: - - http - - https - - HTTP - - HTTPS - type: string - scrapeTimeout: - description: |- - scrapeTimeout defines the timeout after which Prometheus considers the scrape to be failed. - - If empty, Prometheus uses the global scrape timeout unless it is less - than the target's scrape interval value in which the latter is used. - The value cannot be greater than the scrape interval otherwise the operator will reject the resource. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - targetPort defines the name or number of the target port of the `Pod` object behind the - Service. The port must be specified with the container's port property. - x-kubernetes-int-or-string: true - tlsConfig: - description: tlsConfig defines the TLS configuration to use - when scraping the target. 
- properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - caFile: - description: caFile defines the path to the CA cert in the - Prometheus container to use for the targets. - type: string - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: certFile defines the path to the client cert - file in the Prometheus container for the targets. - type: string - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keyFile: - description: keyFile defines the path to the client key - file in the Prometheus container for the targets. - type: string - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - trackTimestampsStaleness: - description: |- - trackTimestampsStaleness defines whether Prometheus tracks staleness of - the metrics that have an explicit timestamp present in scraped data. - Has no effect if `honorTimestamps` is false. - - It requires Prometheus >= v2.48.0. - type: boolean - type: object - type: array - fallbackScrapeProtocol: - description: |- - fallbackScrapeProtocol defines the protocol to use if a scrape returns blank, unparseable, or otherwise invalid Content-Type. - - It requires Prometheus >= v3.0.0. - enum: - - PrometheusProto - - OpenMetricsText0.0.1 - - OpenMetricsText1.0.0 - - PrometheusText0.0.4 - - PrometheusText1.0.0 - type: string - jobLabel: - description: |- - jobLabel selects the label from the associated Kubernetes `Service` - object which will be used as the `job` label for all metrics. 
- - For example if `jobLabel` is set to `foo` and the Kubernetes `Service` - object is labeled with `foo: bar`, then Prometheus adds the `job="bar"` - label to all ingested metrics. - - If the value of this field is empty or if the label doesn't exist for - the given Service, the `job` label of the metrics defaults to the name - of the associated Kubernetes `Service`. - type: string - keepDroppedTargets: - description: |- - keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling - that will be kept in memory. 0 means no limit. - - It requires Prometheus >= v2.47.0. - format: int64 - type: integer - labelLimit: - description: |- - labelLimit defines the per-scrape limit on number of labels that will be accepted for a sample. - - It requires Prometheus >= v2.27.0. - format: int64 - type: integer - labelNameLengthLimit: - description: |- - labelNameLengthLimit defines the per-scrape limit on length of labels name that will be accepted for a sample. - - It requires Prometheus >= v2.27.0. - format: int64 - type: integer - labelValueLengthLimit: - description: |- - labelValueLengthLimit defines the per-scrape limit on length of labels value that will be accepted for a sample. - - It requires Prometheus >= v2.27.0. - format: int64 - type: integer - namespaceSelector: - description: |- - namespaceSelector defines in which namespace(s) Prometheus should discover the services. - By default, the services are discovered in the same namespace as the `ServiceMonitor` object but it is possible to select pods across different/all namespaces. - properties: - any: - description: |- - any defines the boolean describing whether all namespaces are selected in contrast to a - list restricting them. - type: boolean - matchNames: - description: matchNames defines the list of namespace names to - select from. 
- items: - type: string - type: array - type: object - nativeHistogramBucketLimit: - description: |- - nativeHistogramBucketLimit defines ff there are more than this many buckets in a native histogram, - buckets will be merged to stay within the limit. - It requires Prometheus >= v2.45.0. - format: int64 - type: integer - nativeHistogramMinBucketFactor: - anyOf: - - type: integer - - type: string - description: |- - nativeHistogramMinBucketFactor defines if the growth factor of one bucket to the next is smaller than this, - buckets will be merged to increase the factor sufficiently. - It requires Prometheus >= v2.50.0. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - podTargetLabels: - description: |- - podTargetLabels defines the labels which are transferred from the - associated Kubernetes `Pod` object onto the ingested metrics. - items: - type: string - type: array - sampleLimit: - description: |- - sampleLimit defines a per-scrape limit on the number of scraped samples - that will be accepted. - format: int64 - type: integer - scrapeClass: - description: scrapeClass defines the scrape class to apply. - minLength: 1 - type: string - scrapeClassicHistograms: - description: |- - scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram. - It requires Prometheus >= v2.45.0. - - Notice: `scrapeClassicHistograms` corresponds to the `always_scrape_classic_histograms` field in the Prometheus configuration. - type: boolean - scrapeProtocols: - description: |- - scrapeProtocols defines the protocols to negotiate during a scrape. It tells clients the - protocols supported by Prometheus in order of preference (from most to least preferred). - - If unset, Prometheus uses its default value. - - It requires Prometheus >= v2.49.0. 
- items: - description: |- - ScrapeProtocol represents a protocol used by Prometheus for scraping metrics. - Supported values are: - * `OpenMetricsText0.0.1` - * `OpenMetricsText1.0.0` - * `PrometheusProto` - * `PrometheusText0.0.4` - * `PrometheusText1.0.0` - enum: - - PrometheusProto - - OpenMetricsText0.0.1 - - OpenMetricsText1.0.0 - - PrometheusText0.0.4 - - PrometheusText1.0.0 - type: string - type: array - x-kubernetes-list-type: set - selector: - description: selector defines the label selector to select the Kubernetes - `Endpoints` objects to scrape metrics from. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - selectorMechanism: - description: |- - selectorMechanism defines the mechanism used to select the endpoints to scrape. - By default, the selection process relies on relabel configurations to filter the discovered targets. - Alternatively, you can opt in for role selectors, which may offer better efficiency in large clusters. - Which strategy is best for your use case needs to be carefully evaluated. - - It requires Prometheus >= v2.17.0. - enum: - - RelabelConfig - - RoleSelector - type: string - serviceDiscoveryRole: - description: |- - serviceDiscoveryRole defines the service discovery role used to discover targets. - - If set, the value should be either "Endpoints" or "EndpointSlice". - Otherwise it defaults to the value defined in the - Prometheus/PrometheusAgent resource. - enum: - - Endpoints - - EndpointSlice - type: string - targetLabels: - description: |- - targetLabels defines the labels which are transferred from the - associated Kubernetes `Service` object onto the ingested metrics. - items: - type: string - type: array - targetLimit: - description: |- - targetLimit defines a limit on the number of scraped targets that will - be accepted. - format: int64 - type: integer - required: - - endpoints - - selector - type: object - status: - description: |- - status defines the status subresource. It is under active development and is updated only when the - "StatusForConfigurationResources" feature gate is enabled. - - Most recent observed status of the ServiceMonitor. Read-only. - More info: - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - bindings: - description: bindings defines the list of workload resources (Prometheus, - PrometheusAgent, ThanosRuler or Alertmanager) which select the configuration - resource. 
- items: - description: WorkloadBinding is a link between a configuration resource - and a workload resource. - properties: - conditions: - description: conditions defines the current state of the configuration - resource when bound to the referenced Workload object. - items: - description: ConfigResourceCondition describes the status - of configuration resources linked to Prometheus, PrometheusAgent, - Alertmanager or ThanosRuler. - properties: - lastTransitionTime: - description: lastTransitionTime defines the time of the - last update to the current status property. - format: date-time - type: string - message: - description: message defines the human-readable message - indicating details for the condition's last transition. - type: string - observedGeneration: - description: |- - observedGeneration defines the .metadata.generation that the - condition was set based upon. For instance, if `.metadata.generation` is - currently 12, but the `.status.conditions[].observedGeneration` is 9, the - condition is out of date with respect to the current state of the object. - format: int64 - type: integer - reason: - description: reason for the condition's last transition. - type: string - status: - description: status of the condition. - minLength: 1 - type: string - type: - description: |- - type of the condition being reported. - Currently, only "Accepted" is supported. - enum: - - Accepted - minLength: 1 - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - group: - description: group defines the group of the referenced resource. - enum: - - monitoring.coreos.com - type: string - name: - description: name defines the name of the referenced object. - minLength: 1 - type: string - namespace: - description: namespace defines the namespace of the referenced - object. 
- minLength: 1 - type: string - resource: - description: resource defines the type of resource being referenced - (e.g. Prometheus, PrometheusAgent, ThanosRuler or Alertmanager). - enum: - - prometheuses - - prometheusagents - - thanosrulers - - alertmanagers - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - name - - namespace - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-thanosrulers.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - operator.prometheus.io/version: 0.87.0 - name: thanosrulers.monitoring.coreos.com -spec: - group: monitoring.coreos.com - names: - categories: - - prometheus-operator - kind: ThanosRuler - listKind: ThanosRulerList - plural: thanosrulers - shortNames: - - ruler - singular: thanosruler - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The version of Thanos Ruler - jsonPath: .spec.version - name: Version - type: string - - description: The number of desired replicas - jsonPath: .spec.replicas - name: Replicas - type: integer - - description: The number of ready replicas - jsonPath: .status.availableReplicas - name: Ready - type: integer - - jsonPath: .status.conditions[?(@.type == 'Reconciled')].status - name: Reconciled - type: string - - jsonPath: .status.conditions[?(@.type == 'Available')].status - name: Available - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Whether the resource reconciliation is paused or not - jsonPath: .status.paused - name: Paused - priority: 1 - type: boolean - name: v1 - schema: - openAPIV3Schema: - description: |- - The 
`ThanosRuler` custom resource definition (CRD) defines a desired [Thanos Ruler](https://github.com/thanos-io/thanos/blob/main/docs/components/rule.md) setup to run in a Kubernetes cluster. - - A `ThanosRuler` instance requires at least one compatible Prometheus API endpoint (either Thanos Querier or Prometheus services). - - The resource defines via label and namespace selectors which `PrometheusRule` objects should be associated to the deployed Thanos Ruler instances. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec defines the specification of the desired behavior of the ThanosRuler cluster. More info: - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - additionalArgs: - description: |- - additionalArgs defines how to add additional arguments for the ThanosRuler container. - It is intended for e.g. activating hidden flags which are not supported by - the dedicated configuration options yet. The arguments are passed as-is to the - ThanosRuler container which may cause issues if they are invalid or not supported - by the given ThanosRuler version. - In case of an argument conflict (e.g. 
an argument which is already set by the - operator itself) or when providing an invalid argument the reconciliation will - fail and an error will be logged. - items: - description: Argument as part of the AdditionalArgs list. - properties: - name: - description: name of the argument, e.g. "scrape.discovery-reload-interval". - minLength: 1 - type: string - value: - description: value defines the argument value, e.g. 30s. Can - be empty for name-only arguments (e.g. --storage.tsdb.no-lockfile) - type: string - required: - - name - type: object - type: array - affinity: - description: affinity defines when specified, the pod's scheduling - constraints. - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the - pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the - corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding - nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate - this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. 
The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. 
The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. - avoid putting this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - alertDropLabels: - description: |- - alertDropLabels defines the label names which should be dropped in Thanos Ruler - alerts. - - The replica label `thanos_ruler_replica` will always be dropped from the alerts. - items: - type: string - type: array - alertQueryUrl: - description: |- - alertQueryUrl defines how Thanos Ruler will set in the 'Source' field - of all alerts. 
- Maps to the '--alert.query-url' CLI arg. - type: string - alertRelabelConfigFile: - description: |- - alertRelabelConfigFile defines the path to the alert relabeling configuration file. - - Alert relabel configuration must have the form as specified in the - official Prometheus documentation: - https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alert_relabel_configs - - The operator performs no validation of the configuration file. - - This field takes precedence over `alertRelabelConfig`. - type: string - alertRelabelConfigs: - description: |- - alertRelabelConfigs defines the alert relabeling in Thanos Ruler. - - Alert relabel configuration must have the form as specified in the - official Prometheus documentation: - https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alert_relabel_configs - - The operator performs no validation of the configuration. - - `alertRelabelConfigFile` takes precedence over this field. - properties: - key: - description: The key of the secret to select from. Must be a - valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - alertmanagersConfig: - description: |- - alertmanagersConfig defines the list of Alertmanager endpoints to send alerts to. - - The configuration format is defined at https://thanos.io/tip/components/rule.md/#alertmanager. - - It requires Thanos >= v0.10.0. - - The operator performs no validation of the configuration. - - This field takes precedence over `alertmanagersUrl`. 
- properties: - key: - description: The key of the secret to select from. Must be a - valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - alertmanagersUrl: - description: |- - alertmanagersUrl defines the list of Alertmanager endpoints to send alerts to. - - For Thanos >= v0.10.0, it is recommended to use `alertmanagersConfig` instead. - - `alertmanagersConfig` takes precedence over this field. - items: - type: string - type: array - containers: - description: |- - containers allows injecting additional containers or modifying operator generated - containers. This can be used to allow adding an authentication proxy to a ThanosRuler pod or - to change the behavior of an operator generated container. Containers described here modify - an operator generated container if they share the same name and modifications are done via a - strategic merge patch. The current container names are: `thanos-ruler` and `config-reloader`. - Overriding containers is entirely outside the scope of what the maintainers will support and by doing - so, you accept that this behaviour may break at any time without notice. - items: - description: A single application container that you want to run - within a pod. - properties: - args: - description: |- - Arguments to the entrypoint. - The container image's CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. 
If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - command: - description: |- - Entrypoint array. Not executed within a shell. - The container image's ENTRYPOINT is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - env: - description: |- - List of environment variables to set in the container. - Cannot be updated. - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. 
Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. 
- During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. - If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount containing - the env file. - type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - envFrom: - description: |- - List of sources to populate environment variables in the container. - The keys defined within a source may consist of any printable ASCII characters except '='. - When a key exists in multiple - sources, the value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will take precedence. - Cannot be updated. - items: - description: EnvFromSource represents the source of a set - of ConfigMaps or Secrets - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap must be - defined - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - description: |- - Optional text to prepend to the name of each environment variable. - May consist of any printable ASCII characters except '='. 
- type: string - secretRef: - description: The Secret to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - image: - description: |- - Container image name. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - imagePullPolicy: - description: |- - Image pull policy. - One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - type: string - lifecycle: - description: |- - Actions that the management system should take in response to container lifecycle events. - Cannot be updated. - properties: - postStart: - description: |- - PostStart is called immediately after a container is created. If the handler fails, - the container is terminated and restarted according to its restart policy. - Other management of the container blocks until the hook completes. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute in - the container. 
- properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that the container - should sleep. - properties: - seconds: - description: Seconds is the number of seconds to - sleep. 
- format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: |- - PreStop is called immediately before a container is terminated due to an - API request or management event such as liveness/startup probe failure, - preemption, resource contention, etc. The handler is not called if the - container crashes or exits. The Pod's termination grace period countdown begins before the - PreStop hook is executed. Regardless of the outcome of the handler, the - container will eventually terminate within the Pod's termination grace - period (unless delayed by finalizers). Other management of the container blocks until the hook completes - or until the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute in - the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. 
- Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that the container - should sleep. - properties: - seconds: - description: Seconds is the number of seconds to - sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' 
- type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - stopSignal: - description: |- - StopSignal defines which signal will be sent to a container when it is being stopped. - If not specified, the default is defined by the container runtime in use. - StopSignal can only be set for Pods with a non-empty .spec.os.name - type: string - type: object - livenessProbe: - description: |- - Periodic probe of container liveness. - Container will be restarted if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. 
- format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. 
- format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - name: - description: |- - Name of the container specified as a DNS_LABEL. 
- Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. - type: string - ports: - description: |- - List of ports to expose from the container. Not specifying a port here - DOES NOT prevent that port from being exposed. Any port which is - listening on the default "0.0.0.0" address inside a container will be - accessible from the network. - Modifying this array with strategic merge patch may corrupt the data. - For more information See https://github.com/kubernetes/kubernetes/issues/108255. - Cannot be updated. - items: - description: ContainerPort represents a network port in a - single container. - properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. - This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: |- - Number of port to expose on the host. - If specified, this must be a valid port number, 0 < x < 65536. - If HostNetwork is specified, this must match ContainerPort. - Most containers do not need this. - format: int32 - type: integer - name: - description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. - type: string - protocol: - default: TCP - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. - Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: |- - Periodic probe of container service readiness. - Container will be removed from service endpoints if the probe fails. - Cannot be updated. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. 
- This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. 
- The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - resizePolicy: - description: Resources resize policy for the container. - items: - description: ContainerResizePolicy represents resource resize - policy for the container. - properties: - resourceName: - description: |- - Name of the resource to which this resource resize policy applies. - Supported values: cpu, memory. - type: string - restartPolicy: - description: |- - Restart policy to apply when specified resource is resized. - If not specified, it defaults to NotRequired. - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - Compute Resources required by this container. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. 
- - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - restartPolicy: - description: |- - RestartPolicy defines the restart behavior of individual containers in a pod. - This overrides the pod-level restart policy. 
When this field is not specified, - the restart behavior is defined by the Pod's restart policy and the container type. - Additionally, setting the RestartPolicy as "Always" for the init container will - have the following effect: - this init container will be continually restarted on - exit until all regular containers have terminated. Once all regular - containers have completed, all init containers with restartPolicy "Always" - will be shut down. This lifecycle differs from normal init containers and - is often referred to as a "sidecar" container. Although this init - container still starts in the init container sequence, it does not wait - for the container to complete before proceeding to the next init - container. Instead, the next init container starts immediately after this - init container is started, or after any startupProbe has successfully - completed. - type: string - restartPolicyRules: - description: |- - Represents a list of rules to be checked to determine if the - container should be restarted on exit. The rules are evaluated in - order. Once a rule matches a container exit condition, the remaining - rules are ignored. If no rule matches the container exit condition, - the Container-level restart policy determines the whether the container - is restarted or not. Constraints on the rules: - - At most 20 rules are allowed. - - Rules can have the same action. - - Identical rules are not forbidden in validations. - When rules are specified, container MUST set RestartPolicy explicitly - even it if matches the Pod's RestartPolicy. - items: - description: ContainerRestartRule describes how a container - exit is handled. - properties: - action: - description: |- - Specifies the action taken on a container exit if the requirements - are satisfied. The only possible value is "Restart" to restart the - container. - type: string - exitCodes: - description: Represents the exit codes to check on container - exits. 
- properties: - operator: - description: |- - Represents the relationship between the container exit code(s) and the - specified values. Possible values are: - - In: the requirement is satisfied if the container exit code is in the - set of specified values. - - NotIn: the requirement is satisfied if the container exit code is - not in the set of specified values. - type: string - values: - description: |- - Specifies the set of values to check for container exit codes. - At most 255 elements are allowed. - items: - format: int32 - type: integer - type: array - x-kubernetes-list-type: set - required: - - operator - type: object - required: - - action - type: object - type: array - x-kubernetes-list-type: atomic - securityContext: - description: |- - SecurityContext defines the security options the container should be run with. - If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. - More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by this container. If set, this profile - overrides the pod's appArmorProfile. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". 
- type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default value is Default which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. 
- type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. 
- All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - startupProbe: - description: |- - StartupProbe indicates that the Pod has successfully initialized. - If specified, no other probes are executed until this completes successfully. - If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, - when it might take a long time to load data or warm a cache, than during steady-state operation. - This cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. 
- Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - stdin: - description: |- - Whether this container should allocate a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will always result in EOF. - Default is false. - type: boolean - stdinOnce: - description: |- - Whether the container runtime should close the stdin channel after it has been opened by - a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the - first client attaches to stdin, and then remains open and accepts data until the client disconnects, - at which time stdin is closed and remains closed until the container is restarted. If this - flag is false, a container processes that reads from stdin will never receive an EOF. - Default is false - type: boolean - terminationMessagePath: - description: |- - Optional: Path at which the file to which the container's termination message - will be written is mounted into the container's filesystem. - Message written is intended to be brief final status, such as an assertion failure message. - Will be truncated by the node if greater than 4096 bytes. The total message length across - all containers will be limited to 12kb. - Defaults to /dev/termination-log. - Cannot be updated. - type: string - terminationMessagePolicy: - description: |- - Indicate how the termination message should be populated. File will use the contents of - terminationMessagePath to populate the container status message on both success and failure. - FallbackToLogsOnError will use the last chunk of container log output if the termination - message file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, whichever is smaller. - Defaults to File. - Cannot be updated. 
- type: string - tty: - description: |- - Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. - Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices to be - used by the container. - items: - description: volumeDevice describes a mapping of a raw block - device within a container. - properties: - devicePath: - description: devicePath is the path inside of the container - that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - devicePath - x-kubernetes-list-type: map - volumeMounts: - description: |- - Pod volumes to mount into the container's filesystem. - Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. 
- - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - mountPath - x-kubernetes-list-type: map - workingDir: - description: |- - Container's working directory. - If not specified, the container runtime's default will be used, which - might be configured in the container image. - Cannot be updated. - type: string - required: - - name - type: object - type: array - dnsConfig: - description: dnsConfig defines Defines the DNS configuration for the - pods. - properties: - nameservers: - description: |- - nameservers defines the list of DNS name server IP addresses. - This will be appended to the base nameservers generated from DNSPolicy. 
- items: - minLength: 1 - type: string - type: array - x-kubernetes-list-type: set - options: - description: |- - options defines the list of DNS resolver options. - This will be merged with the base options generated from DNSPolicy. - Resolution options given in Options - will override those that appear in the base DNSPolicy. - items: - description: PodDNSConfigOption defines DNS resolver options - of a pod. - properties: - name: - description: name is required and must be unique. - minLength: 1 - type: string - value: - description: value is optional. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - searches: - description: |- - searches defines the list of DNS search domains for host-name lookup. - This will be appended to the base search paths generated from DNSPolicy. - items: - minLength: 1 - type: string - type: array - x-kubernetes-list-type: set - type: object - dnsPolicy: - description: dnsPolicy defines the DNS policy for the pods. - enum: - - ClusterFirstWithHostNet - - ClusterFirst - - Default - - None - type: string - enableFeatures: - description: |- - enableFeatures defines how to setup Thanos Ruler feature flags. By default, no features are enabled. - - Enabling features which are disabled by default is entirely outside the - scope of what the maintainers will support and by doing so, you accept - that this behaviour may break at any time without notice. - - For more information see https://thanos.io/tip/components/rule.md/ - - It requires Thanos >= 0.39.0. 
- items: - minLength: 1 - type: string - type: array - x-kubernetes-list-type: set - enableServiceLinks: - description: enableServiceLinks defines whether information about - services should be injected into pod's environment variables - type: boolean - enforcedNamespaceLabel: - description: |- - enforcedNamespaceLabel enforces adding a namespace label of origin for each alert - and metric that is user created. The label value will always be the namespace of the object that is - being created. - type: string - evaluationInterval: - default: 15s - description: evaluationInterval defines the interval between consecutive - evaluations. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - excludedFromEnforcement: - description: |- - excludedFromEnforcement defines the list of references to PrometheusRule objects - to be excluded from enforcing a namespace label of origin. - Applies only if enforcedNamespaceLabel set to true. - items: - description: ObjectReference references a PodMonitor, ServiceMonitor, - Probe or PrometheusRule object. - properties: - group: - default: monitoring.coreos.com - description: group of the referent. When not specified, it defaults - to `monitoring.coreos.com` - enum: - - monitoring.coreos.com - type: string - name: - description: name of the referent. When not set, all resources - in the namespace are matched. - type: string - namespace: - description: |- - namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - minLength: 1 - type: string - resource: - description: resource of the referent. - enum: - - prometheusrules - - servicemonitors - - podmonitors - - probes - - scrapeconfigs - type: string - required: - - namespace - - resource - type: object - type: array - externalPrefix: - description: |- - externalPrefix defines the Thanos Ruler instances will be available under. 
This is - necessary to generate correct URLs. This is necessary if Thanos Ruler is not - served from root of a DNS name. - type: string - grpcServerTlsConfig: - description: |- - grpcServerTlsConfig defines the gRPC server from which Thanos Querier reads - recorded rule data. - Note: Currently only the CAFile, CertFile, and KeyFile fields are supported. - Maps to the '--grpc-server-tls-*' CLI args. - properties: - ca: - description: ca defines the Certificate authority used when verifying - server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing data - to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data to - use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - caFile: - description: caFile defines the path to the CA cert in the Prometheus - container to use for the targets. - type: string - cert: - description: cert defines the Client certificate to present when - doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing data - to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data to - use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: certFile defines the path to the client cert file - in the Prometheus container for the targets. - type: string - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keyFile: - description: keyFile defines the path to the client key file in - the Prometheus container for the targets. - type: string - keySecret: - description: keySecret defines the Secret containing the client - key file for the targets. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for the - targets. 
- type: string - type: object - hostAliases: - description: hostAliases defines pods' hostAliases configuration - items: - description: |- - HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the - pod's hosts file. - properties: - hostnames: - description: hostnames defines hostnames for the above IP address. - items: - type: string - type: array - ip: - description: ip defines the IP address of the host file entry. - type: string - required: - - hostnames - - ip - type: object - type: array - x-kubernetes-list-map-keys: - - ip - x-kubernetes-list-type: map - hostUsers: - description: |- - hostUsers supports the user space in Kubernetes. - - More info: https://kubernetes.io/docs/tasks/configure-pod-container/user-namespaces/ - - The feature requires at least Kubernetes 1.28 with the `UserNamespacesSupport` feature gate enabled. - Starting Kubernetes 1.33, the feature is enabled by default. - type: boolean - image: - description: image defines Thanos container image URL. - type: string - imagePullPolicy: - description: |- - imagePullPolicy defines for the 'thanos', 'init-config-reloader' and 'config-reloader' containers. - See https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy for more details. - enum: - - "" - - Always - - Never - - IfNotPresent - type: string - imagePullSecrets: - description: |- - imagePullSecrets defines an optional list of references to secrets in the same namespace - to use for pulling thanos images from registries - see http://kubernetes.io/docs/user-guide/images#specifying-imagepullsecrets-on-a-pod - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - initContainers: - description: |- - initContainers allows adding initContainers to the pod definition. Those can be used to e.g. - fetch secrets for injection into the ThanosRuler configuration from external sources. Any - errors during the execution of an initContainer will lead to a restart of the Pod. - More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - Using initContainers for any use case other then secret fetching is entirely outside the scope - of what the maintainers will support and by doing so, you accept that this behaviour may break - at any time without notice. - items: - description: A single application container that you want to run - within a pod. - properties: - args: - description: |- - Arguments to the entrypoint. - The container image's CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - command: - description: |- - Entrypoint array. Not executed within a shell. - The container image's ENTRYPOINT is used if this is not provided. - Variable references $(VAR_NAME) are expanded using the container's environment. 
If a variable - cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell - items: - type: string - type: array - x-kubernetes-list-type: atomic - env: - description: |- - List of environment variables to set in the container. - Cannot be updated. - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. - If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount containing - the env file. 
- type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - envFrom: - description: |- - List of sources to populate environment variables in the container. - The keys defined within a source may consist of any printable ASCII characters except '='. 
- When a key exists in multiple - sources, the value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will take precedence. - Cannot be updated. - items: - description: EnvFromSource represents the source of a set - of ConfigMaps or Secrets - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap must be - defined - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - description: |- - Optional text to prepend to the name of each environment variable. - May consist of any printable ASCII characters except '='. - type: string - secretRef: - description: The Secret to select from - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - image: - description: |- - Container image name. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. 
- type: string - imagePullPolicy: - description: |- - Image pull policy. - One of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - type: string - lifecycle: - description: |- - Actions that the management system should take in response to container lifecycle events. - Cannot be updated. - properties: - postStart: - description: |- - PostStart is called immediately after a container is created. If the handler fails, - the container is terminated and restarted according to its restart policy. - Other management of the container blocks until the hook completes. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute in - the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. 
- This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that the container - should sleep. - properties: - seconds: - description: Seconds is the number of seconds to - sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: |- - PreStop is called immediately before a container is terminated due to an - API request or management event such as liveness/startup probe failure, - preemption, resource contention, etc. The handler is not called if the - container crashes or exits. The Pod's termination grace period countdown begins before the - PreStop hook is executed. 
Regardless of the outcome of the handler, the - container will eventually terminate within the Pod's termination grace - period (unless delayed by finalizers). Other management of the container blocks until the hook completes - or until the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies a command to execute in - the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. 
- Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents a duration that the container - should sleep. - properties: - seconds: - description: Seconds is the number of seconds to - sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for backward compatibility. There is no validation of this field and - lifecycle hooks will fail at runtime when it is specified. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - stopSignal: - description: |- - StopSignal defines which signal will be sent to a container when it is being stopped. - If not specified, the default is defined by the container runtime in use. - StopSignal can only be set for Pods with a non-empty .spec.os.name - type: string - type: object - livenessProbe: - description: |- - Periodic probe of container liveness. - Container will be restarted if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. 
The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. 
- type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. 
Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - name: - description: |- - Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. - type: string - ports: - description: |- - List of ports to expose from the container. Not specifying a port here - DOES NOT prevent that port from being exposed. Any port which is - listening on the default "0.0.0.0" address inside a container will be - accessible from the network. - Modifying this array with strategic merge patch may corrupt the data. - For more information See https://github.com/kubernetes/kubernetes/issues/108255. - Cannot be updated. - items: - description: ContainerPort represents a network port in a - single container. - properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. - This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: |- - Number of port to expose on the host. - If specified, this must be a valid port number, 0 < x < 65536. - If HostNetwork is specified, this must match ContainerPort. - Most containers do not need this. 
- format: int32 - type: integer - name: - description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. - type: string - protocol: - default: TCP - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. - Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: |- - Periodic probe of container service readiness. - Container will be removed from service endpoints if the probe fails. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. 
- format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. 
- format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - resizePolicy: - description: Resources resize policy for the container. 
- items: - description: ContainerResizePolicy represents resource resize - policy for the container. - properties: - resourceName: - description: |- - Name of the resource to which this resource resize policy applies. - Supported values: cpu, memory. - type: string - restartPolicy: - description: |- - Restart policy to apply when specified resource is resized. - If not specified, it defaults to NotRequired. - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - Compute Resources required by this container. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - restartPolicy: - description: |- - RestartPolicy defines the restart behavior of individual containers in a pod. - This overrides the pod-level restart policy. When this field is not specified, - the restart behavior is defined by the Pod's restart policy and the container type. - Additionally, setting the RestartPolicy as "Always" for the init container will - have the following effect: - this init container will be continually restarted on - exit until all regular containers have terminated. Once all regular - containers have completed, all init containers with restartPolicy "Always" - will be shut down. This lifecycle differs from normal init containers and - is often referred to as a "sidecar" container. Although this init - container still starts in the init container sequence, it does not wait - for the container to complete before proceeding to the next init - container. Instead, the next init container starts immediately after this - init container is started, or after any startupProbe has successfully - completed. - type: string - restartPolicyRules: - description: |- - Represents a list of rules to be checked to determine if the - container should be restarted on exit. The rules are evaluated in - order. 
Once a rule matches a container exit condition, the remaining - rules are ignored. If no rule matches the container exit condition, - the Container-level restart policy determines the whether the container - is restarted or not. Constraints on the rules: - - At most 20 rules are allowed. - - Rules can have the same action. - - Identical rules are not forbidden in validations. - When rules are specified, container MUST set RestartPolicy explicitly - even it if matches the Pod's RestartPolicy. - items: - description: ContainerRestartRule describes how a container - exit is handled. - properties: - action: - description: |- - Specifies the action taken on a container exit if the requirements - are satisfied. The only possible value is "Restart" to restart the - container. - type: string - exitCodes: - description: Represents the exit codes to check on container - exits. - properties: - operator: - description: |- - Represents the relationship between the container exit code(s) and the - specified values. Possible values are: - - In: the requirement is satisfied if the container exit code is in the - set of specified values. - - NotIn: the requirement is satisfied if the container exit code is - not in the set of specified values. - type: string - values: - description: |- - Specifies the set of values to check for container exit codes. - At most 255 elements are allowed. - items: - format: int32 - type: integer - type: array - x-kubernetes-list-type: set - required: - - operator - type: object - required: - - action - type: object - type: array - x-kubernetes-list-type: atomic - securityContext: - description: |- - SecurityContext defines the security options the container should be run with. - If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. 
- More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by this container. If set, this profile - overrides the pod's appArmorProfile. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default value is Default which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". 
Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - type: object - type: object - startupProbe: - description: |- - StartupProbe indicates that the Pod has successfully initialized. - If specified, no other probes are executed until this completes successfully. - If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, - when it might take a long time to load data or warm a cache, than during steady-state operation. - This cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - properties: - exec: - description: Exec specifies a command to execute in the - container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number - must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. 
- type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
- format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - stdin: - description: |- - Whether this container should allocate a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will always result in EOF. - Default is false. 
- type: boolean - stdinOnce: - description: |- - Whether the container runtime should close the stdin channel after it has been opened by - a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the - first client attaches to stdin, and then remains open and accepts data until the client disconnects, - at which time stdin is closed and remains closed until the container is restarted. If this - flag is false, a container processes that reads from stdin will never receive an EOF. - Default is false - type: boolean - terminationMessagePath: - description: |- - Optional: Path at which the file to which the container's termination message - will be written is mounted into the container's filesystem. - Message written is intended to be brief final status, such as an assertion failure message. - Will be truncated by the node if greater than 4096 bytes. The total message length across - all containers will be limited to 12kb. - Defaults to /dev/termination-log. - Cannot be updated. - type: string - terminationMessagePolicy: - description: |- - Indicate how the termination message should be populated. File will use the contents of - terminationMessagePath to populate the container status message on both success and failure. - FallbackToLogsOnError will use the last chunk of container log output if the termination - message file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, whichever is smaller. - Defaults to File. - Cannot be updated. - type: string - tty: - description: |- - Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. - Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices to be - used by the container. 
- items: - description: volumeDevice describes a mapping of a raw block - device within a container. - properties: - devicePath: - description: devicePath is the path inside of the container - that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - devicePath - x-kubernetes-list-type: map - volumeMounts: - description: |- - Pod volumes to mount into the container's filesystem. - Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. 
If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - x-kubernetes-list-map-keys: - - mountPath - x-kubernetes-list-type: map - workingDir: - description: |- - Container's working directory. - If not specified, the container runtime's default will be used, which - might be configured in the container image. - Cannot be updated. - type: string - required: - - name - type: object - type: array - labels: - additionalProperties: - type: string - description: |- - labels defines the external label pairs of the ThanosRuler resource. - - A default replica label `thanos_ruler_replica` will be always added as a - label with the value of the pod's name. - type: object - listenLocal: - description: |- - listenLocal defines the Thanos ruler listen on loopback, so that it - does not bind against the Pod IP. - type: boolean - logFormat: - description: logFormat for ThanosRuler to be configured with. - enum: - - "" - - logfmt - - json - type: string - logLevel: - description: logLevel for ThanosRuler to be configured with. 
- enum: - - "" - - debug - - info - - warn - - error - type: string - minReadySeconds: - description: |- - minReadySeconds defines the minimum number of seconds for which a newly created pod should be ready - without any of its container crashing for it to be considered available. - - If unset, pods will be considered available as soon as they are ready. - format: int32 - minimum: 0 - type: integer - nodeSelector: - additionalProperties: - type: string - description: nodeSelector defines which Nodes the Pods are scheduled - on. - type: object - objectStorageConfig: - description: |- - objectStorageConfig defines the configuration format is defined at https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage - - The operator performs no validation of the configuration. - - `objectStorageConfigFile` takes precedence over this field. - properties: - key: - description: The key of the secret to select from. Must be a - valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - objectStorageConfigFile: - description: |- - objectStorageConfigFile defines the path of the object storage configuration file. - - The configuration format is defined at https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage - - The operator performs no validation of the configuration file. - - This field takes precedence over `objectStorageConfig`. 
- type: string - paused: - description: |- - paused defines when a ThanosRuler deployment is paused, no actions except for deletion - will be performed on the underlying objects. - type: boolean - podMetadata: - description: |- - podMetadata defines labels and annotations which are propagated to the ThanosRuler pods. - - The following items are reserved and cannot be overridden: - * "app.kubernetes.io/name" label, set to "thanos-ruler". - * "app.kubernetes.io/managed-by" label, set to "prometheus-operator". - * "app.kubernetes.io/instance" label, set to the name of the ThanosRuler instance. - * "thanos-ruler" label, set to the name of the ThanosRuler instance. - * "kubectl.kubernetes.io/default-container" annotation, set to "thanos-ruler". - properties: - annotations: - additionalProperties: - type: string - description: |- - annotations defines an unstructured key value map stored with a resource that may be - set by external tools to store and retrieve arbitrary metadata. They are not - queryable and should be preserved when modifying objects. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - type: object - labels: - additionalProperties: - type: string - description: |- - labels define the map of string keys and values that can be used to organize and categorize - (scope and select) objects. May match selectors of replication controllers - and services. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - type: object - name: - description: |- - name must be unique within a namespace. Is required when creating resources, although - some resources may allow a client to request the generation of an appropriate name - automatically. Name is primarily intended for creation idempotence and configuration - definition. - Cannot be updated. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/ - type: string - type: object - portName: - default: web - description: |- - portName defines the port name used for the pods and governing service. - Defaults to `web`. - type: string - priorityClassName: - description: priorityClassName defines the priority class assigned - to the Pods - type: string - prometheusRulesExcludedFromEnforce: - description: |- - prometheusRulesExcludedFromEnforce defines a list of Prometheus rules to be excluded from enforcing - of adding namespace labels. Works only if enforcedNamespaceLabel set to true. - Make sure both ruleNamespace and ruleName are set for each pair - Deprecated: use excludedFromEnforcement instead. - items: - description: |- - PrometheusRuleExcludeConfig enables users to configure excluded - PrometheusRule names and their namespaces to be ignored while enforcing - namespace label for alerts and metrics. - properties: - ruleName: - description: ruleName defines the name of the excluded PrometheusRule - object. - type: string - ruleNamespace: - description: ruleNamespace defines the namespace of the excluded - PrometheusRule object. - type: string - required: - - ruleName - - ruleNamespace - type: object - type: array - queryConfig: - description: |- - queryConfig defines the list of Thanos Query endpoints from which to query metrics. - - The configuration format is defined at https://thanos.io/tip/components/rule.md/#query-api - - It requires Thanos >= v0.11.0. - - The operator performs no validation of the configuration. - - This field takes precedence over `queryEndpoints`. - properties: - key: - description: The key of the secret to select from. Must be a - valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - queryEndpoints: - description: |- - queryEndpoints defines the list of Thanos Query endpoints from which to query metrics. - - For Thanos >= v0.11.0, it is recommended to use `queryConfig` instead. - - `queryConfig` takes precedence over this field. - items: - type: string - type: array - remoteWrite: - description: |- - remoteWrite defines the list of remote write configurations. - - When the list isn't empty, the ruler is configured with stateless mode. - - It requires Thanos >= 0.24.0. - items: - description: |- - RemoteWriteSpec defines the configuration to write samples from Prometheus - to a remote endpoint. - properties: - authorization: - description: |- - authorization section for the URL. - - It requires Prometheus >= v2.26.0 or Thanos >= v0.24.0. - - Cannot be set at the same time as `sigv4`, `basicAuth`, `oauth2`, or `azureAd`. - properties: - credentials: - description: credentials defines a key of a Secret in the - namespace that contains the credentials for authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - credentialsFile: - description: credentialsFile defines the file to read a - secret from, mutually exclusive with `credentials`. - type: string - type: - description: |- - type defines the authentication type. The value is case-insensitive. - - "Basic" is not a supported value. - - Default: "Bearer" - type: string - type: object - azureAd: - description: |- - azureAd for the URL. - - It requires Prometheus >= v2.45.0 or Thanos >= v0.31.0. - - Cannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `sigv4`. - properties: - cloud: - description: cloud defines the Azure Cloud. Options are - 'AzurePublic', 'AzureChina', or 'AzureGovernment'. - enum: - - AzureChina - - AzureGovernment - - AzurePublic - type: string - managedIdentity: - description: |- - managedIdentity defines the Azure User-assigned Managed identity. - Cannot be set at the same time as `oauth` or `sdk`. - properties: - clientId: - description: |- - clientId defines the Azure User-assigned Managed identity. - - For Prometheus >= 3.5.0 and Thanos >= 0.40.0, this field is allowed to be empty to support system-assigned managed identities. - minLength: 1 - type: string - type: object - oauth: - description: |- - oauth defines the oauth config that is being used to authenticate. - Cannot be set at the same time as `managedIdentity` or `sdk`. - - It requires Prometheus >= v2.48.0 or Thanos >= v0.31.0. - properties: - clientId: - description: clientId defines the clientId of the Azure - Active Directory application that is being used to - authenticate. 
- minLength: 1 - type: string - clientSecret: - description: clientSecret specifies a key of a Secret - containing the client secret of the Azure Active Directory - application that is being used to authenticate. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - tenantId: - description: tenantId is the tenant ID of the Azure - Active Directory application that is being used to - authenticate. - minLength: 1 - pattern: ^[0-9a-zA-Z-.]+$ - type: string - required: - - clientId - - clientSecret - - tenantId - type: object - sdk: - description: |- - sdk defines the Azure SDK config that is being used to authenticate. - See https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication - Cannot be set at the same time as `oauth` or `managedIdentity`. - - It requires Prometheus >= v2.52.0 or Thanos >= v0.36.0. - properties: - tenantId: - description: tenantId defines the tenant ID of the azure - active directory application that is being used to - authenticate. - pattern: ^[0-9a-zA-Z-.]+$ - type: string - type: object - type: object - basicAuth: - description: |- - basicAuth configuration for the URL. - - Cannot be set at the same time as `sigv4`, `authorization`, `oauth2`, or `azureAd`. - properties: - password: - description: |- - password defines a key of a Secret containing the password for - authentication. 
- properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - username: - description: |- - username defines a key of a Secret containing the username for - authentication. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - bearerToken: - description: |- - bearerToken is deprecated: this will be removed in a future release. - *Warning: this field shouldn't be used because the token value appears - in clear-text. Prefer using `authorization`.* - type: string - bearerTokenFile: - description: |- - bearerTokenFile defines the file from which to read bearer token for the URL. - - Deprecated: this will be removed in a future release. Prefer using `authorization`. - type: string - enableHTTP2: - description: enableHTTP2 defines whether to enable HTTP2. 
- type: boolean - followRedirects: - description: |- - followRedirects defines whether HTTP requests follow HTTP 3xx redirects. - - It requires Prometheus >= v2.26.0 or Thanos >= v0.24.0. - type: boolean - headers: - additionalProperties: - type: string - description: |- - headers defines the custom HTTP headers to be sent along with each remote write request. - Be aware that headers that are set by Prometheus itself can't be overwritten. - - It requires Prometheus >= v2.25.0 or Thanos >= v0.24.0. - type: object - messageVersion: - description: |- - messageVersion defines the Remote Write message's version to use when writing to the endpoint. - - `Version1.0` corresponds to the `prometheus.WriteRequest` protobuf message introduced in Remote Write 1.0. - `Version2.0` corresponds to the `io.prometheus.write.v2.Request` protobuf message introduced in Remote Write 2.0. - - When `Version2.0` is selected, Prometheus will automatically be - configured to append the metadata of scraped metrics to the WAL. - - Before setting this field, consult with your remote storage provider - what message version it supports. - - It requires Prometheus >= v2.54.0 or Thanos >= v0.37.0. - enum: - - V1.0 - - V2.0 - type: string - metadataConfig: - description: |- - metadataConfig defines how to send a series metadata to the remote storage. - - When the field is empty, **no metadata** is sent. But when the field is - null, metadata is sent. - properties: - maxSamplesPerSend: - description: |- - maxSamplesPerSend defines the maximum number of metadata samples per send. - - It requires Prometheus >= v2.29.0. - format: int32 - minimum: -1 - type: integer - send: - description: send defines whether metric metadata is sent - to the remote storage or not. - type: boolean - sendInterval: - description: sendInterval defines how frequently metric - metadata is sent to the remote storage. 
- pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - type: object - name: - description: |- - name of the remote write queue, it must be unique if specified. The - name is used in metrics and logging in order to differentiate queues. - - It requires Prometheus >= v2.15.0 or Thanos >= 0.24.0. - type: string - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - oauth2: - description: |- - oauth2 configuration for the URL. - - It requires Prometheus >= v2.27.0 or Thanos >= v0.24.0. - - Cannot be set at the same time as `sigv4`, `authorization`, `basicAuth`, or `azureAd`. - properties: - clientId: - description: |- - clientId defines a key of a Secret or ConfigMap containing the - OAuth2 client's ID. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientSecret: - description: |- - clientSecret defines a key of a Secret containing the OAuth2 - client's secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - endpointParams: - additionalProperties: - type: string - description: |- - endpointParams configures the HTTP parameters to append to the token - URL. - type: object - noProxy: - description: |- - noProxy defines a comma-separated string that can contain IPs, CIDR notation, domain names - that should be excluded from proxying. IP and domain names can - contain port numbers. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: string - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - scopes: - description: scopes defines the OAuth2 scopes used for the - token request. - items: - type: string - type: array - tlsConfig: - description: |- - tlsConfig defines the TLS configuration to use when connecting to the OAuth2 server. - It requires Prometheus >= v2.43.0. - properties: - ca: - description: ca defines the Certificate authority used - when verifying server certificates. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - cert: - description: cert defines the Client certificate to - present when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing - data to use for the targets. 
- properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - insecureSkipVerify: - description: insecureSkipVerify defines how to disable - target certificate validation. - type: boolean - keySecret: - description: keySecret defines the Secret containing - the client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. 
- enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname - for the targets. - type: string - type: object - tokenUrl: - description: tokenUrl defines the URL to fetch the token - from. - minLength: 1 - type: string - required: - - clientId - - clientSecret - - tokenUrl - type: object - proxyConnectHeader: - additionalProperties: - items: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: array - description: |- - proxyConnectHeader optionally specifies headers to send to - proxies during CONNECT requests. - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: object - x-kubernetes-map-type: atomic - proxyFromEnvironment: - description: |- - proxyFromEnvironment defines whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY). - - It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. - type: boolean - proxyUrl: - description: proxyUrl defines the HTTP proxy server to use. - pattern: ^(http|https|socks5)://.+$ - type: string - queueConfig: - description: queueConfig allows tuning of the remote write queue - parameters. 
- properties: - batchSendDeadline: - description: batchSendDeadline defines the maximum time - a sample will wait in buffer. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - capacity: - description: |- - capacity defines the number of samples to buffer per shard before we start - dropping them. - type: integer - maxBackoff: - description: maxBackoff defines the maximum retry delay. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - maxRetries: - description: maxRetries defines the maximum number of times - to retry a batch on recoverable errors. - type: integer - maxSamplesPerSend: - description: maxSamplesPerSend defines the maximum number - of samples per send. - type: integer - maxShards: - description: maxShards defines the maximum number of shards, - i.e. amount of concurrency. - type: integer - minBackoff: - description: minBackoff defines the initial retry delay. - Gets doubled for every retry. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - minShards: - description: minShards defines the minimum number of shards, - i.e. amount of concurrency. - type: integer - retryOnRateLimit: - description: |- - retryOnRateLimit defines the retry upon receiving a 429 status code from the remote-write storage. - - This is an *experimental feature*, it may change in any upcoming release - in a breaking way. - type: boolean - sampleAgeLimit: - description: |- - sampleAgeLimit drops samples older than the limit. - It requires Prometheus >= v2.50.0 or Thanos >= v0.32.0. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - type: object - remoteTimeout: - description: remoteTimeout defines the timeout for requests - to the remote write endpoint. 
- pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - roundRobinDNS: - description: "roundRobinDNS controls the DNS resolution behavior - for remote-write connections.\nWhen enabled:\n - The remote-write - mechanism will resolve the hostname via DNS.\n - It will - randomly select one of the resolved IP addresses and connect - to it.\n\nWhen disabled (default behavior):\n - The Go standard - library will handle hostname resolution.\n - It will attempt - connections to each resolved IP address sequentially.\n\nNote: - The connection timeout applies to the entire resolution and - connection process.\n\n\tIf disabled, the timeout is distributed - across all connection attempts.\n\nIt requires Prometheus - >= v3.1.0 or Thanos >= v0.38.0." - type: boolean - sendExemplars: - description: |- - sendExemplars enables sending of exemplars over remote write. Note that - exemplar-storage itself must be enabled using the `spec.enableFeatures` - option for exemplars to be scraped in the first place. - - It requires Prometheus >= v2.27.0 or Thanos >= v0.24.0. - type: boolean - sendNativeHistograms: - description: |- - sendNativeHistograms enables sending of native histograms, also known as sparse histograms - over remote write. - - It requires Prometheus >= v2.40.0 or Thanos >= v0.30.0. - type: boolean - sigv4: - description: |- - sigv4 defines the AWS's Signature Verification 4 for the URL. - - It requires Prometheus >= v2.26.0 or Thanos >= v0.24.0. - - Cannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `azureAd`. - properties: - accessKey: - description: |- - accessKey defines the AWS API key. If not specified, the environment variable - `AWS_ACCESS_KEY_ID` is used. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - profile: - description: profile defines the named AWS profile used - to authenticate. - type: string - region: - description: region defines the AWS region. If blank, the - region from the default credentials chain used. - type: string - roleArn: - description: roleArn defines the named AWS profile used - to authenticate. - type: string - secretKey: - description: |- - secretKey defines the AWS API secret. If not specified, the environment - variable `AWS_SECRET_ACCESS_KEY` is used. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - useFIPSSTSEndpoint: - description: |- - useFIPSSTSEndpoint defines the FIPS mode for the AWS STS endpoint. - It requires Prometheus >= v2.54.0. - type: boolean - type: object - tlsConfig: - description: tlsConfig to use for the URL. - properties: - ca: - description: ca defines the Certificate authority used when - verifying server certificates. 
- properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - caFile: - description: caFile defines the path to the CA cert in the - Prometheus container to use for the targets. - type: string - cert: - description: cert defines the Client certificate to present - when doing client-authentication. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: certFile defines the path to the client cert - file in the Prometheus container for the targets. - type: string - insecureSkipVerify: - description: insecureSkipVerify defines how to disable target - certificate validation. - type: boolean - keyFile: - description: keyFile defines the path to the client key - file in the Prometheus container for the targets. - type: string - keySecret: - description: keySecret defines the Secret containing the - client key file for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: |- - maxVersion defines the maximum acceptable TLS version. - - It requires Prometheus >= v2.41.0 or Thanos >= v0.31.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - minVersion: - description: |- - minVersion defines the minimum acceptable TLS version. - - It requires Prometheus >= v2.35.0 or Thanos >= v0.28.0. - enum: - - TLS10 - - TLS11 - - TLS12 - - TLS13 - type: string - serverName: - description: serverName is used to verify the hostname for - the targets. - type: string - type: object - url: - description: url defines the URL of the endpoint to send samples - to. - minLength: 1 - type: string - writeRelabelConfigs: - description: writeRelabelConfigs defines the list of remote - write relabel configurations. - items: - description: |- - RelabelConfig allows dynamic rewriting of the label set for targets, alerts, - scraped samples and remote write samples. - - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config - properties: - action: - default: replace - description: |- - action to perform based on the regex matching. - - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. - `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. 
- - Default: "Replace" - enum: - - replace - - Replace - - keep - - Keep - - drop - - Drop - - hashmod - - HashMod - - labelmap - - LabelMap - - labeldrop - - LabelDrop - - labelkeep - - LabelKeep - - lowercase - - Lowercase - - uppercase - - Uppercase - - keepequal - - KeepEqual - - dropequal - - DropEqual - type: string - modulus: - description: |- - modulus to take of the hash of the source label values. - - Only applicable when the action is `HashMod`. - format: int64 - type: integer - regex: - description: regex defines the regular expression against - which the extracted value is matched. - type: string - replacement: - description: |- - replacement value against which a Replace action is performed if the - regular expression matches. - - Regex capture groups are available. - type: string - separator: - description: separator defines the string between concatenated - SourceLabels. - type: string - sourceLabels: - description: |- - sourceLabels defines the source labels select values from existing labels. Their content is - concatenated using the configured Separator and matched against the - configured regular expression. - items: - description: |- - LabelName is a valid Prometheus label name. - For Prometheus 3.x, a label name is valid if it contains UTF-8 characters. - For Prometheus 2.x, a label name is only valid if it contains ASCII characters, letters, numbers, as well as underscores. - type: string - type: array - targetLabel: - description: |- - targetLabel defines the label to which the resulting string is written in a replacement. - - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, - `KeepEqual` and `DropEqual` actions. - - Regex capture groups are available. - type: string - type: object - type: array - required: - - url - type: object - type: array - replicas: - description: replicas defines the number of thanos ruler instances - to deploy. 
- format: int32 - type: integer - resendDelay: - description: resendDelay defines the minimum amount of time to wait - before resending an alert to Alertmanager. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - resources: - description: |- - resources defines the resource requirements for single Pods. - If not provided, no requests/limits will be set - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - retention: - default: 24h - description: |- - retention defines the time duration ThanosRuler shall retain data for. Default is '24h', and - must match the regular expression `[0-9]+(ms|s|m|h|d|w|y)` (milliseconds - seconds minutes hours days weeks years). - - The field has no effect when remote-write is configured since the Ruler - operates in stateless mode. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - routePrefix: - description: routePrefix defines the route prefix ThanosRuler registers - HTTP handlers for. This allows thanos UI to be served on a sub-path. - type: string - ruleConcurrentEval: - description: |- - ruleConcurrentEval defines how many rules can be evaluated concurrently. - It requires Thanos >= v0.37.0. - format: int32 - minimum: 1 - type: integer - ruleGracePeriod: - description: |- - ruleGracePeriod defines the minimum duration between alert and restored "for" state. - This is maintained only for alerts with configured "for" time greater than grace period. - It requires Thanos >= v0.30.0. 
- pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - ruleNamespaceSelector: - description: |- - ruleNamespaceSelector defines the namespaces to be selected for Rules discovery. If unspecified, only - the same namespace as the ThanosRuler object is in is used. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - ruleOutageTolerance: - description: |- - ruleOutageTolerance defines the max time to tolerate prometheus outage for restoring "for" state of alert. - It requires Thanos >= v0.30.0. 
- pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - ruleQueryOffset: - description: |- - ruleQueryOffset defines the default rule group's query offset duration to use. - It requires Thanos >= v0.38.0. - pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ - type: string - ruleSelector: - description: |- - ruleSelector defines the PrometheusRule objects to be selected for rule evaluation. An empty - label selector matches all objects. A null label selector matches no - objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - securityContext: - description: |- - securityContext defines the pod-level security attributes and common container settings. - This defaults to the default PodSecurityContext. - properties: - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. 
- Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxChangePolicy: - description: |- - seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. - It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. - Valid values are "MountOption" and "Recursive". - - "Recursive" means relabeling of all files on all Pod volumes by the container runtime. - This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. 
- - "MountOption" mounts all eligible Pod volumes with `-o context` mount option. - This requires all Pods that share the same volume to use the same SELinux label. - It is not possible to share the same volume among privileged and unprivileged Pods. - Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes - whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their - CSIDriver instance. Other volumes are always re-labelled recursively. - "MountOption" value is allowed only when SELinuxMount feature gate is enabled. - - If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. - If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes - and "Recursive" for all other volumes. - - This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. - - All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. - Note that this field cannot be set when spec.os.name is windows. - type: string - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. 
- type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in - addition to the container's primary GID and fsGroup (if specified). If - the SupplementalGroupsPolicy feature is enabled, the - supplementalGroupsPolicy field determines whether these are in addition - to or instead of any group memberships defined in the container image. - If unspecified, no additional groups are added, though group memberships - defined in the container image may still be used, depending on the - supplementalGroupsPolicy field. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - description: |- - Defines how supplemental groups of the first container processes are calculated. - Valid values are "Merge" and "Strict". If not specified, "Merge" is used. 
- (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled - and the container runtime must implement support for this feature. - Note that this field cannot be set when spec.os.name is windows. - type: string - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA - credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. 
- type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - serviceAccountName: - description: |- - serviceAccountName defines the name of the ServiceAccount to use to run the - Thanos Ruler Pods. - type: string - serviceName: - description: |- - serviceName defines the name of the service name used by the underlying StatefulSet(s) as the governing service. - If defined, the Service must be created before the ThanosRuler resource in the same namespace and it must define a selector that matches the pod labels. - If empty, the operator will create and manage a headless service named `thanos-ruler-operated` for ThanosRuler resources. - When deploying multiple ThanosRuler resources in the same namespace, it is recommended to specify a different value for each. - See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-network-id for more details. - minLength: 1 - type: string - storage: - description: storage defines the specification of how storage shall - be used. - properties: - disableMountSubPath: - description: 'disableMountSubPath deprecated: subPath usage will - be removed in a future release.' - type: boolean - emptyDir: - description: |- - emptyDir to be used by the StatefulSet. - If specified, it takes precedence over `ephemeral` and `volumeClaimTemplate`. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral to be used by the StatefulSet. - This is a beta field in k8s 1.21 and GA in 1.15. - For lower versions, starting with k8s 1.19, it requires enabling the GenericEphemeralVolume feature gate. - More info: https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. 
Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. 
- type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. 
- If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes - to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to - the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - volumeClaimTemplate: - description: |- - volumeClaimTemplate defines the PVC spec to be used by the Prometheus StatefulSets. - The easiest way to use a volume that cannot be automatically provisioned - is to use a label selector alongside manually created PersistentVolumes. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - description: metadata defines EmbeddedMetadata contains metadata - relevant to an EmbeddedResource. - properties: - annotations: - additionalProperties: - type: string - description: |- - annotations defines an unstructured key value map stored with a resource that may be - set by external tools to store and retrieve arbitrary metadata. They are not - queryable and should be preserved when modifying objects. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - type: object - labels: - additionalProperties: - type: string - description: |- - labels define the map of string keys and values that can be used to organize and categorize - (scope and select) objects. May match selectors of replication controllers - and services. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - type: object - name: - description: |- - name must be unique within a namespace. Is required when creating resources, although - some resources may allow a client to request the generation of an appropriate name - automatically. Name is primarily intended for creation idempotence and configuration - definition. - Cannot be updated. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/ - type: string - type: object - spec: - description: |- - spec defines the specification of the characteristics of a volume requested by a pod author. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. 
- This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. 
- (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to - consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. 
If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the - PersistentVolume backing this claim. - type: string - type: object - status: - description: 'status is deprecated: this field is never set.' - properties: - accessModes: - description: |- - accessModes contains the actual access modes the volume backing the PVC has. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - allocatedResourceStatuses: - additionalProperties: - description: |- - When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource - that it does not recognizes, then it should ignore that update and let other controllers - handle it. - type: string - description: "allocatedResourceStatuses stores status - of resource being resized for the given PVC.\nKey names - follow standard Kubernetes label syntax. 
Valid values - are either:\n\t* Un-prefixed keys:\n\t\t- storage - - the capacity of the volume.\n\t* Custom resources must - use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have - kubernetes.io prefix are considered\nreserved and hence - may not be used.\n\nClaimResourceStatus can be in any - of following states:\n\t- ControllerResizeInProgress:\n\t\tState - set when resize controller starts resizing the volume - in control-plane.\n\t- ControllerResizeFailed:\n\t\tState - set when resize has failed in resize controller with - a terminal error.\n\t- NodeResizePending:\n\t\tState - set when resize controller has finished resizing the - volume but further resizing of\n\t\tvolume is needed - on the node.\n\t- NodeResizeInProgress:\n\t\tState set - when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState - set when resizing has failed in kubelet with a terminal - error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor - example: if expanding a PVC for more capacity - this - field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeFailed\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizePending\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeFailed\"\nWhen this field is not set, - it means that no resize operation is in progress for - the given PVC.\n\nA controller that receives PVC update - with previously unknown resourceName or ClaimResourceStatus\nshould - ignore the update for the purpose it was designed. 
For - example - a controller that\nonly is responsible for - resizing capacity of the volume, should ignore PVC updates - that change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - x-kubernetes-map-type: granular - allocatedResources: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: "allocatedResources tracks the resources - allocated to a PVC including its capacity.\nKey names - follow standard Kubernetes label syntax. Valid values - are either:\n\t* Un-prefixed keys:\n\t\t- storage - - the capacity of the volume.\n\t* Custom resources must - use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have - kubernetes.io prefix are considered\nreserved and hence - may not be used.\n\nCapacity reported here may be larger - than the actual capacity when a volume expansion operation\nis - requested.\nFor storage quota, the larger value from - allocatedResources and PVC.spec.resources is used.\nIf - allocatedResources is not set, PVC.spec.resources alone - is used for quota calculation.\nIf a volume expansion - capacity request is lowered, allocatedResources is only\nlowered - if there are no expansion operations in progress and - if the actual volume capacity\nis equal or lower than - the requested capacity.\n\nA controller that receives - PVC update with previously unknown resourceName\nshould - ignore the update for the purpose it was designed. 
For - example - a controller that\nonly is responsible for - resizing capacity of the volume, should ignore PVC updates - that change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - capacity: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: capacity represents the actual resources - of the underlying volume. - type: object - conditions: - description: |- - conditions is the current Condition of persistent volume claim. If underlying persistent volume is being - resized then the Condition will be set to 'Resizing'. - items: - description: PersistentVolumeClaimCondition contains - details about state of pvc - properties: - lastProbeTime: - description: lastProbeTime is the time we probed - the condition. - format: date-time - type: string - lastTransitionTime: - description: lastTransitionTime is the time the - condition transitioned from one status to another. - format: date-time - type: string - message: - description: message is the human-readable message - indicating details about last transition. - type: string - reason: - description: |- - reason is a unique, this should be a short, machine understandable string that gives the reason - for condition's last transition. If it reports "Resizing" that means the underlying - persistent volume is being resized. - type: string - status: - description: |- - Status is the status of the condition. - Can be True, False, Unknown. - More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=state%20of%20pvc-,conditions.status,-(string)%2C%20required - type: string - type: - description: |- - Type is the type of the condition. 
- More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=set%20to%20%27ResizeStarted%27.-,PersistentVolumeClaimCondition,-contains%20details%20about - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - currentVolumeAttributesClassName: - description: |- - currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. - When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim - type: string - modifyVolumeStatus: - description: |- - ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. - When this is unset, there is no ModifyVolume operation being attempted. - properties: - status: - description: "status is the status of the ControllerModifyVolume - operation. It can be in any of following states:\n - - Pending\n Pending indicates that the PersistentVolumeClaim - cannot be modified due to unmet requirements, such - as\n the specified VolumeAttributesClass not existing.\n - - InProgress\n InProgress indicates that the volume - is being modified.\n - Infeasible\n Infeasible - indicates that the request has been rejected as - invalid by the CSI driver. To\n\t resolve the error, - a valid VolumeAttributesClass needs to be specified.\nNote: - New statuses can be added in the future. Consumers - should check for unknown statuses and fail appropriately." - type: string - targetVolumeAttributesClassName: - description: targetVolumeAttributesClassName is the - name of the VolumeAttributesClass the PVC currently - being reconciled - type: string - required: - - status - type: object - phase: - description: phase represents the current phase of PersistentVolumeClaim. 
- type: string - type: object - type: object - type: object - terminationGracePeriodSeconds: - description: |- - terminationGracePeriodSeconds defines the optional duration in seconds the pod needs to terminate gracefully. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down) which may lead to data corruption. - - Defaults to 120 seconds. - format: int64 - minimum: 0 - type: integer - tolerations: - description: tolerations defines when specified, the pod's tolerations. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. 
- type: string - type: object - type: array - topologySpreadConstraints: - description: topologySpreadConstraints defines the pod's topology - spread constraints. - items: - description: TopologySpreadConstraint specifies how to spread matching - pods among the given topology. - properties: - labelSelector: - description: |- - LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine the number of pods - in their corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select the pods over which - spreading will be calculated. The keys are used to lookup values from the - incoming pod labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading will be calculated - for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't set. - Keys that don't exist in the incoming pod labels will - be ignored. A null or empty list means only match against labelSelector. - - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - description: |- - MaxSkew describes the degree to which pods may be unevenly distributed. - When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference - between the number of matching pods in the target topology and the global minimum. - The global minimum is the minimum number of matching pods in an eligible domain - or zero if the number of eligible domains is less than MinDomains. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 2/2/1: - In this case, the global minimum is 1. - | zone1 | zone2 | zone3 | - | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; - scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - - if MaxSkew is 2, incoming pod can be scheduled onto any zone. - When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence - to topologies that satisfy it. - It's a required field. Default value is 1 and 0 is not allowed. 
- format: int32 - type: integer - minDomains: - description: |- - MinDomains indicates a minimum number of eligible domains. - When the number of eligible domains with matching topology keys is less than minDomains, - Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. - And when the number of eligible domains with matching topology keys equals or greater than minDomains, - this value has no effect on scheduling. - As a result, when the number of eligible domains is less than minDomains, - scheduler won't schedule more than maxSkew Pods to those domains. - If value is nil, the constraint behaves as if MinDomains is equal to 1. - Valid values are integers greater than 0. - When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same - labelSelector spread as 2/2/2: - | zone1 | zone2 | zone3 | - | P P | P P | P P | - The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. - In this situation, new pod with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. - format: int32 - type: integer - nodeAffinityPolicy: - description: |- - NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. Options are: - - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - - If this value is nil, the behavior is equivalent to the Honor policy. - type: string - nodeTaintsPolicy: - description: |- - NodeTaintsPolicy indicates how we will treat node taints when calculating - pod topology spread skew. 
Options are: - - Honor: nodes without taints, along with tainted nodes for which the incoming pod - has a toleration, are included. - - Ignore: node taints are ignored. All nodes are included. - - If this value is nil, the behavior is equivalent to the Ignore policy. - type: string - topologyKey: - description: |- - TopologyKey is the key of node labels. Nodes that have a label with this key - and identical values are considered to be in the same topology. - We consider each as a "bucket", and try to put balanced number - of pods into each bucket. - We define a domain as a particular instance of a topology. - Also, we define an eligible domain as a domain whose nodes meet the requirements of - nodeAffinityPolicy and nodeTaintsPolicy. - e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. - And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. - It's a required field. - type: string - whenUnsatisfiable: - description: |- - WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy - the spread constraint. - - DoNotSchedule (default) tells the scheduler not to schedule it. - - ScheduleAnyway tells the scheduler to schedule the pod in any location, - but giving higher precedence to topologies that would help reduce the - skew. - A constraint is considered "Unsatisfiable" for an incoming pod - if and only if every possible node assignment for that pod would violate - "MaxSkew" on some topology. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: - | zone1 | zone2 | zone3 | - | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled - to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler - won't make it *more* imbalanced. - It's a required field. 
- type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - tracingConfig: - description: |- - tracingConfig defines the tracing configuration. - - The configuration format is defined at https://thanos.io/tip/thanos/tracing.md/#configuration - - This is an *experimental feature*, it may change in any upcoming release - in a breaking way. - - The operator performs no validation of the configuration. - - `tracingConfigFile` takes precedence over this field. - properties: - key: - description: The key of the secret to select from. Must be a - valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - tracingConfigFile: - description: |- - tracingConfigFile defines the path of the tracing configuration file. - - The configuration format is defined at https://thanos.io/tip/thanos/tracing.md/#configuration - - This is an *experimental feature*, it may change in any upcoming release - in a breaking way. - - The operator performs no validation of the configuration file. - - This field takes precedence over `tracingConfig`. - type: string - version: - description: version of Thanos to be deployed. - type: string - volumeMounts: - description: |- - volumeMounts defines how the configuration of additional VolumeMounts on the output StatefulSet definition. - VolumeMounts specified will be appended to other VolumeMounts in the ruler container, - that are generated as a result of StorageSpec objects. 
- items: - description: VolumeMount describes a mounting of a Volume within - a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. 
- Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - volumes: - description: |- - volumes defines how configuration of additional volumes on the output StatefulSet definition. Volumes specified will - be appended to other volumes that are generated as a result of StorageSpec objects. - items: - description: Volume represents a named volume in a pod that may - be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree - awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: |- - azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. - Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type - are redirected to the disk.csi.azure.com CSI driver. - properties: - cachingMode: - description: 'cachingMode is the Host Caching mode: None, - Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data disk in the - blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in the blob - storage - type: string - fsType: - default: ext4 - description: |- - fsType is Filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: multiple - blob disks per storage account Dedicated: single blob - disk per storage account Managed: azure managed data - disk (only in managed availability set). defaults to shared' - type: string - readOnly: - default: false - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: |- - azureFile represents an Azure File Service mount on the host and bind mount to the pod. - Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type - are redirected to the file.csi.azure.com CSI driver. 
- properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: secretName is the name of secret that contains - Azure Storage Account Name and Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: |- - cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. - Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - path: - description: 'path is Optional: Used as the mounted root, - rather than the full Ceph tree, default is /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - Deprecated: Cinder is deprecated. All operations for the in-tree cinder type - are redirected to the cinder.csi.openstack.org CSI driver. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. 
- More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that should populate - this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap or its - keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents ephemeral - storage that is handled by certain external CSI drivers. - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. - type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about the pod - that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume file - items: - description: DownwardAPIVolumeFile represents information - to create the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects a field of the pod: - only annotations, labels, name, namespace and uid - are supported.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. 
- type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the relative path - name of the file to be created. Must not be absolute - or contain the ''..'' path. Must be utf-8 encoded. - The first item of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. 
- The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. - The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. 
- properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. 
For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes - to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. 
- If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource that is - attached to a kubelet's host machine and then exposed to the - pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target worldwide - names (WWNs)' - items: - type: string - type: array - x-kubernetes-list-type: atomic - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. 
- properties: - driver: - description: driver is the name of the driver to use for - this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. - type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field holds extra - command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: |- - flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. - Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. 
This - is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree - gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - Deprecated: GitRepo is deprecated. 
To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the specified - revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. - Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - properties: - endpoints: - description: endpoints is the endpoint name that details - Glusterfs topology. - type: string - path: - description: |- - path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - image: - description: |- - image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. - The volume is resolved at pod startup depending on which PullPolicy value is provided: - - - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - - The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. - A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. - The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. - The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. - The volume will be mounted read-only (ro) and non-executable files (noexec). - Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. - The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. 
- properties: - pullPolicy: - description: |- - Policy for pulling OCI objects. Possible values are: - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - type: string - reference: - description: |- - Required: Image or artifact reference to be used. - Behaves in the same way as pod.spec.containers[*].image. - Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether support iSCSI - Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support iSCSI - Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified Name. - type: string - iscsiInterface: - default: default - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - x-kubernetes-list-type: atomic - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for iSCSI target - and initiator authentication - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: |- - photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. - Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. 
"ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon Controller - persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: |- - portworxVolume represents a portworx volume attached and mounted on kubelets host machine. - Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type - are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate - is on. - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources secrets, - configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: |- - sources is the list of volume projections. Each entry in this list - handles one source. - items: - description: |- - Projection that may be projected along with other supported volume types. - Exactly one of these fields must be set. 
- properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the volume root - to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about the configMap - data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. 
Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about the downwardAPI - data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a field - of the pod: only annotations, labels, - name, namespace and uid are supported.' 
- properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, - defaults to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' - path. Must be utf-8 encoded. The first - item of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults - to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to - select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podCertificate: - description: |- - Projects an auto-rotating credential bundle (private key and certificate - chain) that the pod can use either as a TLS client or server. - - Kubelet generates a private key and uses it to send a - PodCertificateRequest to the named signer. Once the signer approves the - request and issues a certificate chain, Kubelet writes the key and - certificate chain to the pod filesystem. The pod does not start until - certificates have been issued for each podCertificate projected volume - source in its spec. - - Kubelet will begin trying to rotate the certificate at the time indicated - by the signer using the PodCertificateRequest.Status.BeginRefreshAt - timestamp. - - Kubelet can write a single file, indicated by the credentialBundlePath - field, or separate files, indicated by the keyPath and - certificateChainPath fields. - - The credential bundle is a single file in PEM format. The first PEM - entry is the private key (in PKCS#8 format), and the remaining PEM - entries are the certificate chain issued by the signer (typically, - signers will return their certificate chain in leaf-to-root order). - - Prefer using the credential bundle format, since your application code - can read it atomically. 
If you use keyPath and certificateChainPath, - your application must make two separate file reads. If these coincide - with a certificate rotation, it is possible that the private key and leaf - certificate you read may not correspond to each other. Your application - will need to check for this condition, and re-read until they are - consistent. - - The named signer controls chooses the format of the certificate it - issues; consult the signer implementation's documentation to learn how to - use the certificates it issues. - properties: - certificateChainPath: - description: |- - Write the certificate chain at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - credentialBundlePath: - description: |- - Write the credential bundle at this path in the projected volume. - - The credential bundle is a single file that contains multiple PEM blocks. - The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private - key. - - The remaining blocks are CERTIFICATE blocks, containing the issued - certificate chain from the signer (leaf and any intermediates). - - Using credentialBundlePath lets your Pod's application code make a single - atomic read that retrieves a consistent key and certificate chain. If you - project them to separate files, your application code will need to - additionally check that the leaf certificate was issued to the key. - type: string - keyPath: - description: |- - Write the key at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. 
- type: string - keyType: - description: |- - The type of keypair Kubelet will generate for the pod. - - Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", - "ECDSAP521", and "ED25519". - type: string - maxExpirationSeconds: - description: |- - maxExpirationSeconds is the maximum lifetime permitted for the - certificate. - - Kubelet copies this value verbatim into the PodCertificateRequests it - generates for this projection. - - If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver - will reject values shorter than 3600 (1 hour). The maximum allowable - value is 7862400 (91 days). - - The signer implementation is then free to issue a certificate with any - lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 - seconds (1 hour). This constraint is enforced by kube-apiserver. - `kubernetes.io` signers will never issue certificates with a lifetime - longer than 24 hours. - format: int32 - type: integer - signerName: - description: Kubelet's generated CSRs will be - addressed to this signer. - type: string - required: - - keyType - - signerName - type: object - secret: - description: secret information about the secret data - to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. 
- Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify whether the - Secret or its key must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information about - the serviceAccountToken data to project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. 
The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - quobyte: - description: |- - quobyte represents a Quobyte mount on the host that shares a pod's lifetime. - Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. - type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references an already - created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. - Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. 
- Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - default: /etc/ceph/keyring - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - pool: - default: rbd - description: |- - pool is the rados pool name. - Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - default: admin - description: |- - user is the rados user name. - Default is admin. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: |- - scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. - Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. - properties: - fsType: - default: xfs - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the ScaleIO - API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the ScaleIO - Protection Domain for the configured storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL communication - with Gateway, default false - type: boolean - storageMode: - default: ThinProvisioned - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage Pool associated - with the protection domain. 
- type: string - system: - description: system is the name of the storage system as - configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
- YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret or - its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: |- - storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. - Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: |- - vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. - Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type - are redirected to the csi.vsphere.vmware.com CSI driver. - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy Based - Management (SPBM) profile ID associated with the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage Policy Based - Management (SPBM) profile name. - type: string - volumePath: - description: volumePath is the path that identifies vSphere - volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - web: - description: web defines the configuration of the ThanosRuler web - server. 
- properties: - httpConfig: - description: httpConfig defines HTTP parameters for web server. - properties: - headers: - description: headers defines a list of headers that can be - added to HTTP responses. - properties: - contentSecurityPolicy: - description: |- - contentSecurityPolicy defines the Content-Security-Policy header to HTTP responses. - Unset if blank. - type: string - strictTransportSecurity: - description: |- - strictTransportSecurity defines the Strict-Transport-Security header to HTTP responses. - Unset if blank. - Please make sure that you use this with care as this header might force - browsers to load Prometheus and the other applications hosted on the same - domain and subdomains over HTTPS. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security - type: string - xContentTypeOptions: - description: |- - xContentTypeOptions defines the X-Content-Type-Options header to HTTP responses. - Unset if blank. Accepted value is nosniff. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options - enum: - - "" - - NoSniff - type: string - xFrameOptions: - description: |- - xFrameOptions defines the X-Frame-Options header to HTTP responses. - Unset if blank. Accepted values are deny and sameorigin. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options - enum: - - "" - - Deny - - SameOrigin - type: string - xXSSProtection: - description: |- - xXSSProtection defines the X-XSS-Protection header to all responses. - Unset if blank. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection - type: string - type: object - http2: - description: |- - http2 enable HTTP/2 support. Note that HTTP/2 is only supported with TLS. - When TLSConfig is not configured, HTTP/2 will be disabled. - Whenever the value of the field changes, a rolling update will be triggered. - type: boolean - type: object - tlsConfig: - description: tlsConfig defines the TLS parameters for HTTPS. 
- properties: - cert: - description: |- - cert defines the Secret or ConfigMap containing the TLS certificate for the web server. - - Either `keySecret` or `keyFile` must be defined. - - It is mutually exclusive with `certFile`. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - certFile: - description: |- - certFile defines the path to the TLS certificate file in the container for the web server. - - Either `keySecret` or `keyFile` must be defined. - - It is mutually exclusive with `cert`. 
- type: string - cipherSuites: - description: |- - cipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2. - - If not defined, the Go default cipher suites are used. - Available cipher suites are documented in the Go documentation: - https://golang.org/pkg/crypto/tls/#pkg-constants - items: - type: string - type: array - client_ca: - description: |- - client_ca defines the Secret or ConfigMap containing the CA certificate for client certificate - authentication to the server. - - It is mutually exclusive with `clientCAFile`. - properties: - configMap: - description: configMap defines the ConfigMap containing - data to use for the targets. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secret: - description: secret defines the Secret containing data - to use for the targets. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - clientAuthType: - description: |- - clientAuthType defines the server policy for client TLS authentication. - - For more detail on clientAuth options: - https://golang.org/pkg/crypto/tls/#ClientAuthType - type: string - clientCAFile: - description: |- - clientCAFile defines the path to the CA certificate file for client certificate authentication to - the server. - - It is mutually exclusive with `client_ca`. - type: string - curvePreferences: - description: |- - curvePreferences defines elliptic curves that will be used in an ECDHE handshake, in preference - order. - - Available curves are documented in the Go documentation: - https://golang.org/pkg/crypto/tls/#CurveID - items: - type: string - type: array - keyFile: - description: |- - keyFile defines the path to the TLS private key file in the container for the web server. - - If defined, either `cert` or `certFile` must be defined. - - It is mutually exclusive with `keySecret`. - type: string - keySecret: - description: |- - keySecret defines the secret containing the TLS private key for the web server. - - Either `cert` or `certFile` must be defined. - - It is mutually exclusive with `keyFile`. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - maxVersion: - description: maxVersion defines the Maximum TLS version that - is acceptable. - type: string - minVersion: - description: minVersion defines the minimum TLS version that - is acceptable. - type: string - preferServerCipherSuites: - description: |- - preferServerCipherSuites defines whether the server selects the client's most preferred cipher - suite, or the server's most preferred cipher suite. - - If true then the server's preference, as expressed in - the order of elements in cipherSuites, is used. - type: boolean - type: object - type: object - type: object - status: - description: |- - status defines the most recent observed status of the ThanosRuler cluster. Read-only. - More info: - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - properties: - availableReplicas: - description: |- - availableReplicas defines the total number of available pods (ready for at least minReadySeconds) - targeted by this ThanosRuler deployment. - format: int32 - type: integer - conditions: - description: conditions defines the current state of the ThanosRuler - object. - items: - description: |- - Condition represents the state of the resources associated with the - Prometheus, Alertmanager or ThanosRuler resource. - properties: - lastTransitionTime: - description: lastTransitionTime is the time of the last update - to the current status property. - format: date-time - type: string - message: - description: message defines human-readable message indicating - details for the condition's last transition. 
- type: string - observedGeneration: - description: |- - observedGeneration defines the .metadata.generation that the - condition was set based upon. For instance, if `.metadata.generation` is - currently 12, but the `.status.conditions[].observedGeneration` is 9, the - condition is out of date with respect to the current state of the - instance. - format: int64 - type: integer - reason: - description: reason for the condition's last transition. - type: string - status: - description: status of the condition. - minLength: 1 - type: string - type: - description: type of the condition being reported. - minLength: 1 - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - paused: - description: |- - paused defines whether any actions on the underlying managed objects are - being performed. Only delete actions will be performed. - type: boolean - replicas: - description: |- - replicas defines the total number of non-terminated pods targeted by this ThanosRuler deployment - (their labels match the selector). - format: int32 - type: integer - unavailableReplicas: - description: unavailableReplicas defines the total number of unavailable - pods targeted by this ThanosRuler deployment. - format: int32 - type: integer - updatedReplicas: - description: |- - updatedReplicas defines the total number of non-terminated pods targeted by this ThanosRuler deployment - that have the desired version spec. 
- format: int32 - type: integer - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-alertmanagerconfigs.yaml -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.87.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-alertmanagers.yaml -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.87.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-podmonitors.yaml -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.87.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-probes.yaml -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.87.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-prometheusagents.yaml -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.87.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-prometheuses.yaml -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.87.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-prometheusrules.yaml -# 
https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.87.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-scrapeconfigs.yaml -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.87.0/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-servicemonitors.yaml -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.87.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml ---- -# Source: prometheus-operator-crds/charts/prometheus-operator-crds/charts/crds/templates/crd-thanosrulers.yaml -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.87.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml diff --git a/clusters/cl01tl/manifests/prowlarr/prowlarr.yaml b/clusters/cl01tl/manifests/prowlarr/prowlarr.yaml deleted file mode 100644 index a080129ea..000000000 --- a/clusters/cl01tl/manifests/prowlarr/prowlarr.yaml +++ /dev/null 
@@ -1,235 +0,0 @@ ---- -# Source: prowlarr/charts/prowlarr/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: prowlarr-config - labels: - app.kubernetes.io/instance: prowlarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: prowlarr - helm.sh/chart: prowlarr-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: prowlarr -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: prowlarr/charts/prowlarr/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: prowlarr - labels: - app.kubernetes.io/instance: prowlarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: prowlarr - app.kubernetes.io/service: prowlarr - helm.sh/chart: prowlarr-4.4.0 - namespace: prowlarr -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 9696 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: prowlarr - app.kubernetes.io/name: prowlarr ---- -# Source: prowlarr/charts/prowlarr/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: prowlarr - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: prowlarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: prowlarr - helm.sh/chart: prowlarr-4.4.0 - namespace: prowlarr -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: prowlarr - app.kubernetes.io/instance: prowlarr - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: prowlarr - app.kubernetes.io/name: prowlarr - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - securityContext: - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 568 - runAsUser: 568 - supplementalGroups: - - 44 - 
- 100 - - 109 - - 65539 - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - image: ghcr.io/linuxserver/prowlarr:2.3.0@sha256:475853535de3de8441b87c1457c30f2e695f4831228b12b6b7274e9da409d874 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /config - name: config - volumes: - - name: config - persistentVolumeClaim: - claimName: prowlarr-config ---- -# Source: prowlarr/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: prowlarr-config-backup-secret - namespace: prowlarr - labels: - app.kubernetes.io/name: prowlarr-config-backup-secret - app.kubernetes.io/instance: prowlarr - app.kubernetes.io/part-of: prowlarr -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/prowlarr/prowlarr-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - 
property: secret_key ---- -# Source: prowlarr/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-prowlarr - namespace: prowlarr - labels: - app.kubernetes.io/name: http-route-prowlarr - app.kubernetes.io/instance: prowlarr - app.kubernetes.io/part-of: prowlarr -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - prowlarr.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: prowlarr - port: 80 - weight: 100 ---- -# Source: prowlarr/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: prowlarr-config-backup-source - namespace: prowlarr - labels: - app.kubernetes.io/name: prowlarr-config-backup-source - app.kubernetes.io/instance: prowlarr - app.kubernetes.io/part-of: prowlarr -spec: - sourcePVC: prowlarr-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: prowlarr-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - moverSecurityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch - supplementalGroups: - - 44 - - 100 - - 109 - - 65539 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot diff --git a/clusters/cl01tl/manifests/qbittorrent/qbittorrent.yaml b/clusters/cl01tl/manifests/qbittorrent/qbittorrent.yaml deleted file mode 100644 index 22a2d8794..000000000 --- a/clusters/cl01tl/manifests/qbittorrent/qbittorrent.yaml +++ /dev/null 
@@ -1,1009 +0,0 @@ ---- -# Source: qbittorrent/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: qbittorrent - labels: - app.kubernetes.io/name: qbittorrent - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/part-of: qbittorrent - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged ---- -# Source: qbittorrent/templates/config-map.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: glutun-update-script - namespace: qbittorrent - labels: - app.kubernetes.io/name: glutun-update-script - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/part-of: qbittorrent -data: - update.sh: | - if ! command -v curl 2>&1 >/dev/null - then - echo "curl could not be found, installing"; - apk add curl; - fi; - echo "updating port with $1"; - curl -i -X POST -d "json={\"listen_port\": \"${1}\"}" "http://localhost:8080/api/v2/app/setPreferences"; ---- -# Source: qbittorrent/templates/config-map.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: qbit-manage-config - namespace: qbittorrent - labels: - app.kubernetes.io/name: qbit-manage-config - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/part-of: qbittorrent -data: - config.yml: | - # Please refer to the link below for more details on how to set up the configuration file - # https://github.com/StuffAnThings/qbit_manage/wiki/Config-Setup - - commands: - dry_run: false - recheck: true - cat_update: true - tag_update: true - rem_unregistered: true - tag_tracker_error: true - rem_orphaned: true - tag_nohardlinks: false - share_limits: true - skip_qb_version_check: true - skip_cleanup: false - - qbt: - host: qbittorrent.qbittorrent:8080 - user: - pass: - - settings: - force_auto_tmm: true - tracker_error_tag: tracker-error - share_limits_tag: share-limit - share_limits_min_seeding_time_tag: seed-time-not-reached - cat_filter_completed: false - share_limits_filter_completed: false - 
rem_unregistered_filter_completed: false - cat_update_all: true - disable_qbt_default_share_limits: true - tag_stalled_torrents: true - nohardlinks_tag: no-hardlinks - stalled_tag: stalled - share_limits_min_num_seeds_tag: min-seeds-not-reached - share_limits_last_active_tag: last-active-not-reached - tag_nohardlinks_filter_completed: true - force_auto_tmm_ignore_tags: [] - rem_unregistered_ignore_list: [] - - directory: - root_dir: /mnt/store/Torrent/ - recycle_bin: /qbittorrent/Trash - torrents_dir: /qbittorrent/qBittorrent/BT_backup - orphaned_dir: /qbittorrent/Orphaned - - cat: - lidarr: /mnt/store/Torrent/FINISHED/LIDARR - prowlarr: /mnt/store/Torrent/FINISHED/SAVE - radarr: /mnt/store/Torrent/FINISHED/RADARR - radarr-4k: /mnt/store/Torrent/FINISHED/RADARR4K - radarr-anime: /mnt/store/Torrent/FINISHED/RADARRANIME - radarr-standup: /mnt/store/Torrent/FINISHED/RADARRSTANDUP - sonarr: /mnt/store/Torrent/FINISHED/SONARR - sonarr-4k: /mnt/store/Torrent/FINISHED/SONARR4K - sonarr-anime: /mnt/store/Torrent/FINISHED/SONARRANIME - -< ZIM: /mnt/store/Kiwix - -< SAVE: /mnt/store/Torrent/FINISHED/SAVE - -< IMPORT: /mnt/store/Torrent/FINISHED/IMPORT - -< COMPLETED: /mnt/store/Torrent/FINISHED/COMPLETED - - tracker: - alpharatio.cc: - tag: AlphaRatio - avistaz: - tag: Avistaz - cathode-ray.tube: - tag: CathodeRayTube - mvgroup.org: - tag: MVGroup - torrentleech|tleechreload: - tag: TorrentLeech - archive.org: - tag: InternetArchive - openzim.org: - tag: Zim - coppersurfer.tk|arenabg.com|explodie.org|tfile.co|1337x.org|zer0day.to|i2p.rocks|ccc.de|nwps.ws|opentrackr.org: - tag: Other - - share_limits: - private: - priority: 1 - include_any_tags: - - AlphaRatio - - TorrentLeech - categories: - - -< COMPLETED - max_ratio: 2.0 - min_seeding_time: 14d - max_seeding_time: 30d - min_num_seeds: 2 - last_active: 3d - cleanup: true - # save: - # priority: 2 - # categories: - # - -< SAVE - # max_ratio: 2.0 - # min_seeding_time: 14d - # max_seeding_time: 30d - # min_num_seeds: 2 - # 
last_active: 30d - # cleanup: false - # zim: - # priority: 3 - # categories: - # - -< ZIM - # max_ratio: 2.0 - # min_seeding_time: 14d - # max_seeding_time: 30d - # min_num_seeds: 2 - # last_active: 30d - # cleanup: false - default: - priority: 999 - include_any_tags: - - Other - categories: - - -< COMPLETED - max_seeding_time: 3d - limit_upload_speed: 100 - cleanup: true - - recyclebin: - enabled: true - empty_after_x_days: 7 - save_torrents: true - split_by_category: true - - orphaned: - empty_after_x_days: 30 - exclude_patterns: - - /mnt/store/Torrent/QBITTORRENT/* - - /mnt/store/Torrent/TORRENT/* - - /mnt/store/Torrent/DOWNLOADING/* - - '**/.DS_Store' - - '**/Thumbs.db' - - '**/@eaDir' - - '**/*.!qB' - - '**/*_unpackerred' - max_orphaned_files_to_delete: 50 - - # apprise: - # api_url: http://localhost:8000/notify - # notify_url: "" - # - # webhooks: - # error: apprise - # run_start: apprise - # run_end: apprise - # function: - # rem_orphaned: apprise - # cleanup_dirs: apprise - # tag_tracker_error: - # share_limits: ---- -# Source: qbittorrent/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: qbittorrent-config - namespace: qbittorrent - labels: - app.kubernetes.io/name: qbittorrent-config - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/part-of: qbittorrent -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage/Torrent/QBITTORRENT - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: qbittorrent/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: qbittorrent-nfs-storage - namespace: qbittorrent - labels: - app.kubernetes.io/name: qbittorrent-nfs-storage - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/part-of: qbittorrent -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: 
nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: qbittorrent/charts/qbittorrent/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: qbittorrent-qui-config-data - labels: - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: qbittorrent - helm.sh/chart: qbittorrent-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: qbittorrent -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "1Gi" - storageClassName: "ceph-block" ---- -# Source: qbittorrent/charts/qbittorrent/templates/common.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: qbittorrent-theme-data - labels: - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: qbittorrent - helm.sh/chart: qbittorrent-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: qbittorrent -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "1Gi" - storageClassName: "ceph-block" ---- -# Source: qbittorrent/charts/qbittorrent/templates/common.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: qbittorrent-qbit-manage-config-data - labels: - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: qbittorrent - helm.sh/chart: qbittorrent-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: qbittorrent -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "1Gi" - storageClassName: "ceph-block" ---- -# Source: qbittorrent/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: qbittorrent-config - namespace: qbittorrent - labels: - app.kubernetes.io/name: qbittorrent-config - app.kubernetes.io/instance: 
qbittorrent - app.kubernetes.io/part-of: qbittorrent -spec: - volumeName: qbittorrent-config - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: qbittorrent/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: qbittorrent-nfs-storage - namespace: qbittorrent - labels: - app.kubernetes.io/name: qbittorrent-nfs-storage - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/part-of: qbittorrent -spec: - volumeName: qbittorrent-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: qbittorrent/charts/qbittorrent/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: qbittorrent - labels: - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: qbittorrent - app.kubernetes.io/service: qbittorrent - helm.sh/chart: qbittorrent-4.4.0 - namespace: qbittorrent -spec: - type: ClusterIP - ports: - - port: 9999 - targetPort: 9999 - protocol: TCP - name: health - - port: 8080 - targetPort: 8080 - protocol: TCP - name: http - - port: 9022 - targetPort: 9022 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/name: qbittorrent ---- -# Source: qbittorrent/charts/qbittorrent/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: qbittorrent-qbit-manage - labels: - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: qbittorrent - app.kubernetes.io/service: qbittorrent-qbit-manage - helm.sh/chart: qbittorrent-4.4.0 - namespace: qbittorrent -spec: - type: ClusterIP - ports: - - port: 8000 - targetPort: 8000 - protocol: TCP - name: apprise - selector: - app.kubernetes.io/controller: qbit-manage - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/name: 
qbittorrent ---- -# Source: qbittorrent/charts/qbittorrent/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: qbittorrent-qui - labels: - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: qbittorrent - app.kubernetes.io/service: qbittorrent-qui - helm.sh/chart: qbittorrent-4.4.0 - namespace: qbittorrent -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 7476 - protocol: TCP - name: http - - port: 9074 - targetPort: 9074 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: qui - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/name: qbittorrent ---- -# Source: qbittorrent/charts/qbittorrent/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: qbittorrent-qui - labels: - app.kubernetes.io/controller: qui - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: qbittorrent - helm.sh/chart: qbittorrent-4.4.0 - namespace: qbittorrent -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: qui - app.kubernetes.io/name: qbittorrent - app.kubernetes.io/instance: qbittorrent - template: - metadata: - labels: - app.kubernetes.io/controller: qui - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/name: qbittorrent - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: QUI__METRICS_ENABLED - value: "true" - - name: QUI__METRICS_HOST - value: 0.0.0.0 - - name: QUI__METRICS_PORT - value: "9074" - - name: QUI__OIDC_ENABLED - value: "true" - - name: QUI__OIDC_ISSUER - value: https://auth.alexlebens.dev/application/o/qui/ - - name: QUI__OIDC_CLIENT_ID - valueFrom: - secretKeyRef: - key: client - name: qui-oidc-secret - - name: 
QUI__OIDC_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: secret - name: qui-oidc-secret - - name: QUI__OIDC_REDIRECT_URL - value: https://qui.alexlebens.net/api/auth/oidc/callback - - name: QUI__OIDC_DISABLE_BUILT_IN_LOGIN - value: "false" - image: ghcr.io/autobrr/qui:v1.8.1 - imagePullPolicy: IfNotPresent - name: qui - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /config - name: qui-config-data - volumes: - - name: qui-config-data - persistentVolumeClaim: - claimName: qbittorrent-qui-config-data ---- -# Source: qbittorrent/charts/qbittorrent/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: qbittorrent-main - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: qbittorrent - helm.sh/chart: qbittorrent-4.4.0 - namespace: qbittorrent -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: qbittorrent - app.kubernetes.io/instance: qbittorrent - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: qbittorrent - app.kubernetes.io/name: qbittorrent - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - initContainers: - - args: - - -ec - - | - sysctl -w net.ipv4.ip_forward=1; - sysctl -w net.ipv6.conf.all.disable_ipv6=1 - command: - - /bin/sh - image: busybox:1.37.0 - imagePullPolicy: IfNotPresent - name: init-sysctl - resources: - requests: - cpu: 10m - memory: 128Mi - securityContext: - privileged: true - containers: - - env: - - name: QBITTORRENT_HOST - value: localhost - - name: QBITTORRENT_PORT - value: "8080" - - name: EXPORTER_PORT - value: "9022" - - name: EXPORTER_LOG_LEVEL - value: INFO - image: 
esanchezm/prometheus-qbittorrent-exporter:v1.6.0
- imagePullPolicy: IfNotPresent
- name: exporter
- resources:
- requests:
- cpu: 10m
- memory: 64Mi
- - env:
- - name: VPN_SERVICE_PROVIDER
- value: protonvpn
- - name: VPN_TYPE
- value: wireguard
- - name: WIREGUARD_PRIVATE_KEY
- valueFrom:
- secretKeyRef:
- key: private-key
- name: qbittorrent-wireguard-conf
- - name: VPN_PORT_FORWARDING
- value: "on"
- - name: VPN_PORT_FORWARDING_UP_COMMAND
- value: /bin/sh -c "/gluetun/update.sh {{PORTS}}"
- - name: PORT_FORWARD_ONLY
- value: "on"
- - name: FIREWALL_OUTBOUND_SUBNETS
- value: 192.168.1.0/24,10.244.0.0/16
- - name: FIREWALL_INPUT_PORTS
- value: 8080,9022
- - name: DOT
- value: "off"
- image: ghcr.io/qdm12/gluetun:v3.40.3@sha256:ef4a44819a60469682c7b5e69183e6401171891feaa60186652d292c59e41b30
- imagePullPolicy: IfNotPresent
- name: gluetun
- resources:
- limits:
- devic.es/tun: "1"
- requests:
- cpu: 10m
- devic.es/tun: "1"
- memory: 64Mi
- securityContext:
- capabilities:
- add:
- - NET_ADMIN
- - SYS_MODULE
- privileged: true
- volumeMounts:
- - mountPath: /gluetun/update.sh
- name: update-script
- subPath: update.sh
- - env:
- - name: TZ
- value: US/Central
- - name: PUID
- value: "1000"
- - name: PGID
- value: "1000"
- - name: UMASK_SET
- value: "002"
- - name: WEBUI_PORT
- value: "8080"
- - name: DOCKER_MODS
- value: ghcr.io/themepark-dev/theme.park:qbittorrent
- - name: TP_COMMUNITY_THEME
- value: "true"
- - name: TP_THEME
- value: catppuccin-mocha
- image: ghcr.io/linuxserver/qbittorrent:5.1.4@sha256:a2eedc99b4876916943bd33e7c415efc448f6b514aa39b4f98c1e6472a717301
- imagePullPolicy: IfNotPresent
- name: qbittorrent
- resources:
- requests:
- cpu: 500m
- memory: 1Gi
- volumeMounts:
- - mountPath: /config
- name: config
- - mountPath: /mnt/store
- name: storage
- - mountPath: /themepark
- name: theme-data
- volumes:
- - name: config
- persistentVolumeClaim:
- claimName: qbittorrent-config
- - name: storage
- persistentVolumeClaim:
- claimName:
qbittorrent-nfs-storage
- - name: theme-data
- persistentVolumeClaim:
- claimName: qbittorrent-theme-data
- - configMap:
- defaultMode: 493
- name: glutun-update-script
- name: update-script
----
-# Source: qbittorrent/charts/qbittorrent/templates/common.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: qbittorrent-qbit-manage
- labels:
- app.kubernetes.io/controller: qbit-manage
- app.kubernetes.io/instance: qbittorrent
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: qbittorrent
- helm.sh/chart: qbittorrent-4.4.0
- annotations:
- reloader.stakater.com/auto: "true"
- namespace: qbittorrent
-spec:
- revisionHistoryLimit: 3
- replicas: 1
- strategy:
- type: Recreate
- selector:
- matchLabels:
- app.kubernetes.io/controller: qbit-manage
- app.kubernetes.io/name: qbittorrent
- app.kubernetes.io/instance: qbittorrent
- template:
- metadata:
- labels:
- app.kubernetes.io/controller: qbit-manage
- app.kubernetes.io/instance: qbittorrent
- app.kubernetes.io/name: qbittorrent
- spec:
- enableServiceLinks: false
- serviceAccountName: default
- automountServiceAccountToken: true
- hostIPC: false
- hostNetwork: false
- hostPID: false
- dnsPolicy: ClusterFirst
- initContainers:
- - command:
- - /bin/sh
- - -ec
- - |
- cp /config/config.yml /app/config/config.yml
- image: busybox:1.37.0
- imagePullPolicy: IfNotPresent
- name: init-copy-config
- resources:
- requests:
- cpu: 10m
- memory: 128Mi
- volumeMounts:
- - mountPath: /config/config.yml
- mountPropagation: None
- name: qbit-manage-config
- readOnly: true
- subPath: config.yml
- - mountPath: /app/config
- name: qbit-manage-config-data
- containers:
- - env:
- - name: TZ
- value: US/Central
- - name: PGID
- value: "1000"
- - name: PUID
- value: "1000"
- - name: APPRISE_STORAGE_MODE
- value: memory
- - name: APPRISE_STATEFUL_MODE
- value: disabled
- - name: APPRISE_WORKER_COUNT
- value: "1"
- - name: APPRISE_STATELESS_URLS
- valueFrom:
- secretKeyRef:
- key: ntfy-url
- name:
qbittorrent-qbit-manage-config
- image: caronc/apprise:1.2.6
- imagePullPolicy: IfNotPresent
- name: apprise-api
- resources:
- requests:
- cpu: 10m
- memory: 128Mi
- - env:
- - name: TZ
- value: US/Central
- - name: QBT_SCHEDULE
- value: 0 * * * *
- - name: QBT_STARTUP_DELAY
- value: "360"
- - name: QBT_CONFIG_DIR
- value: /app/config/
- - name: QBT_LOGFILE
- value: /app/var/activity.log
- - name: QBT_LOG_LEVEL
- value: INFO
- image: ghcr.io/stuffanthings/qbit_manage:v4.6.5
- imagePullPolicy: IfNotPresent
- name: qbit-manage
- resources:
- requests:
- cpu: 10m
- memory: 64Mi
- volumeMounts:
- - mountPath: /qbittorrent
- name: config
- - mountPath: /config/config.yml
- mountPropagation: None
- name: qbit-manage-config
- readOnly: true
- subPath: config.yml
- - mountPath: /app/config
- name: qbit-manage-config-data
- - mountPath: /app/var
- name: qbit-manage-config-var
- - mountPath: /mnt/store
- name: storage
- volumes:
- - name: config
- persistentVolumeClaim:
- claimName: qbittorrent-config
- - configMap:
- name: qbit-manage-config
- name: qbit-manage-config
- - name: qbit-manage-config-data
- persistentVolumeClaim:
- claimName: qbittorrent-qbit-manage-config-data
- - emptyDir: {}
- name: qbit-manage-config-var
- - name: storage
- persistentVolumeClaim:
- claimName: qbittorrent-nfs-storage
----
-# Source: qbittorrent/templates/external-secret.yaml
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: qbittorrent-wireguard-conf
- namespace: qbittorrent
- labels:
- app.kubernetes.io/name: qbittorrent-wireguard-conf
- app.kubernetes.io/instance: qbittorrent
- app.kubernetes.io/part-of: qbittorrent
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault
- data:
- - secretKey: private-key
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /protonvpn/conf/cl01tl
- metadataPolicy: None
- property: private-key
----
-# Source: qbittorrent/templates/external-secret.yaml
-apiVersion: external-secrets.io/v1
-kind:
ExternalSecret
-metadata:
- name: qbittorrent-qbit-manage-config
- namespace: qbittorrent
- labels:
- app.kubernetes.io/name: qbittorrent-qbit-manage-config
- app.kubernetes.io/instance: qbittorrent
- app.kubernetes.io/part-of: qbittorrent
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault
- data:
- - secretKey: ntfy-url
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /cl01tl/qbittorrent/qbit-manage
- metadataPolicy: None
- property: ntfy-url
----
-# Source: qbittorrent/templates/external-secret.yaml
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: qui-oidc-secret
- namespace: qbittorrent
- labels:
- app.kubernetes.io/name: qui-oidc-secret
- app.kubernetes.io/instance: qbittorrent
- app.kubernetes.io/part-of: qbittorrent
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault
- data:
- - secretKey: secret
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /authentik/oidc/qui
- metadataPolicy: None
- property: secret
- - secretKey: client
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /authentik/oidc/qui
- metadataPolicy: None
- property: client
----
-# Source: qbittorrent/templates/http-route.yaml
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: http-route-qbittorrent
- namespace: qbittorrent
- labels:
- app.kubernetes.io/name: http-route-qbittorrent
- app.kubernetes.io/instance: qbittorrent
- app.kubernetes.io/part-of: qbittorrent
-spec:
- parentRefs:
- - group: gateway.networking.k8s.io
- kind: Gateway
- name: traefik-gateway
- namespace: traefik
- hostnames:
- - qbittorrent.alexlebens.net
- rules:
- - matches:
- - path:
- type: PathPrefix
- value: /
- backendRefs:
- - group: ''
- kind: Service
- name: qbittorrent
- port: 8080
- weight: 100
----
-# Source: qbittorrent/templates/http-route.yaml
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: http-route-qui
- namespace:
qbittorrent
- labels:
- app.kubernetes.io/name: http-route-qui
- app.kubernetes.io/instance: qbittorrent
- app.kubernetes.io/part-of: qbittorrent
-spec:
- parentRefs:
- - group: gateway.networking.k8s.io
- kind: Gateway
- name: traefik-gateway
- namespace: traefik
- hostnames:
- - qui.alexlebens.net
- rules:
- - matches:
- - path:
- type: PathPrefix
- value: /
- backendRefs:
- - group: ''
- kind: Service
- name: qbittorrent-qui
- port: 80
- weight: 100
----
-# Source: qbittorrent/templates/service-monitor.yaml
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: qbittorrent
- namespace: qbittorrent
- labels:
- app.kubernetes.io/name: qbittorrent
- app.kubernetes.io/instance: qbittorrent
- app.kubernetes.io/part-of: qbittorrent
-spec:
- endpoints:
- - port: metrics
- interval: 30s
- scrapeTimeout: 15s
- path: /metrics
- selector:
- matchLabels:
- app.kubernetes.io/service: qbittorrent
- app.kubernetes.io/name: qbittorrent
- app.kubernetes.io/instance: qbittorrent
----
-# Source: qbittorrent/templates/service-monitor.yaml
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: qbittorrent-apprise
- namespace: qbittorrent
- labels:
- app.kubernetes.io/name: qbittorrent-apprise
- app.kubernetes.io/instance: qbittorrent
- app.kubernetes.io/part-of: qbittorrent
-spec:
- endpoints:
- - port: apprise
- interval: 30s
- scrapeTimeout: 15s
- path: /metrics
- selector:
- matchLabels:
- app.kubernetes.io/service: qbittorrent-qbit-manage
- app.kubernetes.io/name: qbittorrent
- app.kubernetes.io/instance: qbittorrent
----
-# Source: qbittorrent/templates/service-monitor.yaml
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: qbittorrent-qui
- namespace: qbittorrent
- labels:
- app.kubernetes.io/name: qbittorrent-qui
- app.kubernetes.io/instance: qbittorrent
- app.kubernetes.io/part-of: qbittorrent
-spec:
- endpoints:
- - port: metrics
- interval: 30s
- scrapeTimeout: 15s
- path: /metrics
- selector:
-
matchLabels:
- app.kubernetes.io/service: qbittorrent-qui
- app.kubernetes.io/name: qbittorrent
- app.kubernetes.io/instance: qbittorrent
diff --git a/clusters/cl01tl/manifests/radarr-4k/radarr-4k.yaml b/clusters/cl01tl/manifests/radarr-4k/radarr-4k.yaml
deleted file mode 100644
index 0e6fdd9be..000000000
--- a/clusters/cl01tl/manifests/radarr-4k/radarr-4k.yaml
+++ /dev/null
@@ -1,930 +0,0 @@
----
-# Source: radarr-4k/templates/persistent-volume.yaml
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: radarr-4k-nfs-storage
- namespace: radarr-4k
- labels:
- app.kubernetes.io/name: radarr-4k-nfs-storage
- app.kubernetes.io/instance: radarr-4k
- app.kubernetes.io/part-of: radarr-4k
-spec:
- persistentVolumeReclaimPolicy: Retain
- storageClassName: nfs-client
- capacity:
- storage: 1Gi
- accessModes:
- - ReadWriteMany
- nfs:
- path: /volume2/Storage
- server: synologybond.alexlebens.net
- mountOptions:
- - vers=4
- - minorversion=1
- - noac
----
-# Source: radarr-4k/charts/radarr-4k/templates/common.yaml
----
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: radarr-4k-config
- labels:
- app.kubernetes.io/instance: radarr-4k
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: radarr-4k
- helm.sh/chart: radarr-4k-4.4.0
- annotations:
- helm.sh/resource-policy: keep
- namespace: radarr-4k
-spec:
- accessModes:
- - "ReadWriteOnce"
- resources:
- requests:
- storage: "20Gi"
- storageClassName: "ceph-block"
----
-# Source: radarr-4k/templates/persistent-volume-claim.yaml
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: radarr-4k-nfs-storage
- namespace: radarr-4k
- labels:
- app.kubernetes.io/name: radarr-4k-nfs-storage
- app.kubernetes.io/instance: radarr-4k
- app.kubernetes.io/part-of: radarr-4k
-spec:
- volumeName: radarr-4k-nfs-storage
- storageClassName: nfs-client
- accessModes:
- - ReadWriteMany
- resources:
- requests:
- storage: 1Gi
----
-# Source: radarr-4k/charts/radarr-4k/templates/common.yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: radarr-4k
- labels:
- app.kubernetes.io/instance: radarr-4k
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: radarr-4k
- app.kubernetes.io/service: radarr-4k
- helm.sh/chart: radarr-4k-4.4.0
- namespace: radarr-4k
-spec:
- type: ClusterIP
- ports:
- - port: 80
- targetPort: 7878
- protocol: TCP
- name: http
- - port: 9793
-
targetPort: 9793
- protocol: TCP
- name: metrics
- selector:
- app.kubernetes.io/controller: main
- app.kubernetes.io/instance: radarr-4k
- app.kubernetes.io/name: radarr-4k
----
-# Source: radarr-4k/charts/radarr-4k/templates/common.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: radarr-4k
- labels:
- app.kubernetes.io/controller: main
- app.kubernetes.io/instance: radarr-4k
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: radarr-4k
- helm.sh/chart: radarr-4k-4.4.0
- namespace: radarr-4k
-spec:
- revisionHistoryLimit: 3
- replicas: 1
- strategy:
- type: Recreate
- selector:
- matchLabels:
- app.kubernetes.io/controller: main
- app.kubernetes.io/name: radarr-4k
- app.kubernetes.io/instance: radarr-4k
- template:
- metadata:
- labels:
- app.kubernetes.io/controller: main
- app.kubernetes.io/instance: radarr-4k
- app.kubernetes.io/name: radarr-4k
- spec:
- enableServiceLinks: false
- serviceAccountName: default
- automountServiceAccountToken: true
- securityContext:
- fsGroup: 1000
- fsGroupChangePolicy: OnRootMismatch
- runAsGroup: 1000
- runAsUser: 1000
- hostIPC: false
- hostNetwork: false
- hostPID: false
- dnsPolicy: ClusterFirst
- containers:
- - env:
- - name: TZ
- value: US/Central
- - name: PUID
- value: "1000"
- - name: PGID
- value: "1000"
- image: ghcr.io/linuxserver/radarr:6.0.4@sha256:06ac318ecb95a34c7b229568dcb4271f02cb5007bb189a0dd67a2032864187ca
- imagePullPolicy: IfNotPresent
- name: main
- resources:
- requests:
- cpu: 100m
- memory: 256Mi
- volumeMounts:
- - mountPath: /config
- name: config
- - mountPath: /mnt/store
- name: media
- - args:
- - radarr
- env:
- - name: URL
- value: http://localhost
- - name: CONFIG
- value: /config/config.xml
- - name: PORT
- value: "9793"
- - name: ENABLE_ADDITIONAL_METRICS
- value: "false"
- - name: ENABLE_UNKNOWN_QUEUE_ITEMS
- value: "false"
- image: ghcr.io/onedr0p/exportarr:v2.3.0
- imagePullPolicy: IfNotPresent
- name: metrics
- resources:
- requests:
- cpu: 10m
- memory: 128Mi
-
volumeMounts: - - mountPath: /config - name: config - readOnly: true - volumes: - - name: config - persistentVolumeClaim: - claimName: radarr-4k-config - - name: media - persistentVolumeClaim: - claimName: radarr-4k-nfs-storage ---- -# Source: radarr-4k/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: radarr5-4k-postgresql-17-cluster - namespace: radarr-4k - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-4k-postgresql-17 - app.kubernetes.io/instance: radarr-4k - app.kubernetes.io/part-of: radarr-4k - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "radarr5-4k-postgresql-17-external-backup" - serverName: "radarr5-4k-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "radarr5-4k-postgresql-17-garage-local-backup" - serverName: "radarr5-4k-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "radarr5-4k-postgresql-17-recovery" - serverName: radarr5-4k-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 200m - memory: 1Gi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - 
shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: radarr5-4k-postgresql-17-backup-1 - - externalClusters: - - name: radarr5-4k-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "radarr5-4k-postgresql-17-recovery" - serverName: radarr5-4k-postgresql-17-backup-1 ---- -# Source: radarr-4k/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: radarr-4k-config-backup-secret - namespace: radarr-4k - labels: - app.kubernetes.io/name: radarr-4k-config-backup-secret - app.kubernetes.io/instance: radarr-4k - app.kubernetes.io/part-of: radarr-4k -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/radarr5-4k/radarr5-4k-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: 
radarr-4k/templates/external-secret.yaml
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: radarr-4k-postgresql-17-cluster-backup-secret
- namespace: radarr-4k
- labels:
- app.kubernetes.io/name: radarr-4k-postgresql-17-cluster-backup-secret
- app.kubernetes.io/instance: radarr-4k
- app.kubernetes.io/part-of: radarr-4k
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault
- data:
- - secretKey: ACCESS_KEY_ID
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /digital-ocean/home-infra/postgres-backups
- metadataPolicy: None
- property: access
- - secretKey: ACCESS_SECRET_KEY
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /digital-ocean/home-infra/postgres-backups
- metadataPolicy: None
- property: secret
----
-# Source: radarr-4k/templates/external-secret.yaml
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: radarr-4k-postgresql-17-cluster-backup-secret-garage
- namespace: radarr-4k
- labels:
- app.kubernetes.io/name: radarr-4k-postgresql-17-cluster-backup-secret-garage
- app.kubernetes.io/instance: radarr-4k
- app.kubernetes.io/part-of: radarr-4k
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault
- data:
- - secretKey: ACCESS_KEY_ID
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /garage/home-infra/postgres-backups
- metadataPolicy: None
- property: ACCESS_KEY_ID
- - secretKey: ACCESS_SECRET_KEY
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /garage/home-infra/postgres-backups
- metadataPolicy: None
- property: ACCESS_SECRET_KEY
- - secretKey: ACCESS_REGION
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /garage/home-infra/postgres-backups
- metadataPolicy: None
- property: ACCESS_REGION
----
-# Source: radarr-4k/templates/http-route.yaml
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: http-route-radarr-4k
- namespace:
radarr-4k
- labels:
- app.kubernetes.io/name: http-route-radarr-4k
- app.kubernetes.io/instance: radarr-4k
- app.kubernetes.io/part-of: radarr-4k
-spec:
- parentRefs:
- - group: gateway.networking.k8s.io
- kind: Gateway
- name: traefik-gateway
- namespace: traefik
- hostnames:
- - radarr-4k.alexlebens.net
- rules:
- - matches:
- - path:
- type: PathPrefix
- value: /
- backendRefs:
- - group: ''
- kind: Service
- name: radarr-4k
- port: 80
- weight: 100
----
-# Source: radarr-4k/charts/postgres-17-cluster/templates/object-store.yaml
-apiVersion: barmancloud.cnpg.io/v1
-kind: ObjectStore
-metadata:
- name: "radarr5-4k-postgresql-17-external-backup"
- namespace: radarr-4k
- labels:
- helm.sh/chart: postgres-17-cluster-6.16.1
- app.kubernetes.io/name: radarr5-4k-postgresql-17
- app.kubernetes.io/instance: radarr-4k
- app.kubernetes.io/part-of: radarr-4k
- app.kubernetes.io/version: "6.16.1"
- app.kubernetes.io/managed-by: Helm
-spec:
- retentionPolicy: 30d
- configuration:
- destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/radarr5-4k/radarr5-4k-postgresql-17-cluster
- endpointURL: https://nyc3.digitaloceanspaces.com
- s3Credentials:
- accessKeyId:
- name: radarr-4k-postgresql-17-cluster-backup-secret
- key: ACCESS_KEY_ID
- secretAccessKey:
- name: radarr-4k-postgresql-17-cluster-backup-secret
- key: ACCESS_SECRET_KEY
----
-# Source: radarr-4k/charts/postgres-17-cluster/templates/object-store.yaml
-apiVersion: barmancloud.cnpg.io/v1
-kind: ObjectStore
-metadata:
- name: "radarr5-4k-postgresql-17-garage-local-backup"
- namespace: radarr-4k
- labels:
- helm.sh/chart: postgres-17-cluster-6.16.1
- app.kubernetes.io/name: radarr5-4k-postgresql-17
- app.kubernetes.io/instance: radarr-4k
- app.kubernetes.io/part-of: radarr-4k
- app.kubernetes.io/version: "6.16.1"
- app.kubernetes.io/managed-by: Helm
-spec:
- retentionPolicy: 3d
- configuration:
- destinationPath: s3://postgres-backups/cl01tl/radarr-4k/radarr5-4k-postgresql-17-cluster
- endpointURL:
http://garage-main.garage:3900
- s3Credentials:
- accessKeyId:
- name: radarr-4k-postgresql-17-cluster-backup-secret-garage
- key: ACCESS_KEY_ID
- secretAccessKey:
- name: radarr-4k-postgresql-17-cluster-backup-secret-garage
- key: ACCESS_SECRET_KEY
- region:
- name: radarr-4k-postgresql-17-cluster-backup-secret-garage
- key: ACCESS_REGION
----
-# Source: radarr-4k/charts/postgres-17-cluster/templates/object-store.yaml
-apiVersion: barmancloud.cnpg.io/v1
-kind: ObjectStore
-metadata:
- name: "radarr5-4k-postgresql-17-recovery"
- namespace: radarr-4k
- labels:
- helm.sh/chart: postgres-17-cluster-6.16.1
- app.kubernetes.io/name: radarr5-4k-postgresql-17
- app.kubernetes.io/instance: radarr-4k
- app.kubernetes.io/part-of: radarr-4k
- app.kubernetes.io/version: "6.16.1"
- app.kubernetes.io/managed-by: Helm
-spec:
- configuration:
- destinationPath: s3://postgres-backups/cl01tl/radarr5-4k/radarr5-4k-postgresql-17-cluster
- endpointURL: http://garage-main.garage:3900
- wal:
- compression: snappy
- maxParallel: 1
- data:
- compression: snappy
- jobs: 1
- s3Credentials:
- accessKeyId:
- name: radarr-4k-postgresql-17-cluster-backup-secret-garage
- key: ACCESS_KEY_ID
- secretAccessKey:
- name: radarr-4k-postgresql-17-cluster-backup-secret-garage
- key: ACCESS_SECRET_KEY
----
-# Source: radarr-4k/charts/postgres-17-cluster/templates/prometheus-rule.yaml
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
- name: radarr5-4k-postgresql-17-alert-rules
- namespace: radarr-4k
- labels:
- helm.sh/chart: postgres-17-cluster-6.16.1
- app.kubernetes.io/name: radarr5-4k-postgresql-17
- app.kubernetes.io/instance: radarr-4k
- app.kubernetes.io/part-of: radarr-4k
- app.kubernetes.io/version: "6.16.1"
- app.kubernetes.io/managed-by: Helm
-spec:
- groups:
- - name: cloudnative-pg/radarr5-4k-postgresql-17
- rules:
- - alert: CNPGClusterBackendsWaitingWarning
- annotations:
- summary: CNPG Cluster a backend is waiting for longer than 5 minutes.
- description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: radarr-4k - cnpg_cluster: radarr5-4k-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: radarr-4k - cnpg_cluster: radarr5-4k-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="radarr-4k"} - cnpg_pg_replication_is_wal_receiver_up{namespace="radarr-4k"}) < 1 - for: 5m - labels: - severity: critical - namespace: radarr-4k - cnpg_cluster: radarr5-4k-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. 
- description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="radarr-4k"} - cnpg_pg_replication_is_wal_receiver_up{namespace="radarr-4k"}) < 2 - for: 5m - labels: - severity: warning - namespace: radarr-4k - cnpg_cluster: radarr5-4k-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "radarr-4k/radarr5-4k-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="radarr-4k", pod=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="radarr-4k", pod=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: radarr-4k - cnpg_cluster: radarr5-4k-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "radarr-4k/radarr5-4k-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="radarr-4k", pod=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="radarr-4k", pod=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: radarr-4k - cnpg_cluster: radarr5-4k-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "radarr-4k/radarr5-4k-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="radarr-4k",pod=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: radarr-4k - cnpg_cluster: radarr5-4k-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "radarr-4k/radarr5-4k-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="radarr-4k", pod=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: radarr-4k - cnpg_cluster: radarr5-4k-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: radarr-4k - cnpg_cluster: radarr5-4k-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "radarr-4k/radarr5-4k-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="radarr-4k", persistentvolumeclaim=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="radarr-4k", persistentvolumeclaim=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="radarr-4k", persistentvolumeclaim=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="radarr-4k", persistentvolumeclaim=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="radarr-4k", persistentvolumeclaim=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="radarr-4k", persistentvolumeclaim=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: radarr-4k - cnpg_cluster: radarr5-4k-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "radarr-4k/radarr5-4k-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="radarr-4k", persistentvolumeclaim=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="radarr-4k", persistentvolumeclaim=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="radarr-4k", persistentvolumeclaim=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="radarr-4k", persistentvolumeclaim=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="radarr-4k", persistentvolumeclaim=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="radarr-4k", persistentvolumeclaim=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: radarr-4k - cnpg_cluster: radarr5-4k-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "radarr-4k/radarr5-4k-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="radarr-4k",pod=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: radarr-4k - cnpg_cluster: radarr5-4k-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: radarr-4k - cnpg_cluster: radarr5-4k-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: radarr-4k - cnpg_cluster: radarr5-4k-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: radarr-4k - cnpg_cluster: radarr5-4k-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "radarr-4k/radarr5-4k-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="radarr-4k", pod=~"radarr5-4k-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: radarr-4k - cnpg_cluster: radarr5-4k-postgresql-17-cluster ---- -# Source: radarr-4k/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: radarr-4k - namespace: radarr-4k - labels: - app.kubernetes.io/name: radarr-4k - app.kubernetes.io/instance: radarr-4k - app.kubernetes.io/part-of: radarr-4k -spec: - groups: - - name: radarr-4k - rules: - - alert: ExportarrAbsent - annotations: - description: Radarr 4K Exportarr has disappeared from Prometheus - service discovery. - summary: Exportarr is down. - expr: | - absent(up{job=~".*radarr-4k.*"} == 1) - for: 5m - labels: - severity: critical - - alert: Radarr4kDown - annotations: - description: Radarr 4K service is down. - summary: Radarr 4K is down. 
- expr: | - radarr_4k_system_status{job=~".*radarr-4k.*"} == 0 - for: 5m - labels: - severity: critical ---- -# Source: radarr-4k/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: radarr-4k-config-backup-source - namespace: radarr-4k - labels: - app.kubernetes.io/name: radarr-4k-config-backup-source - app.kubernetes.io/instance: radarr-4k - app.kubernetes.io/part-of: radarr-4k -spec: - sourcePVC: radarr-4k-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: radarr-4k-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - moverSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: radarr-4k/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "radarr5-4k-postgresql-17-daily-backup-scheduled-backup" - namespace: radarr-4k - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-4k-postgresql-17 - app.kubernetes.io/instance: radarr-4k - app.kubernetes.io/part-of: radarr-4k - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: radarr5-4k-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "radarr5-4k-postgresql-17-external-backup" ---- -# Source: radarr-4k/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "radarr5-4k-postgresql-17-live-backup-scheduled-backup" - namespace: radarr-4k - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - 
app.kubernetes.io/name: radarr5-4k-postgresql-17 - app.kubernetes.io/instance: radarr-4k - app.kubernetes.io/part-of: radarr-4k - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: radarr5-4k-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "radarr5-4k-postgresql-17-garage-local-backup" ---- -# Source: radarr-4k/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: radarr-4k - namespace: radarr-4k - labels: - app.kubernetes.io/name: radarr-4k - app.kubernetes.io/instance: radarr-4k - app.kubernetes.io/part-of: radarr-4k -spec: - selector: - matchLabels: - app.kubernetes.io/name: radarr-4k - app.kubernetes.io/instance: radarr-4k - endpoints: - - port: metrics - interval: 3m - scrapeTimeout: 1m - path: /metrics diff --git a/clusters/cl01tl/manifests/radarr-anime/radarr-anime.yaml b/clusters/cl01tl/manifests/radarr-anime/radarr-anime.yaml deleted file mode 100644 index 51a86cf41..000000000 --- a/clusters/cl01tl/manifests/radarr-anime/radarr-anime.yaml +++ /dev/null 
@@ -1,928 +0,0 @@ ---- -# Source: radarr-anime/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: radarr-anime-nfs-storage - namespace: radarr-anime - labels: - app.kubernetes.io/name: radarr-anime-nfs-storage - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/part-of: radarr-anime -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: radarr-anime/charts/radarr-anime/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: radarr-anime-config - labels: - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: radarr-anime - helm.sh/chart: radarr-anime-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: radarr-anime -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "20Gi" - storageClassName: "ceph-block" ---- -# Source: radarr-anime/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: radarr-anime-nfs-storage - namespace: radarr-anime - labels: - app.kubernetes.io/name: radarr-anime-nfs-storage - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/part-of: radarr-anime -spec: - volumeName: radarr-anime-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: radarr-anime/charts/radarr-anime/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: radarr-anime - labels: - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: radarr-anime - app.kubernetes.io/service: radarr-anime - helm.sh/chart: radarr-anime-4.4.0 - namespace: radarr-anime -spec: - type: ClusterIP - ports: - - 
port: 80 - targetPort: 7878 - protocol: TCP - name: http - - port: 9793 - targetPort: 9793 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/name: radarr-anime ---- -# Source: radarr-anime/charts/radarr-anime/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: radarr-anime - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: radarr-anime - helm.sh/chart: radarr-anime-4.4.0 - namespace: radarr-anime -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: radarr-anime - app.kubernetes.io/instance: radarr-anime - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/name: radarr-anime - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: PUID - value: "1000" - - name: PGID - value: "1000" - image: ghcr.io/linuxserver/radarr:6.0.4@sha256:06ac318ecb95a34c7b229568dcb4271f02cb5007bb189a0dd67a2032864187ca - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /config - name: config - - mountPath: /mnt/store - name: media - - args: - - radarr - env: - - name: URL - value: http://localhost - - name: CONFIG - value: /config/config.xml - - name: PORT - value: "9793" - - name: ENABLE_ADDITIONAL_METRICS - value: "false" - - name: ENABLE_UNKNOWN_QUEUE_ITEMS - value: "false" - image: ghcr.io/onedr0p/exportarr:v2.3.0 - imagePullPolicy: 
IfNotPresent - name: metrics - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /config - name: config - readOnly: true - volumes: - - name: config - persistentVolumeClaim: - claimName: radarr-anime-config - - name: media - persistentVolumeClaim: - claimName: radarr-anime-nfs-storage ---- -# Source: radarr-anime/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: radarr5-anime-postgresql-17-cluster - namespace: radarr-anime - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-anime-postgresql-17 - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/part-of: radarr-anime - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "radarr5-anime-postgresql-17-external-backup" - serverName: "radarr5-anime-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "radarr5-anime-postgresql-17-garage-local-backup" - serverName: "radarr5-anime-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "radarr5-anime-postgresql-17-recovery" - serverName: radarr5-anime-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: 
false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: radarr5-anime-postgresql-17-backup-1 - - externalClusters: - - name: radarr5-anime-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "radarr5-anime-postgresql-17-recovery" - serverName: radarr5-anime-postgresql-17-backup-1 ---- -# Source: radarr-anime/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: radarr-anime-config-backup-secret - namespace: radarr-anime - labels: - app.kubernetes.io/name: radarr-anime-config-backup-secret - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/part-of: radarr-anime -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/radarr5-anime/radarr5-anime-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - 
conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: radarr-anime/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: radarr-anime-postgresql-17-cluster-backup-secret - namespace: radarr-anime - labels: - app.kubernetes.io/name: radarr-anime-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/part-of: radarr-anime -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: radarr-anime/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: radarr-anime-postgresql-17-cluster-backup-secret-garage - namespace: radarr-anime - labels: - app.kubernetes.io/name: radarr-anime-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/part-of: radarr-anime -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: 
None - property: ACCESS_REGION ---- -# Source: radarr-anime/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-radarr-anime - namespace: radarr-anime - labels: - app.kubernetes.io/name: http-route-radarr-anime - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/part-of: radarr-anime -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - radarr-anime.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: radarr-anime - port: 80 - weight: 100 ---- -# Source: radarr-anime/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "radarr5-anime-postgresql-17-external-backup" - namespace: radarr-anime - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-anime-postgresql-17 - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/part-of: radarr-anime - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/radarr5-anime/radarr5-anime-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: radarr-anime-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: radarr-anime-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: radarr-anime/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "radarr5-anime-postgresql-17-garage-local-backup" - namespace: radarr-anime - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-anime-postgresql-17 - app.kubernetes.io/instance: radarr-anime - 
app.kubernetes.io/part-of: radarr-anime - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/radarr-anime/radarr5-anime-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: radarr-anime-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: radarr-anime-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: radarr-anime-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: radarr-anime/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "radarr5-anime-postgresql-17-recovery" - namespace: radarr-anime - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-anime-postgresql-17 - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/part-of: radarr-anime - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/radarr5-anime/radarr5-anime-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: radarr-anime-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: radarr-anime-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: radarr-anime/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: radarr5-anime-postgresql-17-alert-rules - namespace: radarr-anime - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-anime-postgresql-17 - app.kubernetes.io/instance: radarr-anime - 
app.kubernetes.io/part-of: radarr-anime - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/radarr5-anime-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: radarr-anime - cnpg_cluster: radarr5-anime-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: radarr-anime - cnpg_cluster: radarr5-anime-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="radarr-anime"} - cnpg_pg_replication_is_wal_receiver_up{namespace="radarr-anime"}) < 1 - for: 5m - labels: - severity: critical - namespace: radarr-anime - cnpg_cluster: radarr5-anime-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="radarr-anime"} - cnpg_pg_replication_is_wal_receiver_up{namespace="radarr-anime"}) < 2 - for: 5m - labels: - severity: warning - namespace: radarr-anime - cnpg_cluster: radarr5-anime-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "radarr-anime/radarr5-anime-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="radarr-anime", pod=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="radarr-anime", pod=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: radarr-anime - cnpg_cluster: radarr5-anime-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "radarr-anime/radarr5-anime-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="radarr-anime", pod=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="radarr-anime", pod=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: radarr-anime - cnpg_cluster: radarr5-anime-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "radarr-anime/radarr5-anime-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="radarr-anime",pod=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: radarr-anime - cnpg_cluster: radarr5-anime-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "radarr-anime/radarr5-anime-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="radarr-anime", pod=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: radarr-anime - cnpg_cluster: radarr5-anime-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: radarr-anime - cnpg_cluster: radarr5-anime-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "radarr-anime/radarr5-anime-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="radarr-anime", persistentvolumeclaim=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="radarr-anime", persistentvolumeclaim=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="radarr-anime", persistentvolumeclaim=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="radarr-anime", persistentvolumeclaim=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="radarr-anime", persistentvolumeclaim=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="radarr-anime", persistentvolumeclaim=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: radarr-anime - cnpg_cluster: radarr5-anime-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "radarr-anime/radarr5-anime-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="radarr-anime", persistentvolumeclaim=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="radarr-anime", persistentvolumeclaim=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="radarr-anime", persistentvolumeclaim=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="radarr-anime", persistentvolumeclaim=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="radarr-anime", persistentvolumeclaim=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="radarr-anime", persistentvolumeclaim=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: radarr-anime - cnpg_cluster: radarr5-anime-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "radarr-anime/radarr5-anime-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="radarr-anime",pod=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: radarr-anime - cnpg_cluster: radarr5-anime-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: radarr-anime - cnpg_cluster: radarr5-anime-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: radarr-anime - cnpg_cluster: radarr5-anime-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: radarr-anime - cnpg_cluster: radarr5-anime-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "radarr-anime/radarr5-anime-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="radarr-anime", pod=~"radarr5-anime-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: radarr-anime - cnpg_cluster: radarr5-anime-postgresql-17-cluster ---- -# Source: radarr-anime/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: radarr-anime - namespace: radarr-anime - labels: - app.kubernetes.io/name: radarr-anime - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/part-of: radarr-anime -spec: - groups: - - name: radarr-anime - rules: - - alert: ExportarrAbsent - annotations: - description: Radarr Anime Exportarr has disappeared from Prometheus - service discovery. - summary: Exportarr is down. - expr: | - absent(up{job=~".*radarr-anime.*"} == 1) - for: 5m - labels: - severity: critical - - alert: RadarrAnimeDown - annotations: - description: Radarr Anime service is down. - summary: Radarr Anime is down. 
- expr: | - radarr_anime_system_status{job=~".*radarr-anime.*"} == 0 - for: 5m - labels: - severity: critical ---- -# Source: radarr-anime/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: radarr-anime-config-backup-source - namespace: radarr-anime - labels: - app.kubernetes.io/name: radarr-anime-config-backup-source - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/part-of: radarr-anime -spec: - sourcePVC: radarr-anime-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: radarr-anime-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - moverSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: radarr-anime/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "radarr5-anime-postgresql-17-daily-backup-scheduled-backup" - namespace: radarr-anime - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-anime-postgresql-17 - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/part-of: radarr-anime - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: radarr5-anime-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "radarr5-anime-postgresql-17-external-backup" ---- -# Source: radarr-anime/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "radarr5-anime-postgresql-17-live-backup-scheduled-backup" - namespace: radarr-anime - 
labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-anime-postgresql-17 - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/part-of: radarr-anime - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: radarr5-anime-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "radarr5-anime-postgresql-17-garage-local-backup" ---- -# Source: radarr-anime/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: radarr-anime - namespace: radarr-anime - labels: - app.kubernetes.io/name: radarr-anime - app.kubernetes.io/instance: radarr-anime - app.kubernetes.io/part-of: radarr-anime -spec: - selector: - matchLabels: - app.kubernetes.io/name: radarr-anime - app.kubernetes.io/instance: radarr-anime - endpoints: - - port: metrics - interval: 3m - scrapeTimeout: 1m - path: /metrics
diff --git a/clusters/cl01tl/manifests/radarr-standup/radarr-standup.yaml b/clusters/cl01tl/manifests/radarr-standup/radarr-standup.yaml
deleted file mode 100644
index 3fbe98c64..000000000
--- a/clusters/cl01tl/manifests/radarr-standup/radarr-standup.yaml
+++ /dev/null
@@ -1,928 +0,0 @@
---- -# Source: radarr-standup/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: radarr-standup-nfs-storage - namespace: radarr-standup - labels: - app.kubernetes.io/name: radarr-standup-nfs-storage - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/part-of: radarr-standup -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: radarr-standup/charts/radarr-standup/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: radarr-standup-config - labels: - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: radarr-standup - helm.sh/chart: radarr-standup-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: radarr-standup -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "20Gi" - storageClassName: "ceph-block" ---- -# Source: radarr-standup/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: radarr-standup-nfs-storage - namespace: radarr-standup - labels: - app.kubernetes.io/name: radarr-standup-nfs-storage - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/part-of: radarr-standup -spec: - volumeName: radarr-standup-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: radarr-standup/charts/radarr-standup/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: radarr-standup - labels: - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: radarr-standup - app.kubernetes.io/service: radarr-standup - helm.sh/chart: radarr-standup-4.4.0 - 
namespace: radarr-standup -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 7878 - protocol: TCP - name: http - - port: 9793 - targetPort: 9793 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/name: radarr-standup ---- -# Source: radarr-standup/charts/radarr-standup/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: radarr-standup - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: radarr-standup - helm.sh/chart: radarr-standup-4.4.0 - namespace: radarr-standup -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: radarr-standup - app.kubernetes.io/instance: radarr-standup - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/name: radarr-standup - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: PUID - value: "1000" - - name: PGID - value: "1000" - image: ghcr.io/linuxserver/radarr:6.0.4@sha256:06ac318ecb95a34c7b229568dcb4271f02cb5007bb189a0dd67a2032864187ca - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /config - name: config - - mountPath: /mnt/store - name: media - - args: - - radarr - env: - - name: URL - value: http://localhost - - name: CONFIG - value: /config/config.xml - - name: PORT - value: "9793" - - name: ENABLE_ADDITIONAL_METRICS - value: "false" - - name: 
ENABLE_UNKNOWN_QUEUE_ITEMS - value: "false" - image: ghcr.io/onedr0p/exportarr:v2.3.0 - imagePullPolicy: IfNotPresent - name: metrics - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /config - name: config - readOnly: true - volumes: - - name: config - persistentVolumeClaim: - claimName: radarr-standup-config - - name: media - persistentVolumeClaim: - claimName: radarr-standup-nfs-storage ---- -# Source: radarr-standup/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: radarr5-standup-postgresql-17-cluster - namespace: radarr-standup - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-standup-postgresql-17 - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/part-of: radarr-standup - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "radarr5-standup-postgresql-17-external-backup" - serverName: "radarr5-standup-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "radarr5-standup-postgresql-17-garage-local-backup" - serverName: "radarr5-standup-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "radarr5-standup-postgresql-17-recovery" - serverName: radarr5-standup-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: 
kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: radarr5-standup-postgresql-17-backup-1 - - externalClusters: - - name: radarr5-standup-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "radarr5-standup-postgresql-17-recovery" - serverName: radarr5-standup-postgresql-17-backup-1 ---- -# Source: radarr-standup/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: radarr-standup-config-backup-secret - namespace: radarr-standup - labels: - app.kubernetes.io/name: radarr-standup-config-backup-secret - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/part-of: radarr-standup -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/radarr5-standup/radarr5-standup-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: 
None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: radarr-standup/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: radarr-standup-postgresql-17-cluster-backup-secret - namespace: radarr-standup - labels: - app.kubernetes.io/name: radarr-standup-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/part-of: radarr-standup -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: radarr-standup/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: radarr-standup-postgresql-17-cluster-backup-secret-garage - namespace: radarr-standup - labels: - app.kubernetes.io/name: radarr-standup-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/part-of: radarr-standup -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: 
ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: radarr-standup/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-radarr-standup - namespace: radarr-standup - labels: - app.kubernetes.io/name: http-route-radarr-standup - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/part-of: radarr-standup -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - radarr-standup.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: radarr-standup - port: 80 - weight: 100 ---- -# Source: radarr-standup/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "radarr5-standup-postgresql-17-external-backup" - namespace: radarr-standup - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-standup-postgresql-17 - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/part-of: radarr-standup - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/radarr5-standup/radarr5-standup-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: radarr-standup-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: radarr-standup-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: radarr-standup/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: 
"radarr5-standup-postgresql-17-garage-local-backup" - namespace: radarr-standup - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-standup-postgresql-17 - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/part-of: radarr-standup - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/radarr-standup/radarr5-standup-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: radarr-standup-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: radarr-standup-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: radarr-standup-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: radarr-standup/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "radarr5-standup-postgresql-17-recovery" - namespace: radarr-standup - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-standup-postgresql-17 - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/part-of: radarr-standup - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/radarr5-standup/radarr5-standup-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: radarr-standup-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: radarr-standup-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: radarr-standup/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: 
PrometheusRule -metadata: - name: radarr5-standup-postgresql-17-alert-rules - namespace: radarr-standup - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-standup-postgresql-17 - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/part-of: radarr-standup - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/radarr5-standup-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: radarr-standup - cnpg_cluster: radarr5-standup-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: radarr-standup - cnpg_cluster: radarr5-standup-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. 
- - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="radarr-standup"} - cnpg_pg_replication_is_wal_receiver_up{namespace="radarr-standup"}) < 1 - for: 5m - labels: - severity: critical - namespace: radarr-standup - cnpg_cluster: radarr5-standup-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="radarr-standup"} - cnpg_pg_replication_is_wal_receiver_up{namespace="radarr-standup"}) < 2 - for: 5m - labels: - severity: warning - namespace: radarr-standup - cnpg_cluster: radarr5-standup-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! 
- description: |- - CloudNativePG Cluster "radarr-standup/radarr5-standup-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="radarr-standup", pod=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="radarr-standup", pod=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: radarr-standup - cnpg_cluster: radarr5-standup-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "radarr-standup/radarr5-standup-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="radarr-standup", pod=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="radarr-standup", pod=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: radarr-standup - cnpg_cluster: radarr5-standup-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "radarr-standup/radarr5-standup-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. 
- - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="radarr-standup",pod=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: radarr-standup - cnpg_cluster: radarr5-standup-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "radarr-standup/radarr5-standup-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="radarr-standup", pod=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: radarr-standup - cnpg_cluster: radarr5-standup-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: radarr-standup - cnpg_cluster: radarr5-standup-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "radarr-standup/radarr5-standup-postgresql-17-cluster" is running extremely low on disk space. 
Check attached PVCs! - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="radarr-standup", persistentvolumeclaim=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="radarr-standup", persistentvolumeclaim=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="radarr-standup", persistentvolumeclaim=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="radarr-standup", persistentvolumeclaim=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="radarr-standup", persistentvolumeclaim=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="radarr-standup", persistentvolumeclaim=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: radarr-standup - cnpg_cluster: radarr5-standup-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "radarr-standup/radarr5-standup-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="radarr-standup", persistentvolumeclaim=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="radarr-standup", persistentvolumeclaim=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="radarr-standup", persistentvolumeclaim=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="radarr-standup", persistentvolumeclaim=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="radarr-standup", persistentvolumeclaim=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="radarr-standup", persistentvolumeclaim=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: radarr-standup - cnpg_cluster: radarr5-standup-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "radarr-standup/radarr5-standup-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="radarr-standup",pod=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: radarr-standup - cnpg_cluster: radarr5-standup-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: radarr-standup - cnpg_cluster: radarr5-standup-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: radarr-standup - cnpg_cluster: radarr5-standup-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: radarr-standup - cnpg_cluster: radarr5-standup-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "radarr-standup/radarr5-standup-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="radarr-standup", pod=~"radarr5-standup-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: radarr-standup - cnpg_cluster: radarr5-standup-postgresql-17-cluster ---- -# Source: radarr-standup/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: radarr-standup - namespace: radarr-standup - labels: - app.kubernetes.io/name: radarr-standup - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/part-of: radarr-standup -spec: - groups: - - name: radarr-standup - rules: - - alert: ExportarrAbsent - annotations: - description: Radarr Stand Up Exportarr has disappeared from Prometheus - service discovery. - summary: Exportarr is down. - expr: | - absent(up{job=~".*radarr-standup.*"} == 1) - for: 5m - labels: - severity: critical - - alert: RadarrStandUpDown - annotations: - description: Radarr Stand Up service is down. - summary: Radarr Stand Up is down. 
- expr: | - radarr_standup_system_status{job=~".*radarr-standup.*"} == 0 - for: 5m - labels: - severity: critical ---- -# Source: radarr-standup/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: radarr-standup-config-backup-source - namespace: radarr-standup - labels: - app.kubernetes.io/name: radarr-standup-config-backup-source - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/part-of: radarr-standup -spec: - sourcePVC: radarr-standup-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: radarr-standup-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - moverSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: radarr-standup/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "radarr5-standup-postgresql-17-daily-backup-scheduled-backup" - namespace: radarr-standup - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-standup-postgresql-17 - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/part-of: radarr-standup - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: radarr5-standup-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "radarr5-standup-postgresql-17-external-backup" ---- -# Source: radarr-standup/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: 
"radarr5-standup-postgresql-17-live-backup-scheduled-backup" - namespace: radarr-standup - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-standup-postgresql-17 - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/part-of: radarr-standup - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: radarr5-standup-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "radarr5-standup-postgresql-17-garage-local-backup" ---- -# Source: radarr-standup/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: radarr-standup - namespace: radarr-standup - labels: - app.kubernetes.io/name: radarr-standup - app.kubernetes.io/instance: radarr-standup - app.kubernetes.io/part-of: radarr-standup -spec: - selector: - matchLabels: - app.kubernetes.io/name: radarr-standup - app.kubernetes.io/instance: radarr-standup - endpoints: - - port: metrics - interval: 3m - scrapeTimeout: 1m - path: /metrics diff --git a/clusters/cl01tl/manifests/radarr/radarr.yaml b/clusters/cl01tl/manifests/radarr/radarr.yaml deleted file mode 100644 index 3f0688071..000000000 --- a/clusters/cl01tl/manifests/radarr/radarr.yaml +++ /dev/null 
@@ -1,930 +0,0 @@ ---- -# Source: radarr/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: radarr-nfs-storage - namespace: radarr - labels: - app.kubernetes.io/name: radarr-nfs-storage - app.kubernetes.io/instance: radarr - app.kubernetes.io/part-of: radarr -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: radarr/charts/radarr/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: radarr-config - labels: - app.kubernetes.io/instance: radarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: radarr - helm.sh/chart: radarr-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: radarr -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "20Gi" - storageClassName: "ceph-block" ---- -# Source: radarr/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: radarr-nfs-storage - namespace: radarr - labels: - app.kubernetes.io/name: radarr-nfs-storage - app.kubernetes.io/instance: radarr - app.kubernetes.io/part-of: radarr -spec: - volumeName: radarr-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: radarr/charts/radarr/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: radarr - labels: - app.kubernetes.io/instance: radarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: radarr - app.kubernetes.io/service: radarr - helm.sh/chart: radarr-4.4.0 - namespace: radarr -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 7878 - protocol: TCP - name: http - - port: 9793 - targetPort: 9793 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: 
main - app.kubernetes.io/instance: radarr - app.kubernetes.io/name: radarr ---- -# Source: radarr/charts/radarr/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: radarr - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: radarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: radarr - helm.sh/chart: radarr-4.4.0 - namespace: radarr -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: radarr - app.kubernetes.io/instance: radarr - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: radarr - app.kubernetes.io/name: radarr - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 1000 - runAsUser: 1000 - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: PUID - value: "1000" - - name: PGID - value: "1000" - image: ghcr.io/linuxserver/radarr:6.0.4@sha256:06ac318ecb95a34c7b229568dcb4271f02cb5007bb189a0dd67a2032864187ca - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 100m - memory: 256Mi - volumeMounts: - - mountPath: /config - name: config - - mountPath: /mnt/store - name: media - - args: - - radarr - env: - - name: URL - value: http://localhost - - name: CONFIG - value: /config/config.xml - - name: PORT - value: "9793" - - name: ENABLE_ADDITIONAL_METRICS - value: "false" - - name: ENABLE_UNKNOWN_QUEUE_ITEMS - value: "false" - image: ghcr.io/onedr0p/exportarr:v2.3.0 - imagePullPolicy: IfNotPresent - name: metrics - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /config - name: config - readOnly: true - volumes: - - name: config - persistentVolumeClaim: - 
claimName: radarr-config - - name: media - persistentVolumeClaim: - claimName: radarr-nfs-storage ---- -# Source: radarr/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: radarr5-postgresql-17-cluster - namespace: radarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-postgresql-17 - app.kubernetes.io/instance: radarr - app.kubernetes.io/part-of: radarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "radarr5-postgresql-17-external-backup" - serverName: "radarr5-postgresql-17-backup-2" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "radarr5-postgresql-17-garage-local-backup" - serverName: "radarr5-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "radarr5-postgresql-17-recovery" - serverName: radarr5-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 200m - memory: 1Gi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: 
radarr5-postgresql-17-backup-1 - - externalClusters: - - name: radarr5-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "radarr5-postgresql-17-recovery" - serverName: radarr5-postgresql-17-backup-1 ---- -# Source: radarr/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: radarr-config-backup-secret - namespace: radarr - labels: - app.kubernetes.io/name: radarr-config-backup-secret - app.kubernetes.io/instance: radarr - app.kubernetes.io/part-of: radarr -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/radarr5/radarr5-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: radarr/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: radarr-postgresql-17-cluster-backup-secret - namespace: radarr - labels: - 
app.kubernetes.io/name: radarr-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: radarr - app.kubernetes.io/part-of: radarr -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: radarr/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: radarr-postgresql-17-cluster-backup-secret-garage - namespace: radarr - labels: - app.kubernetes.io/name: radarr-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: radarr - app.kubernetes.io/part-of: radarr -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: radarr/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-radarr - namespace: radarr - labels: - app.kubernetes.io/name: http-route-radarr - app.kubernetes.io/instance: radarr - app.kubernetes.io/part-of: radarr -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - 
namespace: traefik - hostnames: - - radarr.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: radarr - port: 80 - weight: 100 ---- -# Source: radarr/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "radarr5-postgresql-17-external-backup" - namespace: radarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-postgresql-17 - app.kubernetes.io/instance: radarr - app.kubernetes.io/part-of: radarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/radarr5/radarr5-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: radarr-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: radarr-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: radarr/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "radarr5-postgresql-17-garage-local-backup" - namespace: radarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-postgresql-17 - app.kubernetes.io/instance: radarr - app.kubernetes.io/part-of: radarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/radarr/radarr5-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: radarr-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: radarr-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: radarr-postgresql-17-cluster-backup-secret-garage 
- key: ACCESS_REGION ---- -# Source: radarr/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "radarr5-postgresql-17-recovery" - namespace: radarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-postgresql-17 - app.kubernetes.io/instance: radarr - app.kubernetes.io/part-of: radarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/radarr5/radarr5-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: radarr-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: radarr-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: radarr/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: radarr5-postgresql-17-alert-rules - namespace: radarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-postgresql-17 - app.kubernetes.io/instance: radarr - app.kubernetes.io/part-of: radarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/radarr5-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: radarr - cnpg_cluster: radarr5-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. 
- description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: radarr - cnpg_cluster: radarr5-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="radarr"} - cnpg_pg_replication_is_wal_receiver_up{namespace="radarr"}) < 1 - for: 5m - labels: - severity: critical - namespace: radarr - cnpg_cluster: radarr5-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. 
The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="radarr"} - cnpg_pg_replication_is_wal_receiver_up{namespace="radarr"}) < 2 - for: 5m - labels: - severity: warning - namespace: radarr - cnpg_cluster: radarr5-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "radarr/radarr5-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="radarr", pod=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="radarr", pod=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: radarr - cnpg_cluster: radarr5-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "radarr/radarr5-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="radarr", pod=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="radarr", pod=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: radarr - cnpg_cluster: radarr5-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "radarr/radarr5-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="radarr",pod=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: radarr - cnpg_cluster: radarr5-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "radarr/radarr5-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="radarr", pod=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: radarr - cnpg_cluster: radarr5-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: radarr - cnpg_cluster: radarr5-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "radarr/radarr5-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="radarr", persistentvolumeclaim=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="radarr", persistentvolumeclaim=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="radarr", persistentvolumeclaim=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="radarr", persistentvolumeclaim=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="radarr", persistentvolumeclaim=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="radarr", persistentvolumeclaim=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: radarr - cnpg_cluster: radarr5-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "radarr/radarr5-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="radarr", persistentvolumeclaim=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="radarr", persistentvolumeclaim=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="radarr", persistentvolumeclaim=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="radarr", persistentvolumeclaim=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="radarr", persistentvolumeclaim=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="radarr", persistentvolumeclaim=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: radarr - cnpg_cluster: radarr5-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "radarr/radarr5-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="radarr",pod=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: radarr - cnpg_cluster: radarr5-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: radarr - cnpg_cluster: radarr5-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: radarr - cnpg_cluster: radarr5-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: radarr - cnpg_cluster: radarr5-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "radarr/radarr5-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="radarr", pod=~"radarr5-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: radarr - cnpg_cluster: radarr5-postgresql-17-cluster ---- -# Source: radarr/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: radarr - namespace: radarr - labels: - app.kubernetes.io/name: radarr - app.kubernetes.io/instance: radarr - app.kubernetes.io/part-of: radarr -spec: - groups: - - name: radarr - rules: - - alert: ExportarrAbsent - annotations: - description: Radarr Exportarr has disappeared from Prometheus - service discovery. - summary: Exportarr is down. - expr: | - absent(up{job=~".*radarr.*"} == 1) - for: 5m - labels: - severity: critical - - alert: RadarrDown - annotations: - description: Radarr service is down. - summary: Radarr is down. 
- expr: | - radarr_system_status{job=~".*radarr.*"} == 0 - for: 5m - labels: - severity: critical ---- -# Source: radarr/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: radarr-config-backup-source - namespace: radarr - labels: - app.kubernetes.io/name: radarr-config-backup-source - app.kubernetes.io/instance: radarr - app.kubernetes.io/part-of: radarr -spec: - sourcePVC: radarr-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: radarr-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - moverSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: radarr/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "radarr5-postgresql-17-daily-backup-scheduled-backup" - namespace: radarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-postgresql-17 - app.kubernetes.io/instance: radarr - app.kubernetes.io/part-of: radarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: radarr5-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "radarr5-postgresql-17-external-backup" ---- -# Source: radarr/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "radarr5-postgresql-17-live-backup-scheduled-backup" - namespace: radarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: radarr5-postgresql-17 - 
app.kubernetes.io/instance: radarr - app.kubernetes.io/part-of: radarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: radarr5-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "radarr5-postgresql-17-garage-local-backup" ---- -# Source: radarr/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: radarr - namespace: radarr - labels: - app.kubernetes.io/name: radarr - app.kubernetes.io/instance: radarr - app.kubernetes.io/part-of: radarr -spec: - selector: - matchLabels: - app.kubernetes.io/name: radarr - app.kubernetes.io/instance: radarr - endpoints: - - port: metrics - interval: 3m - scrapeTimeout: 1m - path: /metrics diff --git a/clusters/cl01tl/manifests/redis-operator/redis-operator.yaml b/clusters/cl01tl/manifests/redis-operator/redis-operator.yaml deleted file mode 100644 index fbc69d25d..000000000 --- a/clusters/cl01tl/manifests/redis-operator/redis-operator.yaml +++ /dev/null 
@@ -1,24288 +0,0 @@ ---- -# Source: redis-operator/charts/redis-operator/crds/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.2 - name: redis.redis.redis.opstreelabs.in -spec: - group: redis.redis.opstreelabs.in - names: - kind: Redis - listKind: RedisList - plural: redis - singular: redis - scope: Namespaced - versions: - - name: v1beta2 - schema: - openAPIV3Schema: - description: Redis is the Schema for the redis API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: RedisSpec defines the desired state of Redis - properties: - TLS: - description: TLS Configuration for redis instances - properties: - ca: - type: string - cert: - type: string - key: - type: string - secret: - description: Reference to secret which contains the certificates - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - optional: - description: optional field specify whether the Secret or - its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - required: - - secret - type: object - acl: - properties: - secret: - description: |- - Adapts a Secret into a volume. - - The contents of the target Secret's Data field will be presented in a volume - as files using the keys in the Data field as the file names. - Secret volumes support ownership management and SELinux relabeling. - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - optional: - description: optional field specify whether the Secret or - its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - type: object - affinity: - description: Affinity is a group of affinity scheduling rules. - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the - pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the - corresponding weight. 
- properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding - nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - type: array - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate - this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. 
- null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. 
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. 
If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. - avoid putting this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. 
The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. 
- null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. 
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. 
If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - env: - items: - description: EnvVar represents an environment variable present in - a Container. - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. 
If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. Cannot - be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath is - written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
- properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed - resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - hostPort: - type: integer - initContainer: - description: InitContainer for each Redis pods - properties: - args: - items: - type: string - type: array - command: - items: - type: string - type: array - enabled: - type: boolean - env: - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. 
- "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
- properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - type: string - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull - a container image - type: string - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. 
- Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. 
- May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. 
- Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - type: object - type: object - required: - - image - type: object - kubernetesConfig: - description: KubernetesConfig will be the JSON struct for Basic Redis - Config - properties: - ignoreAnnotations: - items: - type: string - type: array - image: - type: string - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull - a container image - type: string - imagePullSecrets: - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - minReadySeconds: - format: int32 - type: integer - persistentVolumeClaimRetentionPolicy: - description: |- - StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs - created from the StatefulSet VolumeClaimTemplates. - properties: - whenDeleted: - description: |- - WhenDeleted specifies what happens to PVCs created from StatefulSet - VolumeClaimTemplates when the StatefulSet is deleted. The default policy - of `Retain` causes PVCs to not be affected by StatefulSet deletion. The - `Delete` policy causes those PVCs to be deleted. - type: string - whenScaled: - description: |- - WhenScaled specifies what happens to PVCs created from StatefulSet - VolumeClaimTemplates when the StatefulSet is scaled down. The default - policy of `Retain` causes PVCs to not be affected by a scaledown. The - `Delete` policy causes the associated PVCs for any excess pods above - the replica count to be deleted. 
- type: string - type: object - redisSecret: - description: ExistingPasswordSecret is the struct to access the - existing secret - properties: - key: - type: string - name: - type: string - type: object - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - service: - description: ServiceConfig define the type of service to be created - and its annotations - properties: - additional: - description: Additional config for which suffix is -additional - service - properties: - additionalAnnotations: - additionalProperties: - type: string - type: object - enabled: - default: true - type: boolean - includeBusPort: - description: |- - IncludeBusPort when set to true, it will add bus port to the service, such as 16379. - This field is only used for Redis cluster mode. - type: boolean - type: - default: ClusterIP - enum: - - LoadBalancer - - NodePort - - ClusterIP - type: string - type: object - annotations: - additionalProperties: - type: string - type: object - headless: - description: Headless config for which suffix is -headless - service - properties: - additionalAnnotations: - additionalProperties: - type: string - type: object - enabled: - default: true - type: boolean - includeBusPort: - description: |- - IncludeBusPort when set to true, it will add bus port to the service, such as 16379. - This field is only used for Redis cluster mode. - type: boolean - type: - default: ClusterIP - enum: - - LoadBalancer - - NodePort - - ClusterIP - type: string - type: object - includeBusPort: - description: |- - IncludeBusPort when set to true, it will add bus port to the service, such as 16379. - This field is only used for Redis cluster mode. - type: boolean - serviceType: - enum: - - LoadBalancer - - NodePort - - ClusterIP - type: string - type: object - updateStrategy: - description: |- - StatefulSetUpdateStrategy indicates the strategy that the StatefulSet - controller will use to perform updates. It includes any additional parameters - necessary to perform the update for the indicated strategy. 
- properties: - rollingUpdate: - description: RollingUpdate is used to communicate parameters - when Type is RollingUpdateStatefulSetStrategyType. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding up. This can not be 0. - Defaults to 1. This field is alpha-level and is only honored by servers that enable the - MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to - Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it - will be counted towards MaxUnavailable. - x-kubernetes-int-or-string: true - partition: - description: |- - Partition indicates the ordinal at which the StatefulSet should be partitioned - for updates. During a rolling update, all pods from ordinal Replicas-1 to - Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. - This is helpful in being able to do a canary based deployment. The default value is 0. - format: int32 - type: integer - type: object - type: - description: |- - Type indicates the type of the StatefulSetUpdateStrategy. - Default is RollingUpdate. - type: string - type: object - required: - - image - type: object - livenessProbe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. 
To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC port. - properties: - port: - description: Port number of the gRPC service. Number must - be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows - repeated headers. - items: - description: HTTPHeader describes a custom header to be - used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. 
- x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). 
- This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - nodeSelector: - additionalProperties: - type: string - type: object - podSecurityContext: - description: |- - PodSecurityContext holds pod-level security attributes and common container settings. - Some fields are also present in container.securityContext. Field values of - container.securityContext take precedence over field values of PodSecurityContext. - properties: - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. 
- type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. 
- type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in addition - to the container's primary GID, the fsGroup (if specified), and group memberships - defined in the container image for the uid of the container process. If unspecified, - no additional groups are added to any container. Note that group memberships - defined in the container image for the uid of the container process are still effective, - even if they are not included in this list. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. 
- items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA - credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - priorityClassName: - type: string - readinessProbe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. 
- properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC port. - properties: - port: - description: Port number of the gRPC service. Number must - be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows - repeated headers. - items: - description: HTTPHeader describes a custom header to be - used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. 
- type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. 
- The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - redisConfig: - description: RedisConfig defines the external configuration of Redis - properties: - additionalRedisConfig: - type: string - dynamicConfig: - items: - type: string - type: array - maxMemoryPercentOfLimit: - description: MaxMemoryPercentOfLimit is the percentage of redis - container memory limit to be used as maxmemory. - maximum: 100 - minimum: 1 - type: integer - type: object - redisExporter: - description: RedisExporter interface will have the information for - redis exporter related stuff - properties: - enabled: - type: boolean - env: - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. 
If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
- properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - type: string - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull - a container image - type: string - port: - default: 9121 - type: integer - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. 
It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. 
- type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. 
- If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. 
- Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - required: - - image - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. 
- The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. 
- properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA - credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - serviceAccountName: - type: string - sidecars: - items: - description: Sidecar for each Redis pods - properties: - command: - items: - type: string - type: array - env: - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be - a C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". 
- Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
- properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - type: string - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull - a container image - type: string - mountPath: - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. 
- type: boolean - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - name: - type: string - ports: - items: - description: ContainerPort represents a network port in a - single container. - properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. - This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: |- - Number of port to expose on the host. - If specified, this must be a valid port number, 0 < x < 65536. - If HostNetwork is specified, this must match ContainerPort. - Most containers do not need this. - format: int32 - type: integer - name: - description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. - type: string - protocol: - default: TCP - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. - Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. 
- - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. 
This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. 
If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). 
- In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - required: - - image - - name - type: object - type: array - storage: - description: Storage is the inteface to add pvc and pv support in - redis - properties: - keepAfterDelete: - type: boolean - volumeClaimTemplate: - description: PersistentVolumeClaim is a user's request for and - claim to a persistent volume - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - description: |- - Standard object's metadata. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. 
For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to - consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. 
- If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the - PersistentVolume backing this claim. - type: string - type: object - status: - description: |- - status represents the current information/status of a persistent volume claim. - Read-only. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the actual access modes the volume backing the PVC has. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - allocatedResourceStatuses: - additionalProperties: - description: |- - When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource - that it does not recognizes, then it should ignore that update and let other controllers - handle it. - type: string - description: "allocatedResourceStatuses stores status - of resource being resized for the given PVC.\nKey names - follow standard Kubernetes label syntax. 
Valid values - are either:\n\t* Un-prefixed keys:\n\t\t- storage - - the capacity of the volume.\n\t* Custom resources must - use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have - kubernetes.io prefix are considered\nreserved and hence - may not be used.\n\nClaimResourceStatus can be in any - of following states:\n\t- ControllerResizeInProgress:\n\t\tState - set when resize controller starts resizing the volume - in control-plane.\n\t- ControllerResizeFailed:\n\t\tState - set when resize has failed in resize controller with - a terminal error.\n\t- NodeResizePending:\n\t\tState - set when resize controller has finished resizing the - volume but further resizing of\n\t\tvolume is needed - on the node.\n\t- NodeResizeInProgress:\n\t\tState set - when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState - set when resizing has failed in kubelet with a terminal - error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor - example: if expanding a PVC for more capacity - this - field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeFailed\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizePending\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeFailed\"\nWhen this field is not set, - it means that no resize operation is in progress for - the given PVC.\n\nA controller that receives PVC update - with previously unknown resourceName or ClaimResourceStatus\nshould - ignore the update for the purpose it was designed. 
For - example - a controller that\nonly is responsible for - resizing capacity of the volume, should ignore PVC updates - that change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - x-kubernetes-map-type: granular - allocatedResources: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: "allocatedResources tracks the resources - allocated to a PVC including its capacity.\nKey names - follow standard Kubernetes label syntax. Valid values - are either:\n\t* Un-prefixed keys:\n\t\t- storage - - the capacity of the volume.\n\t* Custom resources must - use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have - kubernetes.io prefix are considered\nreserved and hence - may not be used.\n\nCapacity reported here may be larger - than the actual capacity when a volume expansion operation\nis - requested.\nFor storage quota, the larger value from - allocatedResources and PVC.spec.resources is used.\nIf - allocatedResources is not set, PVC.spec.resources alone - is used for quota calculation.\nIf a volume expansion - capacity request is lowered, allocatedResources is only\nlowered - if there are no expansion operations in progress and - if the actual volume capacity\nis equal or lower than - the requested capacity.\n\nA controller that receives - PVC update with previously unknown resourceName\nshould - ignore the update for the purpose it was designed. 
For - example - a controller that\nonly is responsible for - resizing capacity of the volume, should ignore PVC updates - that change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - capacity: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: capacity represents the actual resources - of the underlying volume. - type: object - conditions: - description: |- - conditions is the current Condition of persistent volume claim. If underlying persistent volume is being - resized then the Condition will be set to 'ResizeStarted'. - items: - description: PersistentVolumeClaimCondition contains - details about state of pvc - properties: - lastProbeTime: - description: lastProbeTime is the time we probed - the condition. - format: date-time - type: string - lastTransitionTime: - description: lastTransitionTime is the time the - condition transitioned from one status to another. - format: date-time - type: string - message: - description: message is the human-readable message - indicating details about last transition. - type: string - reason: - description: |- - reason is a unique, this should be a short, machine understandable string that gives the reason - for condition's last transition. If it reports "ResizeStarted" that means the underlying - persistent volume is being resized. - type: string - status: - type: string - type: - description: PersistentVolumeClaimConditionType - is a valid value of PersistentVolumeClaimCondition.Type - type: string - required: - - status - - type - type: object - type: array - currentVolumeAttributesClassName: - description: |- - currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. 
- When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim - This is an alpha field and requires enabling VolumeAttributesClass feature. - type: string - modifyVolumeStatus: - description: |- - ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. - When this is unset, there is no ModifyVolume operation being attempted. - This is an alpha field and requires enabling VolumeAttributesClass feature. - properties: - status: - description: "status is the status of the ControllerModifyVolume - operation. It can be in any of following states:\n - - Pending\n Pending indicates that the PersistentVolumeClaim - cannot be modified due to unmet requirements, such - as\n the specified VolumeAttributesClass not existing.\n - - InProgress\n InProgress indicates that the volume - is being modified.\n - Infeasible\n Infeasible - indicates that the request has been rejected as - invalid by the CSI driver. To\n\t resolve the error, - a valid VolumeAttributesClass needs to be specified.\nNote: - New statuses can be added in the future. Consumers - should check for unknown statuses and fail appropriately." - type: string - targetVolumeAttributesClassName: - description: targetVolumeAttributesClassName is the - name of the VolumeAttributesClass the PVC currently - being reconciled - type: string - required: - - status - type: object - phase: - description: phase represents the current phase of PersistentVolumeClaim. - type: string - type: object - type: object - volumeMount: - description: Additional Volume is provided by user that is mounted - on the pods - properties: - mountPath: - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. 
- type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - volume: - items: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. 
- Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: azureDisk represents an Azure Data Disk - mount on the host and bind mount to the pod. - properties: - cachingMode: - description: 'cachingMode is the Host Caching mode: - None, Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data disk - in the blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in - the blob storage - type: string - fsType: - description: |- - fsType is Filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: multiple - blob disks per storage account Dedicated: single - blob disk per storage account Managed: azure - managed data disk (only in managed availability - set). defaults to shared' - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: azureFile represents an Azure File Service - mount on the host and bind mount to the pod. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). 
ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: secretName is the name of secret that - contains Azure Storage Account Name and Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: cephFS represents a Ceph FS mount on the - host that shares a pod's lifetime - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - path: - description: 'path is Optional: Used as the mounted - root, rather than the full Ceph tree, default - is /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that should - populate this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
- YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers (Beta feature). - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. 
- type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about - the pod that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing the - pod field - properties: - fieldRef: - description: 'Required: Selects a field of - the pod: only annotations, labels, name - and namespace are supported.' - properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' path. - Must be utf-8 encoded. The first item of - the relative path must not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. 
- The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. - The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. 
Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. 
- When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. 
- * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over - volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. 
- type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource - that is attached to a kubelet's host machine and then - exposed to the pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target - worldwide names (WWNs)' - items: - type: string - type: array - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - properties: - driver: - description: driver is the name of the driver to - use for this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
- type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field holds - extra command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: flocker represents a Flocker volume attached - to a kubelet's host machine. This depends on the Flocker - control service being running - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. - This is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the - specified revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. 
- More info: https://examples.k8s.io/volumes/glusterfs/README.md - properties: - endpoints: - description: |- - endpoints is the endpoint name that details Glusterfs topology. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - path: - description: |- - path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. 
- More info: https://examples.k8s.io/volumes/iscsi/README.md - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether support - iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support - iSCSI Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified Name. - type: string - iscsiInterface: - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for iSCSI - target and initiator authentication - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. 
The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. 
- type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: photonPersistentDisk represents a PhotonController - persistent disk attached and mounted on kubelets host - machine - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon - Controller persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: portworxVolume represents a portworx volume - attached and mounted on kubelets host machine - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources - secrets, configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - sources: - description: sources is the list of volume projections - items: - description: Projection that may be projected - along with other supported volume types - properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is a - list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the volume - root to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about the - configMap data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. 
Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a - path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether - the ConfigMap or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about - the downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects - a field of the pod: only annotations, - labels, name and namespace are - supported.' - properties: - apiVersion: - description: Version of the - schema the FieldPath is written - in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified - API version. 
- type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file - to be created. Must not be absolute - or contain the ''..'' path. Must - be utf-8 encoded. The first item - of the relative path must not - start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - type: object - secret: - description: secret information about the - secret data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. 
If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a - path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify whether - the Secret or its key must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information - about the serviceAccountToken data to project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. 
- type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - type: object - quobyte: - description: quobyte represents a Quobyte mount on the - host that shares a pod's lifetime - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. - type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references - an already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. 
- More info: https://examples.k8s.io/volumes/rbd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - pool: - description: |- - pool is the rados pool name. - Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is the rados user name. - Default is admin. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: scaleIO represents a ScaleIO persistent - volume attached and mounted on Kubernetes nodes. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the - ScaleIO API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the - ScaleIO Protection Domain for the configured storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL - communication with Gateway, default false - type: boolean - storageMode: - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage - Pool associated with the protection domain. - type: string - system: - description: system is the name of the storage system - as configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. 
- type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - optional: - description: optional field specify whether the - Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: storageOS represents a StorageOS volume - attached and mounted on Kubernetes nodes. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. 
- Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: vsphereVolume represents a vSphere volume - attached and mounted on kubelets host machine - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy - Based Management (SPBM) profile ID associated - with the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage Policy - Based Management (SPBM) profile name. - type: string - volumePath: - description: volumePath is the path that identifies - vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - type: object - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - tolerations: - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. 
- Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - required: - - kubernetesConfig - type: object - status: - description: RedisStatus defines the observed state of Redis - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.2 - name: redisclusters.redis.redis.opstreelabs.in -spec: - group: redis.redis.opstreelabs.in - names: - kind: RedisCluster - listKind: RedisClusterList - plural: redisclusters - singular: rediscluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Current cluster node count - jsonPath: .spec.clusterSize - name: ClusterSize - type: integer - - description: Number of ready leader replicas - jsonPath: .status.readyLeaderReplicas - name: ReadyLeaderReplicas - type: integer - - description: Number of ready follower replicas - jsonPath: .status.readyFollowerReplicas - name: ReadyFollowerReplicas - type: integer - - description: The current state of the Redis Cluster - jsonPath: .status.state - name: State - priority: 1 - type: string - - description: Age of Cluster - jsonPath: .metadata.creationTimestamp - name: Age - priority: 1 - type: date - 
- description: The reason for the current state - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: RedisCluster is the Schema for the redisclusters API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: RedisClusterSpec defines the desired state of RedisCluster - properties: - TLS: - description: TLS Configuration for redis instances - properties: - ca: - type: string - cert: - type: string - key: - type: string - secret: - description: Reference to secret which contains the certificates - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - optional: - description: optional field specify whether the Secret or - its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - required: - - secret - type: object - acl: - properties: - secret: - description: |- - Adapts a Secret into a volume. 
- - The contents of the target Secret's Data field will be presented in a volume - as files using the keys in the Data field as the file names. - Secret volumes support ownership management and SELinux relabeling. - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - optional: - description: optional field specify whether the Secret or - its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - type: object - clusterSize: - description: ClusterSize defines the default number of replicas for - both leader and follower when not explicitly set - format: int32 - type: integer - clusterVersion: - default: v7 - type: string - env: - items: - description: EnvVar represents an environment variable present in - a Container. - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. Cannot - be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath is - written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed - resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - hostNetwork: - type: boolean - hostPort: - type: integer - initContainer: - description: InitContainer for each Redis pods - properties: - args: - items: - type: string - type: array - command: - items: - type: string - type: array - enabled: - type: boolean - env: - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - type: string - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull - a container image - type: string - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. 
- Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - type: object - type: object - required: - - image - type: object - kubernetesConfig: - description: KubernetesConfig will be the JSON struct for Basic Redis - Config - properties: - ignoreAnnotations: - items: - type: string - type: array - image: - type: string - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull - a container image - type: string - imagePullSecrets: - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - minReadySeconds: - format: int32 - type: integer - persistentVolumeClaimRetentionPolicy: - description: |- - StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs - created from the StatefulSet VolumeClaimTemplates. - properties: - whenDeleted: - description: |- - WhenDeleted specifies what happens to PVCs created from StatefulSet - VolumeClaimTemplates when the StatefulSet is deleted. The default policy - of `Retain` causes PVCs to not be affected by StatefulSet deletion. The - `Delete` policy causes those PVCs to be deleted. - type: string - whenScaled: - description: |- - WhenScaled specifies what happens to PVCs created from StatefulSet - VolumeClaimTemplates when the StatefulSet is scaled down. The default - policy of `Retain` causes PVCs to not be affected by a scaledown. The - `Delete` policy causes the associated PVCs for any excess pods above - the replica count to be deleted. 
- type: string - type: object - redisSecret: - description: ExistingPasswordSecret is the struct to access the - existing secret - properties: - key: - type: string - name: - type: string - type: object - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - service: - description: ServiceConfig define the type of service to be created - and its annotations - properties: - additional: - description: Additional config for which suffix is -additional - service - properties: - additionalAnnotations: - additionalProperties: - type: string - type: object - enabled: - default: true - type: boolean - includeBusPort: - description: |- - IncludeBusPort when set to true, it will add bus port to the service, such as 16379. - This field is only used for Redis cluster mode. - type: boolean - type: - default: ClusterIP - enum: - - LoadBalancer - - NodePort - - ClusterIP - type: string - type: object - annotations: - additionalProperties: - type: string - type: object - headless: - description: Headless config for which suffix is -headless - service - properties: - additionalAnnotations: - additionalProperties: - type: string - type: object - enabled: - default: true - type: boolean - includeBusPort: - description: |- - IncludeBusPort when set to true, it will add bus port to the service, such as 16379. - This field is only used for Redis cluster mode. - type: boolean - type: - default: ClusterIP - enum: - - LoadBalancer - - NodePort - - ClusterIP - type: string - type: object - includeBusPort: - description: |- - IncludeBusPort when set to true, it will add bus port to the service, such as 16379. - This field is only used for Redis cluster mode. - type: boolean - serviceType: - enum: - - LoadBalancer - - NodePort - - ClusterIP - type: string - type: object - updateStrategy: - description: |- - StatefulSetUpdateStrategy indicates the strategy that the StatefulSet - controller will use to perform updates. It includes any additional parameters - necessary to perform the update for the indicated strategy. 
- properties: - rollingUpdate: - description: RollingUpdate is used to communicate parameters - when Type is RollingUpdateStatefulSetStrategyType. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding up. This can not be 0. - Defaults to 1. This field is alpha-level and is only honored by servers that enable the - MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to - Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it - will be counted towards MaxUnavailable. - x-kubernetes-int-or-string: true - partition: - description: |- - Partition indicates the ordinal at which the StatefulSet should be partitioned - for updates. During a rolling update, all pods from ordinal Replicas-1 to - Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. - This is helpful in being able to do a canary based deployment. The default value is 0. - format: int32 - type: integer - type: object - type: - description: |- - Type indicates the type of the StatefulSetUpdateStrategy. - Default is RollingUpdate. - type: string - type: object - required: - - image - type: object - persistenceEnabled: - type: boolean - podSecurityContext: - description: |- - PodSecurityContext holds pod-level security attributes and common container settings. - Some fields are also present in container.securityContext. Field values of - container.securityContext take precedence over field values of PodSecurityContext. - properties: - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. 
The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. 
- type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in addition - to the container's primary GID, the fsGroup (if specified), and group memberships - defined in the container image for the uid of the container process. If unspecified, - no additional groups are added to any container. Note that group memberships - defined in the container image for the uid of the container process are still effective, - even if they are not included in this list. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA - credential spec to use. 
- type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - port: - default: 6379 - type: integer - priorityClassName: - type: string - redisConfig: - description: RedisConfig defines the external configuration of Redis - properties: - additionalRedisConfig: - type: string - dynamicConfig: - items: - type: string - type: array - maxMemoryPercentOfLimit: - description: MaxMemoryPercentOfLimit is the percentage of redis - container memory limit to be used as maxmemory. - maximum: 100 - minimum: 1 - type: integer - type: object - redisExporter: - description: RedisExporter interface will have the information for - redis exporter related stuff - properties: - enabled: - type: boolean - env: - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. 
- "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
- properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - type: string - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull - a container image - type: string - port: - default: 9121 - type: integer - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. 
It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. 
- type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. 
- If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. 
- Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - required: - - image - type: object - redisFollower: - description: RedisFollower interface will have the redis follower - configuration - properties: - affinity: - description: Affinity is a group of affinity scheduling rules. - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for - the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with - the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. 
- type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the - corresponding nodeSelectorTerm, in the range 1-100. 
- format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - type: array - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. - co-locate this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. 
- items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. 
The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. 
- type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. 
The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules - (e.g. avoid putting this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. 
- null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. 
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. 
If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - livenessProbe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. 
The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC port. - properties: - port: - description: Port number of the gRPC service. Number must - be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header to - be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. 
- Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving a TCP - port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. 
The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - nodeSelector: - additionalProperties: - type: string - type: object - pdb: - description: RedisPodDisruptionBudget configure a PodDisruptionBudget - on the resource (leader/follower) - properties: - enabled: - type: boolean - maxUnavailable: - format: int32 - type: integer - minAvailable: - format: int32 - type: integer - type: object - readinessProbe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC port. - properties: - port: - description: Port number of the gRPC service. 
Number must - be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header to - be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. 
- format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving a TCP - port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - redisConfig: - description: RedisConfig defines the external configuration of - Redis - properties: - additionalRedisConfig: - type: string - dynamicConfig: - items: - type: string - type: array - maxMemoryPercentOfLimit: - description: MaxMemoryPercentOfLimit is the percentage of - redis container memory limit to be used as maxmemory. - maximum: 100 - minimum: 1 - type: integer - type: object - replicas: - description: Replicas overrides clusterSize for follower nodes - count. If not set, uses clusterSize value - format: int32 - type: integer - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. 
- Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - tolerations: - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . 
- properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - items: - description: TopologySpreadConstraint specifies how to spread - matching pods among the given topology. - properties: - labelSelector: - description: |- - LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine the number of pods - in their corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select the pods over which - spreading will be calculated. The keys are used to lookup values from the - incoming pod labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading will be calculated - for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't set. - Keys that don't exist in the incoming pod labels will - be ignored. A null or empty list means only match against labelSelector. - - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - description: |- - MaxSkew describes the degree to which pods may be unevenly distributed. 
- When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference - between the number of matching pods in the target topology and the global minimum. - The global minimum is the minimum number of matching pods in an eligible domain - or zero if the number of eligible domains is less than MinDomains. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 2/2/1: - In this case, the global minimum is 1. - | zone1 | zone2 | zone3 | - | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; - scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - - if MaxSkew is 2, incoming pod can be scheduled onto any zone. - When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence - to topologies that satisfy it. - It's a required field. Default value is 1 and 0 is not allowed. - format: int32 - type: integer - minDomains: - description: |- - MinDomains indicates a minimum number of eligible domains. - When the number of eligible domains with matching topology keys is less than minDomains, - Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. - And when the number of eligible domains with matching topology keys equals or greater than minDomains, - this value has no effect on scheduling. - As a result, when the number of eligible domains is less than minDomains, - scheduler won't schedule more than maxSkew Pods to those domains. - If value is nil, the constraint behaves as if MinDomains is equal to 1. - Valid values are integers greater than 0. - When value is not nil, WhenUnsatisfiable must be DoNotSchedule. 
- - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same - labelSelector spread as 2/2/2: - | zone1 | zone2 | zone3 | - | P P | P P | P P | - The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. - In this situation, new pod with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. - - This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). - format: int32 - type: integer - nodeAffinityPolicy: - description: |- - NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. Options are: - - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - - If this value is nil, the behavior is equivalent to the Honor policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - nodeTaintsPolicy: - description: |- - NodeTaintsPolicy indicates how we will treat node taints when calculating - pod topology spread skew. Options are: - - Honor: nodes without taints, along with tainted nodes for which the incoming pod - has a toleration, are included. - - Ignore: node taints are ignored. All nodes are included. - - If this value is nil, the behavior is equivalent to the Ignore policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - topologyKey: - description: |- - TopologyKey is the key of node labels. Nodes that have a label with this key - and identical values are considered to be in the same topology. - We consider each as a "bucket", and try to put balanced number - of pods into each bucket. 
- We define a domain as a particular instance of a topology. - Also, we define an eligible domain as a domain whose nodes meet the requirements of - nodeAffinityPolicy and nodeTaintsPolicy. - e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. - And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. - It's a required field. - type: string - whenUnsatisfiable: - description: |- - WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy - the spread constraint. - - DoNotSchedule (default) tells the scheduler not to schedule it. - - ScheduleAnyway tells the scheduler to schedule the pod in any location, - but giving higher precedence to topologies that would help reduce the - skew. - A constraint is considered "Unsatisfiable" for an incoming pod - if and only if every possible node assignment for that pod would violate - "MaxSkew" on some topology. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: - | zone1 | zone2 | zone3 | - | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled - to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler - won't make it *more* imbalanced. - It's a required field. - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - type: object - redisLeader: - description: RedisLeader interface will have the redis leader configuration - properties: - affinity: - description: Affinity is a group of affinity scheduling rules. - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for - the pod. 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with - the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the - corresponding nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. 
- The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - type: array - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. - co-locate this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. 
- type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. 
The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. 
- When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules - (e.g. avoid putting this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. 
due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. 
- null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - livenessProbe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC port. - properties: - port: - description: Port number of the gRPC service. Number must - be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). 
- - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header to - be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
- format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving a TCP - port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - nodeSelector: - additionalProperties: - type: string - type: object - pdb: - description: RedisPodDisruptionBudget configure a PodDisruptionBudget - on the resource (leader/follower) - properties: - enabled: - type: boolean - maxUnavailable: - format: int32 - type: integer - minAvailable: - format: int32 - type: integer - type: object - readinessProbe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC port. - properties: - port: - description: Port number of the gRPC service. Number must - be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. 
- type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: HTTPHeader describes a custom header to - be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving a TCP - port. 
- properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - redisConfig: - description: RedisConfig defines the external configuration of - Redis - properties: - additionalRedisConfig: - type: string - dynamicConfig: - items: - type: string - type: array - maxMemoryPercentOfLimit: - description: MaxMemoryPercentOfLimit is the percentage of - redis container memory limit to be used as maxmemory. 
- maximum: 100 - minimum: 1 - type: integer - type: object - replicas: - description: Replicas overrides clusterSize for leader nodes count. - If not set, uses clusterSize value - format: int32 - type: integer - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. 
- type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. 
- type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. 
- type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - tolerations: - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. 
- type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - items: - description: TopologySpreadConstraint specifies how to spread - matching pods among the given topology. - properties: - labelSelector: - description: |- - LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine the number of pods - in their corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select the pods over which - spreading will be calculated. The keys are used to lookup values from the - incoming pod labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading will be calculated - for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't set. - Keys that don't exist in the incoming pod labels will - be ignored. A null or empty list means only match against labelSelector. - - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - description: |- - MaxSkew describes the degree to which pods may be unevenly distributed. - When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference - between the number of matching pods in the target topology and the global minimum. - The global minimum is the minimum number of matching pods in an eligible domain - or zero if the number of eligible domains is less than MinDomains. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 2/2/1: - In this case, the global minimum is 1. 
- | zone1 | zone2 | zone3 | - | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; - scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - - if MaxSkew is 2, incoming pod can be scheduled onto any zone. - When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence - to topologies that satisfy it. - It's a required field. Default value is 1 and 0 is not allowed. - format: int32 - type: integer - minDomains: - description: |- - MinDomains indicates a minimum number of eligible domains. - When the number of eligible domains with matching topology keys is less than minDomains, - Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. - And when the number of eligible domains with matching topology keys equals or greater than minDomains, - this value has no effect on scheduling. - As a result, when the number of eligible domains is less than minDomains, - scheduler won't schedule more than maxSkew Pods to those domains. - If value is nil, the constraint behaves as if MinDomains is equal to 1. - Valid values are integers greater than 0. - When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same - labelSelector spread as 2/2/2: - | zone1 | zone2 | zone3 | - | P P | P P | P P | - The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. - In this situation, new pod with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. - - This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). 
- format: int32 - type: integer - nodeAffinityPolicy: - description: |- - NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. Options are: - - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - - If this value is nil, the behavior is equivalent to the Honor policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - nodeTaintsPolicy: - description: |- - NodeTaintsPolicy indicates how we will treat node taints when calculating - pod topology spread skew. Options are: - - Honor: nodes without taints, along with tainted nodes for which the incoming pod - has a toleration, are included. - - Ignore: node taints are ignored. All nodes are included. - - If this value is nil, the behavior is equivalent to the Ignore policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - topologyKey: - description: |- - TopologyKey is the key of node labels. Nodes that have a label with this key - and identical values are considered to be in the same topology. - We consider each as a "bucket", and try to put balanced number - of pods into each bucket. - We define a domain as a particular instance of a topology. - Also, we define an eligible domain as a domain whose nodes meet the requirements of - nodeAffinityPolicy and nodeTaintsPolicy. - e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. - And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. - It's a required field. - type: string - whenUnsatisfiable: - description: |- - WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy - the spread constraint. 
- - DoNotSchedule (default) tells the scheduler not to schedule it. - - ScheduleAnyway tells the scheduler to schedule the pod in any location, - but giving higher precedence to topologies that would help reduce the - skew. - A constraint is considered "Unsatisfiable" for an incoming pod - if and only if every possible node assignment for that pod would violate - "MaxSkew" on some topology. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: - | zone1 | zone2 | zone3 | - | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled - to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler - won't make it *more* imbalanced. - It's a required field. - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - type: object - resources: - description: ResourceRequirements describes the compute resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - serviceAccountName: - type: string - sidecars: - items: - description: Sidecar for each Redis pods - properties: - command: - items: - type: string - type: array - env: - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be - a C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". 
- Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
- properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - type: string - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull - a container image - type: string - mountPath: - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. 
- type: boolean - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - name: - type: string - ports: - items: - description: ContainerPort represents a network port in a - single container. - properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. - This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: |- - Number of port to expose on the host. - If specified, this must be a valid port number, 0 < x < 65536. - If HostNetwork is specified, this must match ContainerPort. - Most containers do not need this. - format: int32 - type: integer - name: - description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. - type: string - protocol: - default: TCP - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. - Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. 
- - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. 
This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. 
If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). 
- In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - required: - - image - - name - type: object - type: array - storage: - description: Node-conf needs to be added only in redis cluster - properties: - keepAfterDelete: - type: boolean - nodeConfVolume: - default: false - type: boolean - nodeConfVolumeClaimTemplate: - description: PersistentVolumeClaim is a user's request for and - claim to a persistent volume - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - description: |- - Standard object's metadata. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. 
- This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. 
- (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to - consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. 
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the - PersistentVolume backing this claim. - type: string - type: object - status: - description: |- - status represents the current information/status of a persistent volume claim. - Read-only. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the actual access modes the volume backing the PVC has. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - allocatedResourceStatuses: - additionalProperties: - description: |- - When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource - that it does not recognizes, then it should ignore that update and let other controllers - handle it. - type: string - description: "allocatedResourceStatuses stores status - of resource being resized for the given PVC.\nKey names - follow standard Kubernetes label syntax. 
Valid values - are either:\n\t* Un-prefixed keys:\n\t\t- storage - - the capacity of the volume.\n\t* Custom resources must - use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have - kubernetes.io prefix are considered\nreserved and hence - may not be used.\n\nClaimResourceStatus can be in any - of following states:\n\t- ControllerResizeInProgress:\n\t\tState - set when resize controller starts resizing the volume - in control-plane.\n\t- ControllerResizeFailed:\n\t\tState - set when resize has failed in resize controller with - a terminal error.\n\t- NodeResizePending:\n\t\tState - set when resize controller has finished resizing the - volume but further resizing of\n\t\tvolume is needed - on the node.\n\t- NodeResizeInProgress:\n\t\tState set - when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState - set when resizing has failed in kubelet with a terminal - error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor - example: if expanding a PVC for more capacity - this - field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeFailed\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizePending\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeFailed\"\nWhen this field is not set, - it means that no resize operation is in progress for - the given PVC.\n\nA controller that receives PVC update - with previously unknown resourceName or ClaimResourceStatus\nshould - ignore the update for the purpose it was designed. 
For - example - a controller that\nonly is responsible for - resizing capacity of the volume, should ignore PVC updates - that change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - x-kubernetes-map-type: granular - allocatedResources: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: "allocatedResources tracks the resources - allocated to a PVC including its capacity.\nKey names - follow standard Kubernetes label syntax. Valid values - are either:\n\t* Un-prefixed keys:\n\t\t- storage - - the capacity of the volume.\n\t* Custom resources must - use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have - kubernetes.io prefix are considered\nreserved and hence - may not be used.\n\nCapacity reported here may be larger - than the actual capacity when a volume expansion operation\nis - requested.\nFor storage quota, the larger value from - allocatedResources and PVC.spec.resources is used.\nIf - allocatedResources is not set, PVC.spec.resources alone - is used for quota calculation.\nIf a volume expansion - capacity request is lowered, allocatedResources is only\nlowered - if there are no expansion operations in progress and - if the actual volume capacity\nis equal or lower than - the requested capacity.\n\nA controller that receives - PVC update with previously unknown resourceName\nshould - ignore the update for the purpose it was designed. 
For - example - a controller that\nonly is responsible for - resizing capacity of the volume, should ignore PVC updates - that change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - capacity: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: capacity represents the actual resources - of the underlying volume. - type: object - conditions: - description: |- - conditions is the current Condition of persistent volume claim. If underlying persistent volume is being - resized then the Condition will be set to 'ResizeStarted'. - items: - description: PersistentVolumeClaimCondition contains - details about state of pvc - properties: - lastProbeTime: - description: lastProbeTime is the time we probed - the condition. - format: date-time - type: string - lastTransitionTime: - description: lastTransitionTime is the time the - condition transitioned from one status to another. - format: date-time - type: string - message: - description: message is the human-readable message - indicating details about last transition. - type: string - reason: - description: |- - reason is a unique, this should be a short, machine understandable string that gives the reason - for condition's last transition. If it reports "ResizeStarted" that means the underlying - persistent volume is being resized. - type: string - status: - type: string - type: - description: PersistentVolumeClaimConditionType - is a valid value of PersistentVolumeClaimCondition.Type - type: string - required: - - status - - type - type: object - type: array - currentVolumeAttributesClassName: - description: |- - currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. 
- When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim - This is an alpha field and requires enabling VolumeAttributesClass feature. - type: string - modifyVolumeStatus: - description: |- - ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. - When this is unset, there is no ModifyVolume operation being attempted. - This is an alpha field and requires enabling VolumeAttributesClass feature. - properties: - status: - description: "status is the status of the ControllerModifyVolume - operation. It can be in any of following states:\n - - Pending\n Pending indicates that the PersistentVolumeClaim - cannot be modified due to unmet requirements, such - as\n the specified VolumeAttributesClass not existing.\n - - InProgress\n InProgress indicates that the volume - is being modified.\n - Infeasible\n Infeasible - indicates that the request has been rejected as - invalid by the CSI driver. To\n\t resolve the error, - a valid VolumeAttributesClass needs to be specified.\nNote: - New statuses can be added in the future. Consumers - should check for unknown statuses and fail appropriately." - type: string - targetVolumeAttributesClassName: - description: targetVolumeAttributesClassName is the - name of the VolumeAttributesClass the PVC currently - being reconciled - type: string - required: - - status - type: object - phase: - description: phase represents the current phase of PersistentVolumeClaim. - type: string - type: object - type: object - volumeClaimTemplate: - description: PersistentVolumeClaim is a user's request for and - claim to a persistent volume - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - description: |- - Standard object's metadata. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. 
- For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to - consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the - PersistentVolume backing this claim. 
- type: string - type: object - status: - description: |- - status represents the current information/status of a persistent volume claim. - Read-only. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the actual access modes the volume backing the PVC has. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - allocatedResourceStatuses: - additionalProperties: - description: |- - When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource - that it does not recognizes, then it should ignore that update and let other controllers - handle it. - type: string - description: "allocatedResourceStatuses stores status - of resource being resized for the given PVC.\nKey names - follow standard Kubernetes label syntax. Valid values - are either:\n\t* Un-prefixed keys:\n\t\t- storage - - the capacity of the volume.\n\t* Custom resources must - use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have - kubernetes.io prefix are considered\nreserved and hence - may not be used.\n\nClaimResourceStatus can be in any - of following states:\n\t- ControllerResizeInProgress:\n\t\tState - set when resize controller starts resizing the volume - in control-plane.\n\t- ControllerResizeFailed:\n\t\tState - set when resize has failed in resize controller with - a terminal error.\n\t- NodeResizePending:\n\t\tState - set when resize controller has finished resizing the - volume but further resizing of\n\t\tvolume is needed - on the node.\n\t- NodeResizeInProgress:\n\t\tState set - when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState - set when resizing has failed in kubelet with a terminal - error. 
Transient errors don't set\n\t\tNodeResizeFailed.\nFor - example: if expanding a PVC for more capacity - this - field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeFailed\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizePending\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeFailed\"\nWhen this field is not set, - it means that no resize operation is in progress for - the given PVC.\n\nA controller that receives PVC update - with previously unknown resourceName or ClaimResourceStatus\nshould - ignore the update for the purpose it was designed. For - example - a controller that\nonly is responsible for - resizing capacity of the volume, should ignore PVC updates - that change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - x-kubernetes-map-type: granular - allocatedResources: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: "allocatedResources tracks the resources - allocated to a PVC including its capacity.\nKey names - follow standard Kubernetes label syntax. 
Valid values - are either:\n\t* Un-prefixed keys:\n\t\t- storage - - the capacity of the volume.\n\t* Custom resources must - use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have - kubernetes.io prefix are considered\nreserved and hence - may not be used.\n\nCapacity reported here may be larger - than the actual capacity when a volume expansion operation\nis - requested.\nFor storage quota, the larger value from - allocatedResources and PVC.spec.resources is used.\nIf - allocatedResources is not set, PVC.spec.resources alone - is used for quota calculation.\nIf a volume expansion - capacity request is lowered, allocatedResources is only\nlowered - if there are no expansion operations in progress and - if the actual volume capacity\nis equal or lower than - the requested capacity.\n\nA controller that receives - PVC update with previously unknown resourceName\nshould - ignore the update for the purpose it was designed. For - example - a controller that\nonly is responsible for - resizing capacity of the volume, should ignore PVC updates - that change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - capacity: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: capacity represents the actual resources - of the underlying volume. - type: object - conditions: - description: |- - conditions is the current Condition of persistent volume claim. If underlying persistent volume is being - resized then the Condition will be set to 'ResizeStarted'. 
- items: - description: PersistentVolumeClaimCondition contains - details about state of pvc - properties: - lastProbeTime: - description: lastProbeTime is the time we probed - the condition. - format: date-time - type: string - lastTransitionTime: - description: lastTransitionTime is the time the - condition transitioned from one status to another. - format: date-time - type: string - message: - description: message is the human-readable message - indicating details about last transition. - type: string - reason: - description: |- - reason is a unique, this should be a short, machine understandable string that gives the reason - for condition's last transition. If it reports "ResizeStarted" that means the underlying - persistent volume is being resized. - type: string - status: - type: string - type: - description: PersistentVolumeClaimConditionType - is a valid value of PersistentVolumeClaimCondition.Type - type: string - required: - - status - - type - type: object - type: array - currentVolumeAttributesClassName: - description: |- - currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. - When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim - This is an alpha field and requires enabling VolumeAttributesClass feature. - type: string - modifyVolumeStatus: - description: |- - ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. - When this is unset, there is no ModifyVolume operation being attempted. - This is an alpha field and requires enabling VolumeAttributesClass feature. - properties: - status: - description: "status is the status of the ControllerModifyVolume - operation. 
It can be in any of following states:\n - - Pending\n Pending indicates that the PersistentVolumeClaim - cannot be modified due to unmet requirements, such - as\n the specified VolumeAttributesClass not existing.\n - - InProgress\n InProgress indicates that the volume - is being modified.\n - Infeasible\n Infeasible - indicates that the request has been rejected as - invalid by the CSI driver. To\n\t resolve the error, - a valid VolumeAttributesClass needs to be specified.\nNote: - New statuses can be added in the future. Consumers - should check for unknown statuses and fail appropriately." - type: string - targetVolumeAttributesClassName: - description: targetVolumeAttributesClassName is the - name of the VolumeAttributesClass the PVC currently - being reconciled - type: string - required: - - status - type: object - phase: - description: phase represents the current phase of PersistentVolumeClaim. - type: string - type: object - type: object - volumeMount: - description: Additional Volume is provided by user that is mounted - on the pods - properties: - mountPath: - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). 
- type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - volume: - items: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: azureDisk represents an Azure Data Disk - mount on the host and bind mount to the pod. - properties: - cachingMode: - description: 'cachingMode is the Host Caching mode: - None, Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data disk - in the blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in - the blob storage - type: string - fsType: - description: |- - fsType is Filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: multiple - blob disks per storage account Dedicated: single - blob disk per storage account Managed: azure - managed data disk (only in managed availability - set). defaults to shared' - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: azureFile represents an Azure File Service - mount on the host and bind mount to the pod. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. 
- type: boolean - secretName: - description: secretName is the name of secret that - contains Azure Storage Account Name and Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: cephFS represents a Ceph FS mount on the - host that shares a pod's lifetime - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - path: - description: 'path is Optional: Used as the mounted - root, rather than the full Ceph tree, default - is /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. 
- More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that should - populate this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers (Beta feature). 
- properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. - type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about - the pod that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. 
- Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing the - pod field - properties: - fieldRef: - description: 'Required: Selects a field of - the pod: only annotations, labels, name - and namespace are supported.' - properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' path. - Must be utf-8 encoded. The first item of - the relative path must not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. 
- The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. 
- - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. 
- type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. 
- If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over - volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource - that is attached to a kubelet's host machine and then - exposed to the pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target - worldwide names (WWNs)' - items: - type: string - type: array - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - properties: - driver: - description: driver is the name of the driver to - use for this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. - type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field holds - extra command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: flocker represents a Flocker volume attached - to a kubelet's host machine. This depends on the Flocker - control service being running - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. - This is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the - specified revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. - More info: https://examples.k8s.io/volumes/glusterfs/README.md - properties: - endpoints: - description: |- - endpoints is the endpoint name that details Glusterfs topology. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - path: - description: |- - path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. 
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://examples.k8s.io/volumes/iscsi/README.md - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether support - iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support - iSCSI Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. 
- type: string - iqn: - description: iqn is the target iSCSI Qualified Name. - type: string - iscsiInterface: - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for iSCSI - target and initiator authentication - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: photonPersistentDisk represents a PhotonController - persistent disk attached and mounted on kubelets host - machine - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon - Controller persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: portworxVolume represents a portworx volume - attached and mounted on kubelets host machine - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). 
ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources - secrets, configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: sources is the list of volume projections - items: - description: Projection that may be projected - along with other supported volume types - properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". 
If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is a - list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the volume - root to write the bundle. 
- type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about the - configMap data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a - path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether - the ConfigMap or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about - the downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects - a field of the pod: only annotations, - labels, name and namespace are - supported.' - properties: - apiVersion: - description: Version of the - schema the FieldPath is written - in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file - to be created. Must not be absolute - or contain the ''..'' path. Must - be utf-8 encoded. The first item - of the relative path must not - start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - type: object - secret: - description: secret information about the - secret data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a - path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. 
- May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify whether - the Secret or its key must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information - about the serviceAccountToken data to project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - type: object - quobyte: - description: quobyte represents a Quobyte mount on the - host that shares a pod's lifetime - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. 
- type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references - an already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. - More info: https://examples.k8s.io/volumes/rbd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - pool: - description: |- - pool is the rados pool name. - Default is rbd. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is the rados user name. - Default is admin. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: scaleIO represents a ScaleIO persistent - volume attached and mounted on Kubernetes nodes. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the - ScaleIO API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the - ScaleIO Protection Domain for the configured storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL - communication with Gateway, default false - type: boolean - storageMode: - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage - Pool associated with the protection domain. - type: string - system: - description: system is the name of the storage system - as configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. 
If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - optional: - description: optional field specify whether the - Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: storageOS represents a StorageOS volume - attached and mounted on Kubernetes nodes. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. 
- type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: vsphereVolume represents a vSphere volume - attached and mounted on kubelets host machine - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy - Based Management (SPBM) profile ID associated - with the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage Policy - Based Management (SPBM) profile name. 
- type: string - volumePath: - description: volumePath is the path that identifies - vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - type: object - type: object - required: - - clusterSize - - kubernetesConfig - type: object - status: - description: RedisClusterStatus defines the observed state of RedisCluster - properties: - readyFollowerReplicas: - default: 0 - format: int32 - type: integer - readyLeaderReplicas: - default: 0 - format: int32 - type: integer - reason: - type: string - state: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.2 - name: redisreplications.redis.redis.opstreelabs.in -spec: - group: redis.redis.opstreelabs.in - names: - kind: RedisReplication - listKind: RedisReplicationList - plural: redisreplications - singular: redisreplication - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.masterNode - name: Master - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta2 - schema: - openAPIV3Schema: - description: Redis is the Schema for the redis API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - TLS: - description: TLS Configuration for redis instances - properties: - ca: - type: string - cert: - type: string - key: - type: string - secret: - description: Reference to secret which contains the certificates - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - optional: - description: optional field specify whether the Secret or - its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - required: - - secret - type: object - acl: - properties: - secret: - description: |- - Adapts a Secret into a volume. - - The contents of the target Secret's Data field will be presented in a volume - as files using the keys in the Data field as the file names. - Secret volumes support ownership management and SELinux relabeling. - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. 
If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - optional: - description: optional field specify whether the Secret or - its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - type: object - affinity: - description: Affinity is a group of affinity scheduling rules. - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the - pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the - corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. 
- type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding - nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. 
- type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - type: array - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate - this pod in the same node, zone, etc. as some other pod(s)). 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. 
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. 
- If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. 
- Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. - avoid putting this pod in the same node, zone, etc. as some - other pod(s)). 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. 
- Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - clusterSize: - format: int32 - type: integer - env: - items: - description: EnvVar represents an environment variable present in - a Container. - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. Cannot - be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath is - written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed - resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - hostPort: - type: integer - initContainer: - description: InitContainer for each Redis pods - properties: - args: - items: - type: string - type: array - command: - items: - type: string - type: array - enabled: - type: boolean - env: - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - type: string - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull - a container image - type: string - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. 
- Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - type: object - type: object - required: - - image - type: object - kubernetesConfig: - description: KubernetesConfig will be the JSON struct for Basic Redis - Config - properties: - ignoreAnnotations: - items: - type: string - type: array - image: - type: string - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull - a container image - type: string - imagePullSecrets: - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - minReadySeconds: - format: int32 - type: integer - persistentVolumeClaimRetentionPolicy: - description: |- - StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs - created from the StatefulSet VolumeClaimTemplates. - properties: - whenDeleted: - description: |- - WhenDeleted specifies what happens to PVCs created from StatefulSet - VolumeClaimTemplates when the StatefulSet is deleted. The default policy - of `Retain` causes PVCs to not be affected by StatefulSet deletion. The - `Delete` policy causes those PVCs to be deleted. - type: string - whenScaled: - description: |- - WhenScaled specifies what happens to PVCs created from StatefulSet - VolumeClaimTemplates when the StatefulSet is scaled down. The default - policy of `Retain` causes PVCs to not be affected by a scaledown. The - `Delete` policy causes the associated PVCs for any excess pods above - the replica count to be deleted. 
- type: string - type: object - redisSecret: - description: ExistingPasswordSecret is the struct to access the - existing secret - properties: - key: - type: string - name: - type: string - type: object - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - service: - description: ServiceConfig define the type of service to be created - and its annotations - properties: - additional: - description: Additional config for which suffix is -additional - service - properties: - additionalAnnotations: - additionalProperties: - type: string - type: object - enabled: - default: true - type: boolean - includeBusPort: - description: |- - IncludeBusPort when set to true, it will add bus port to the service, such as 16379. - This field is only used for Redis cluster mode. - type: boolean - type: - default: ClusterIP - enum: - - LoadBalancer - - NodePort - - ClusterIP - type: string - type: object - annotations: - additionalProperties: - type: string - type: object - headless: - description: Headless config for which suffix is -headless - service - properties: - additionalAnnotations: - additionalProperties: - type: string - type: object - enabled: - default: true - type: boolean - includeBusPort: - description: |- - IncludeBusPort when set to true, it will add bus port to the service, such as 16379. - This field is only used for Redis cluster mode. - type: boolean - type: - default: ClusterIP - enum: - - LoadBalancer - - NodePort - - ClusterIP - type: string - type: object - includeBusPort: - description: |- - IncludeBusPort when set to true, it will add bus port to the service, such as 16379. - This field is only used for Redis cluster mode. - type: boolean - serviceType: - enum: - - LoadBalancer - - NodePort - - ClusterIP - type: string - type: object - updateStrategy: - description: |- - StatefulSetUpdateStrategy indicates the strategy that the StatefulSet - controller will use to perform updates. It includes any additional parameters - necessary to perform the update for the indicated strategy. 
- properties: - rollingUpdate: - description: RollingUpdate is used to communicate parameters - when Type is RollingUpdateStatefulSetStrategyType. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding up. This can not be 0. - Defaults to 1. This field is alpha-level and is only honored by servers that enable the - MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to - Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it - will be counted towards MaxUnavailable. - x-kubernetes-int-or-string: true - partition: - description: |- - Partition indicates the ordinal at which the StatefulSet should be partitioned - for updates. During a rolling update, all pods from ordinal Replicas-1 to - Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. - This is helpful in being able to do a canary based deployment. The default value is 0. - format: int32 - type: integer - type: object - type: - description: |- - Type indicates the type of the StatefulSetUpdateStrategy. - Default is RollingUpdate. - type: string - type: object - required: - - image - type: object - livenessProbe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. 
To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC port. - properties: - port: - description: Port number of the gRPC service. Number must - be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows - repeated headers. - items: - description: HTTPHeader describes a custom header to be - used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. 
- x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). 
- This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - nodeSelector: - additionalProperties: - type: string - type: object - pdb: - description: RedisPodDisruptionBudget configure a PodDisruptionBudget - on the resource (leader/follower) - properties: - enabled: - type: boolean - maxUnavailable: - format: int32 - type: integer - minAvailable: - format: int32 - type: integer - type: object - podSecurityContext: - description: |- - PodSecurityContext holds pod-level security attributes and common container settings. - Some fields are also present in container.securityContext. Field values of - container.securityContext take precedence over field values of PodSecurityContext. - properties: - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). 
- It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in addition - to the container's primary GID, the fsGroup (if specified), and group memberships - defined in the container image for the uid of the container process. If unspecified, - no additional groups are added to any container. Note that group memberships - defined in the container image for the uid of the container process are still effective, - even if they are not included in this list. - Note that this field cannot be set when spec.os.name is windows. 
- items: - format: int64 - type: integer - type: array - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA - credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - priorityClassName: - type: string - readinessProbe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC port. - properties: - port: - description: Port number of the gRPC service. Number must - be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. 
HTTP allows - repeated headers. - items: - description: HTTPHeader describes a custom header to be - used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. 
- x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - redisConfig: - description: RedisConfig defines the external configuration of Redis - properties: - additionalRedisConfig: - type: string - dynamicConfig: - items: - type: string - type: array - maxMemoryPercentOfLimit: - description: MaxMemoryPercentOfLimit is the percentage of redis - container memory limit to be used as maxmemory. - maximum: 100 - minimum: 1 - type: integer - type: object - redisExporter: - description: RedisExporter interface will have the information for - redis exporter related stuff - properties: - enabled: - type: boolean - env: - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. 
- type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
- properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - type: string - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull - a container image - type: string - port: - default: 9121 - type: integer - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. 
It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. 
- type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. 
- If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. 
- Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - required: - - image - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. 
- The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. 
- properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA - credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - serviceAccountName: - type: string - sidecars: - items: - description: Sidecar for each Redis pods - properties: - command: - items: - type: string - type: array - env: - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be - a C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". 
- Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
- properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - type: string - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull - a container image - type: string - mountPath: - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. 
- type: boolean - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - name: - type: string - ports: - items: - description: ContainerPort represents a network port in a - single container. - properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. - This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: |- - Number of port to expose on the host. - If specified, this must be a valid port number, 0 < x < 65536. - If HostNetwork is specified, this must match ContainerPort. - Most containers do not need this. - format: int32 - type: integer - name: - description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. - type: string - protocol: - default: TCP - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. - Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. 
- - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. 
This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. 
If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). 
- In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - required: - - image - - name - type: object - type: array - storage: - description: Storage is the inteface to add pvc and pv support in - redis - properties: - keepAfterDelete: - type: boolean - volumeClaimTemplate: - description: PersistentVolumeClaim is a user's request for and - claim to a persistent volume - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - description: |- - Standard object's metadata. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. 
For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to - consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. 
- If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the - PersistentVolume backing this claim. - type: string - type: object - status: - description: |- - status represents the current information/status of a persistent volume claim. - Read-only. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the actual access modes the volume backing the PVC has. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - allocatedResourceStatuses: - additionalProperties: - description: |- - When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource - that it does not recognizes, then it should ignore that update and let other controllers - handle it. - type: string - description: "allocatedResourceStatuses stores status - of resource being resized for the given PVC.\nKey names - follow standard Kubernetes label syntax. 
Valid values - are either:\n\t* Un-prefixed keys:\n\t\t- storage - - the capacity of the volume.\n\t* Custom resources must - use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have - kubernetes.io prefix are considered\nreserved and hence - may not be used.\n\nClaimResourceStatus can be in any - of following states:\n\t- ControllerResizeInProgress:\n\t\tState - set when resize controller starts resizing the volume - in control-plane.\n\t- ControllerResizeFailed:\n\t\tState - set when resize has failed in resize controller with - a terminal error.\n\t- NodeResizePending:\n\t\tState - set when resize controller has finished resizing the - volume but further resizing of\n\t\tvolume is needed - on the node.\n\t- NodeResizeInProgress:\n\t\tState set - when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState - set when resizing has failed in kubelet with a terminal - error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor - example: if expanding a PVC for more capacity - this - field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"ControllerResizeFailed\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizePending\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] - = \"NodeResizeFailed\"\nWhen this field is not set, - it means that no resize operation is in progress for - the given PVC.\n\nA controller that receives PVC update - with previously unknown resourceName or ClaimResourceStatus\nshould - ignore the update for the purpose it was designed. 
For - example - a controller that\nonly is responsible for - resizing capacity of the volume, should ignore PVC updates - that change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - x-kubernetes-map-type: granular - allocatedResources: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: "allocatedResources tracks the resources - allocated to a PVC including its capacity.\nKey names - follow standard Kubernetes label syntax. Valid values - are either:\n\t* Un-prefixed keys:\n\t\t- storage - - the capacity of the volume.\n\t* Custom resources must - use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart - from above values - keys that are unprefixed or have - kubernetes.io prefix are considered\nreserved and hence - may not be used.\n\nCapacity reported here may be larger - than the actual capacity when a volume expansion operation\nis - requested.\nFor storage quota, the larger value from - allocatedResources and PVC.spec.resources is used.\nIf - allocatedResources is not set, PVC.spec.resources alone - is used for quota calculation.\nIf a volume expansion - capacity request is lowered, allocatedResources is only\nlowered - if there are no expansion operations in progress and - if the actual volume capacity\nis equal or lower than - the requested capacity.\n\nA controller that receives - PVC update with previously unknown resourceName\nshould - ignore the update for the purpose it was designed. 
For - example - a controller that\nonly is responsible for - resizing capacity of the volume, should ignore PVC updates - that change other valid\nresources associated with PVC.\n\nThis - is an alpha field and requires enabling RecoverVolumeExpansionFailure - feature." - type: object - capacity: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: capacity represents the actual resources - of the underlying volume. - type: object - conditions: - description: |- - conditions is the current Condition of persistent volume claim. If underlying persistent volume is being - resized then the Condition will be set to 'ResizeStarted'. - items: - description: PersistentVolumeClaimCondition contains - details about state of pvc - properties: - lastProbeTime: - description: lastProbeTime is the time we probed - the condition. - format: date-time - type: string - lastTransitionTime: - description: lastTransitionTime is the time the - condition transitioned from one status to another. - format: date-time - type: string - message: - description: message is the human-readable message - indicating details about last transition. - type: string - reason: - description: |- - reason is a unique, this should be a short, machine understandable string that gives the reason - for condition's last transition. If it reports "ResizeStarted" that means the underlying - persistent volume is being resized. - type: string - status: - type: string - type: - description: PersistentVolumeClaimConditionType - is a valid value of PersistentVolumeClaimCondition.Type - type: string - required: - - status - - type - type: object - type: array - currentVolumeAttributesClassName: - description: |- - currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. 
- When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim - This is an alpha field and requires enabling VolumeAttributesClass feature. - type: string - modifyVolumeStatus: - description: |- - ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. - When this is unset, there is no ModifyVolume operation being attempted. - This is an alpha field and requires enabling VolumeAttributesClass feature. - properties: - status: - description: "status is the status of the ControllerModifyVolume - operation. It can be in any of following states:\n - - Pending\n Pending indicates that the PersistentVolumeClaim - cannot be modified due to unmet requirements, such - as\n the specified VolumeAttributesClass not existing.\n - - InProgress\n InProgress indicates that the volume - is being modified.\n - Infeasible\n Infeasible - indicates that the request has been rejected as - invalid by the CSI driver. To\n\t resolve the error, - a valid VolumeAttributesClass needs to be specified.\nNote: - New statuses can be added in the future. Consumers - should check for unknown statuses and fail appropriately." - type: string - targetVolumeAttributesClassName: - description: targetVolumeAttributesClassName is the - name of the VolumeAttributesClass the PVC currently - being reconciled - type: string - required: - - status - type: object - phase: - description: phase represents the current phase of PersistentVolumeClaim. - type: string - type: object - type: object - volumeMount: - description: Additional Volume is provided by user that is mounted - on the pods - properties: - mountPath: - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. 
- type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - volume: - items: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. 
- Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: azureDisk represents an Azure Data Disk - mount on the host and bind mount to the pod. - properties: - cachingMode: - description: 'cachingMode is the Host Caching mode: - None, Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data disk - in the blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in - the blob storage - type: string - fsType: - description: |- - fsType is Filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: multiple - blob disks per storage account Dedicated: single - blob disk per storage account Managed: azure - managed data disk (only in managed availability - set). defaults to shared' - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: azureFile represents an Azure File Service - mount on the host and bind mount to the pod. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). 
ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: secretName is the name of secret that - contains Azure Storage Account Name and Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: cephFS represents a Ceph FS mount on the - host that shares a pod's lifetime - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - path: - description: 'path is Optional: Used as the mounted - root, rather than the full Ceph tree, default - is /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that should - populate this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
- YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers (Beta feature). - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. 
- type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about - the pod that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing the - pod field - properties: - fieldRef: - description: 'Required: Selects a field of - the pod: only annotations, labels, name - and namespace are supported.' - properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' path. - Must be utf-8 encoded. The first item of - the relative path must not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. 
- The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. - The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. 
Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. 
- When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. 
- * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over - volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. 
- type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource - that is attached to a kubelet's host machine and then - exposed to the pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target - worldwide names (WWNs)' - items: - type: string - type: array - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - properties: - driver: - description: driver is the name of the driver to - use for this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
- type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field holds - extra command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: flocker represents a Flocker volume attached - to a kubelet's host machine. This depends on the Flocker - control service being running - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. - This is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the - specified revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. 
- More info: https://examples.k8s.io/volumes/glusterfs/README.md - properties: - endpoints: - description: |- - endpoints is the endpoint name that details Glusterfs topology. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - path: - description: |- - path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. 
- More info: https://examples.k8s.io/volumes/iscsi/README.md - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether support - iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support - iSCSI Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified Name. - type: string - iscsiInterface: - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for iSCSI - target and initiator authentication - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. 
The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. 
- type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: photonPersistentDisk represents a PhotonController - persistent disk attached and mounted on kubelets host - machine - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon - Controller persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: portworxVolume represents a portworx volume - attached and mounted on kubelets host machine - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources - secrets, configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - sources: - description: sources is the list of volume projections - items: - description: Projection that may be projected - along with other supported volume types - properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is a - list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the volume - root to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about the - configMap data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. 
Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a - path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether - the ConfigMap or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about - the downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects - a field of the pod: only annotations, - labels, name and namespace are - supported.' - properties: - apiVersion: - description: Version of the - schema the FieldPath is written - in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified - API version. 
- type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file - to be created. Must not be absolute - or contain the ''..'' path. Must - be utf-8 encoded. The first item - of the relative path must not - start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - type: object - secret: - description: secret information about the - secret data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. 
If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a - path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify whether - the Secret or its key must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information - about the serviceAccountToken data to project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. 
- type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - type: object - quobyte: - description: quobyte represents a Quobyte mount on the - host that shares a pod's lifetime - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. - type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references - an already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. 
- More info: https://examples.k8s.io/volumes/rbd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - pool: - description: |- - pool is the rados pool name. - Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is the rados user name. - Default is admin. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: scaleIO represents a ScaleIO persistent - volume attached and mounted on Kubernetes nodes. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the - ScaleIO API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the - ScaleIO Protection Domain for the configured storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL - communication with Gateway, default false - type: boolean - storageMode: - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage - Pool associated with the protection domain. - type: string - system: - description: system is the name of the storage system - as configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. 
- type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - optional: - description: optional field specify whether the - Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: storageOS represents a StorageOS volume - attached and mounted on Kubernetes nodes. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. 
- Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: vsphereVolume represents a vSphere volume - attached and mounted on kubelets host machine - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy - Based Management (SPBM) profile ID associated - with the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage Policy - Based Management (SPBM) profile name. - type: string - volumePath: - description: volumePath is the path that identifies - vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - type: object - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - tolerations: - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. 
- Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - items: - description: TopologySpreadConstraint specifies how to spread matching - pods among the given topology. - properties: - labelSelector: - description: |- - LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine the number of pods - in their corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select the pods over which - spreading will be calculated. The keys are used to lookup values from the - incoming pod labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading will be calculated - for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't set. - Keys that don't exist in the incoming pod labels will - be ignored. A null or empty list means only match against labelSelector. - - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - description: |- - MaxSkew describes the degree to which pods may be unevenly distributed. - When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference - between the number of matching pods in the target topology and the global minimum. - The global minimum is the minimum number of matching pods in an eligible domain - or zero if the number of eligible domains is less than MinDomains. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 2/2/1: - In this case, the global minimum is 1. 
- | zone1 | zone2 | zone3 | - | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; - scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - - if MaxSkew is 2, incoming pod can be scheduled onto any zone. - When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence - to topologies that satisfy it. - It's a required field. Default value is 1 and 0 is not allowed. - format: int32 - type: integer - minDomains: - description: |- - MinDomains indicates a minimum number of eligible domains. - When the number of eligible domains with matching topology keys is less than minDomains, - Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. - And when the number of eligible domains with matching topology keys equals or greater than minDomains, - this value has no effect on scheduling. - As a result, when the number of eligible domains is less than minDomains, - scheduler won't schedule more than maxSkew Pods to those domains. - If value is nil, the constraint behaves as if MinDomains is equal to 1. - Valid values are integers greater than 0. - When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same - labelSelector spread as 2/2/2: - | zone1 | zone2 | zone3 | - | P P | P P | P P | - The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. - In this situation, new pod with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. - - This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). 
- format: int32 - type: integer - nodeAffinityPolicy: - description: |- - NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. Options are: - - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - - If this value is nil, the behavior is equivalent to the Honor policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - nodeTaintsPolicy: - description: |- - NodeTaintsPolicy indicates how we will treat node taints when calculating - pod topology spread skew. Options are: - - Honor: nodes without taints, along with tainted nodes for which the incoming pod - has a toleration, are included. - - Ignore: node taints are ignored. All nodes are included. - - If this value is nil, the behavior is equivalent to the Ignore policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - topologyKey: - description: |- - TopologyKey is the key of node labels. Nodes that have a label with this key - and identical values are considered to be in the same topology. - We consider each as a "bucket", and try to put balanced number - of pods into each bucket. - We define a domain as a particular instance of a topology. - Also, we define an eligible domain as a domain whose nodes meet the requirements of - nodeAffinityPolicy and nodeTaintsPolicy. - e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. - And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. - It's a required field. - type: string - whenUnsatisfiable: - description: |- - WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy - the spread constraint. 
- - DoNotSchedule (default) tells the scheduler not to schedule it. - - ScheduleAnyway tells the scheduler to schedule the pod in any location, - but giving higher precedence to topologies that would help reduce the - skew. - A constraint is considered "Unsatisfiable" for an incoming pod - if and only if every possible node assignment for that pod would violate - "MaxSkew" on some topology. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: - | zone1 | zone2 | zone3 | - | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled - to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler - won't make it *more* imbalanced. - It's a required field. - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - required: - - clusterSize - - kubernetesConfig - type: object - status: - description: RedisStatus defines the observed state of Redis - properties: - masterNode: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.2 - name: redissentinels.redis.redis.opstreelabs.in -spec: - group: redis.redis.opstreelabs.in - names: - kind: RedisSentinel - listKind: RedisSentinelList - plural: redissentinels - singular: redissentinel - scope: Namespaced - versions: - - name: v1beta2 - schema: - openAPIV3Schema: - description: Redis is the Schema for the redis API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - TLS: - description: TLS Configuration for redis instances - properties: - ca: - type: string - cert: - type: string - key: - type: string - secret: - description: Reference to secret which contains the certificates - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. 
- type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - optional: - description: optional field specify whether the Secret or - its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - required: - - secret - type: object - affinity: - description: Affinity is a group of affinity scheduling rules. - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the - pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the - corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. 
- type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding - nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. 
- type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - type: array - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate - this pod in the same node, zone, etc. as some other pod(s)). 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. 
- This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. 
- If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. 
- Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. - avoid putting this pod in the same node, zone, etc. as some - other pod(s)). 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. 
- Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - Also, MatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. - Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - clusterSize: - default: 3 - format: int32 - minimum: 1 - type: integer - env: - items: - description: EnvVar represents an environment variable present in - a Container. - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. Cannot - be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath is - written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed - resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - hostPort: - type: integer - initContainer: - description: InitContainer for each Redis pods - properties: - args: - items: - type: string - type: array - command: - items: - type: string - type: array - enabled: - type: boolean - env: - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - type: string - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull - a container image - type: string - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. 
- Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - type: object - type: object - required: - - image - type: object - kubernetesConfig: - description: KubernetesConfig will be the JSON struct for Basic Redis - Config - properties: - ignoreAnnotations: - items: - type: string - type: array - image: - type: string - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull - a container image - type: string - imagePullSecrets: - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - minReadySeconds: - format: int32 - type: integer - persistentVolumeClaimRetentionPolicy: - description: |- - StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs - created from the StatefulSet VolumeClaimTemplates. - properties: - whenDeleted: - description: |- - WhenDeleted specifies what happens to PVCs created from StatefulSet - VolumeClaimTemplates when the StatefulSet is deleted. The default policy - of `Retain` causes PVCs to not be affected by StatefulSet deletion. The - `Delete` policy causes those PVCs to be deleted. - type: string - whenScaled: - description: |- - WhenScaled specifies what happens to PVCs created from StatefulSet - VolumeClaimTemplates when the StatefulSet is scaled down. The default - policy of `Retain` causes PVCs to not be affected by a scaledown. The - `Delete` policy causes the associated PVCs for any excess pods above - the replica count to be deleted. 
- type: string - type: object - redisSecret: - description: ExistingPasswordSecret is the struct to access the - existing secret - properties: - key: - type: string - name: - type: string - type: object - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - service: - description: ServiceConfig define the type of service to be created - and its annotations - properties: - additional: - description: Additional config for which suffix is -additional - service - properties: - additionalAnnotations: - additionalProperties: - type: string - type: object - enabled: - default: true - type: boolean - includeBusPort: - description: |- - IncludeBusPort when set to true, it will add bus port to the service, such as 16379. - This field is only used for Redis cluster mode. - type: boolean - type: - default: ClusterIP - enum: - - LoadBalancer - - NodePort - - ClusterIP - type: string - type: object - annotations: - additionalProperties: - type: string - type: object - headless: - description: Headless config for which suffix is -headless - service - properties: - additionalAnnotations: - additionalProperties: - type: string - type: object - enabled: - default: true - type: boolean - includeBusPort: - description: |- - IncludeBusPort when set to true, it will add bus port to the service, such as 16379. - This field is only used for Redis cluster mode. - type: boolean - type: - default: ClusterIP - enum: - - LoadBalancer - - NodePort - - ClusterIP - type: string - type: object - includeBusPort: - description: |- - IncludeBusPort when set to true, it will add bus port to the service, such as 16379. - This field is only used for Redis cluster mode. - type: boolean - serviceType: - enum: - - LoadBalancer - - NodePort - - ClusterIP - type: string - type: object - updateStrategy: - description: |- - StatefulSetUpdateStrategy indicates the strategy that the StatefulSet - controller will use to perform updates. It includes any additional parameters - necessary to perform the update for the indicated strategy. 
- properties: - rollingUpdate: - description: RollingUpdate is used to communicate parameters - when Type is RollingUpdateStatefulSetStrategyType. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding up. This can not be 0. - Defaults to 1. This field is alpha-level and is only honored by servers that enable the - MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to - Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it - will be counted towards MaxUnavailable. - x-kubernetes-int-or-string: true - partition: - description: |- - Partition indicates the ordinal at which the StatefulSet should be partitioned - for updates. During a rolling update, all pods from ordinal Replicas-1 to - Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. - This is helpful in being able to do a canary based deployment. The default value is 0. - format: int32 - type: integer - type: object - type: - description: |- - Type indicates the type of the StatefulSetUpdateStrategy. - Default is RollingUpdate. - type: string - type: object - required: - - image - type: object - livenessProbe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. 
To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC port. - properties: - port: - description: Port number of the gRPC service. Number must - be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows - repeated headers. - items: - description: HTTPHeader describes a custom header to be - used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. 
- x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). 
- This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - nodeSelector: - additionalProperties: - type: string - type: object - pdb: - description: RedisPodDisruptionBudget configure a PodDisruptionBudget - on the resource (leader/follower) - properties: - enabled: - type: boolean - maxUnavailable: - format: int32 - type: integer - minAvailable: - format: int32 - type: integer - type: object - podSecurityContext: - description: |- - PodSecurityContext holds pod-level security attributes and common container settings. - Some fields are also present in container.securityContext. Field values of - container.securityContext take precedence over field values of PodSecurityContext. - properties: - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). 
- It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in addition - to the container's primary GID, the fsGroup (if specified), and group memberships - defined in the container image for the uid of the container process. If unspecified, - no additional groups are added to any container. Note that group memberships - defined in the container image for the uid of the container process are still effective, - even if they are not included in this list. - Note that this field cannot be set when spec.os.name is windows. 
- items: - format: int64 - type: integer - type: array - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA - credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - priorityClassName: - type: string - readinessProbe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a GRPC port. - properties: - port: - description: Port number of the gRPC service. Number must - be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. 
HTTP allows - repeated headers. - items: - description: HTTPHeader describes a custom header to be - used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults - to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. 
- x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - redisExporter: - description: RedisExporter interface will have the information for - redis exporter related stuff - properties: - enabled: - type: boolean - env: - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. 
- "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
- properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - type: string - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull - a container image - type: string - port: - default: 9121 - type: integer - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. 
It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. 
- type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. 
- If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. 
- Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - required: - - image - type: object - redisSentinelConfig: - properties: - additionalSentinelConfig: - type: string - announceHostnames: - default: "no" - type: string - downAfterMilliseconds: - default: "30000" - type: string - failoverTimeout: - default: "180000" - type: string - masterGroupName: - default: myMaster - type: string - parallelSyncs: - default: "1" - type: string - quorum: - default: "2" - type: string - redisPort: - default: "6379" - type: string - redisReplicationName: - type: string - redisReplicationPassword: - description: EnvVarSource represents a source for the value of - an EnvVar. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath is written - in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified - API version. 
- type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed - resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - resolveHostnames: - default: "no" - type: string - required: - - redisReplicationName - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. 
This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. 
If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA - credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). 
- In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - serviceAccountName: - type: string - sidecars: - items: - description: Sidecar for each Redis pods - properties: - command: - items: - type: string - type: array - env: - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be - a C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - type: string - imagePullPolicy: - description: PullPolicy describes a policy for if/when to pull - a container image - type: string - mountPath: - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - name: - type: string - ports: - items: - description: ContainerPort represents a network port in a - single container. - properties: - containerPort: - description: |- - Number of port to expose on the pod's IP address. 
- This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: |- - Number of port to expose on the host. - If specified, this must be a valid port number, 0 < x < 65536. - If HostNetwork is specified, this must match ContainerPort. - Most containers do not need this. - format: int32 - type: integer - name: - description: |- - If specified, this must be an IANA_SVC_NAME and unique within the pod. Each - named port in a pod must have a unique name. Name for the port that can be - referred to by services. - type: string - protocol: - default: TCP - description: |- - Protocol for port. Must be UDP, TCP, or SCTP. - Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - resources: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - securityContext: - description: |- - SecurityContext holds security configuration that will be applied to a container. - Some fields are present in both SecurityContext and PodSecurityContext. When both - are set, the values in SecurityContext take precedence. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. 
- Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - type: object - type: object - required: - - image - - name - type: object - type: array - terminationGracePeriodSeconds: - format: int64 - type: integer - tolerations: - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - items: - description: TopologySpreadConstraint specifies how to spread matching - pods among the given topology. - properties: - labelSelector: - description: |- - LabelSelector is used to find matching pods. 
- Pods that match this label selector are counted to determine the number of pods - in their corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select the pods over which - spreading will be calculated. The keys are used to lookup values from the - incoming pod labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading will be calculated - for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't set. 
- Keys that don't exist in the incoming pod labels will - be ignored. A null or empty list means only match against labelSelector. - - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - description: |- - MaxSkew describes the degree to which pods may be unevenly distributed. - When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference - between the number of matching pods in the target topology and the global minimum. - The global minimum is the minimum number of matching pods in an eligible domain - or zero if the number of eligible domains is less than MinDomains. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 2/2/1: - In this case, the global minimum is 1. - | zone1 | zone2 | zone3 | - | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; - scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - - if MaxSkew is 2, incoming pod can be scheduled onto any zone. - When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence - to topologies that satisfy it. - It's a required field. Default value is 1 and 0 is not allowed. - format: int32 - type: integer - minDomains: - description: |- - MinDomains indicates a minimum number of eligible domains. - When the number of eligible domains with matching topology keys is less than minDomains, - Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. - And when the number of eligible domains with matching topology keys equals or greater than minDomains, - this value has no effect on scheduling. - As a result, when the number of eligible domains is less than minDomains, - scheduler won't schedule more than maxSkew Pods to those domains. 
- If value is nil, the constraint behaves as if MinDomains is equal to 1. - Valid values are integers greater than 0. - When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same - labelSelector spread as 2/2/2: - | zone1 | zone2 | zone3 | - | P P | P P | P P | - The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. - In this situation, new pod with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. - - This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). - format: int32 - type: integer - nodeAffinityPolicy: - description: |- - NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. Options are: - - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - - If this value is nil, the behavior is equivalent to the Honor policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - nodeTaintsPolicy: - description: |- - NodeTaintsPolicy indicates how we will treat node taints when calculating - pod topology spread skew. Options are: - - Honor: nodes without taints, along with tainted nodes for which the incoming pod - has a toleration, are included. - - Ignore: node taints are ignored. All nodes are included. - - If this value is nil, the behavior is equivalent to the Ignore policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - topologyKey: - description: |- - TopologyKey is the key of node labels. 
Nodes that have a label with this key - and identical values are considered to be in the same topology. - We consider each as a "bucket", and try to put balanced number - of pods into each bucket. - We define a domain as a particular instance of a topology. - Also, we define an eligible domain as a domain whose nodes meet the requirements of - nodeAffinityPolicy and nodeTaintsPolicy. - e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. - And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. - It's a required field. - type: string - whenUnsatisfiable: - description: |- - WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy - the spread constraint. - - DoNotSchedule (default) tells the scheduler not to schedule it. - - ScheduleAnyway tells the scheduler to schedule the pod in any location, - but giving higher precedence to topologies that would help reduce the - skew. - A constraint is considered "Unsatisfiable" for an incoming pod - if and only if every possible node assignment for that pod would violate - "MaxSkew" on some topology. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: - | zone1 | zone2 | zone3 | - | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled - to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler - won't make it *more* imbalanced. - It's a required field. - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - volumeMount: - description: Additional Volume is provided by user that is mounted - on the pods - properties: - mountPath: - items: - description: VolumeMount describes a mounting of a Volume within - a container. 
- properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - volume: - items: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: azureDisk represents an Azure Data Disk mount - on the host and bind mount to the pod. - properties: - cachingMode: - description: 'cachingMode is the Host Caching mode: - None, Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data disk in - the blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in the - blob storage - type: string - fsType: - description: |- - fsType is Filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: multiple - blob disks per storage account Dedicated: single - blob disk per storage account Managed: azure managed - data disk (only in managed availability set). defaults - to shared' - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. 
- type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: azureFile represents an Azure File Service - mount on the host and bind mount to the pod. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: secretName is the name of secret that - contains Azure Storage Account Name and Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: cephFS represents a Ceph FS mount on the host - that shares a pod's lifetime - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - path: - description: 'path is Optional: Used as the mounted - root, rather than the full Ceph tree, default is /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that should - populate this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
- YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a - volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers (Beta feature). - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. 
- type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about the - pod that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents information - to create the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects a field of the - pod: only annotations, labels, name and namespace - are supported.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in - the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must not - be absolute or contain the ''..'' path. Must - be utf-8 encoded. The first item of the relative - path must not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required for - volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of - the exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. 
- The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. - The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. 
Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. 
- When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. 
- * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over - volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. 
- type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource that - is attached to a kubelet's host machine and then exposed - to the pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target worldwide - names (WWNs)' - items: - type: string - type: array - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - properties: - driver: - description: driver is the name of the driver to use - for this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
- type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field holds - extra command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: flocker represents a Flocker volume attached - to a kubelet's host machine. This depends on the Flocker - control service being running - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. - This is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the specified - revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. 
- More info: https://examples.k8s.io/volumes/glusterfs/README.md - properties: - endpoints: - description: |- - endpoints is the endpoint name that details Glusterfs topology. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - path: - description: |- - path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. 
- More info: https://examples.k8s.io/volumes/iscsi/README.md - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether support - iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support - iSCSI Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified Name. - type: string - iscsiInterface: - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for iSCSI - target and initiator authentication - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. 
The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. 
- type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: photonPersistentDisk represents a PhotonController - persistent disk attached and mounted on kubelets host - machine - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon Controller - persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: portworxVolume represents a portworx volume - attached and mounted on kubelets host machine - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources secrets, - configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - sources: - description: sources is the list of volume projections - items: - description: Projection that may be projected along - with other supported volume types - properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the volume - root to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about the configMap - data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. 
Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path - within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the - ConfigMap or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about the - downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a field - of the pod: only annotations, labels, - name and namespace are supported.' - properties: - apiVersion: - description: Version of the schema - the FieldPath is written in terms - of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to - select in the specified API version. 
- type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file to - be created. Must not be absolute or - contain the ''..'' path. Must be utf-8 - encoded. The first item of the relative - path must not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required - for volumes, optional for env - vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - type: object - secret: - description: secret information about the secret - data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. 
If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path - within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify whether - the Secret or its key must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information - about the serviceAccountToken data to project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. 
- type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - type: object - quobyte: - description: quobyte represents a Quobyte mount on the host - that shares a pod's lifetime - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. - type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references an already - created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. 
- More info: https://examples.k8s.io/volumes/rbd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - pool: - description: |- - pool is the rados pool name. - Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is the rados user name. - Default is admin. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: scaleIO represents a ScaleIO persistent volume - attached and mounted on Kubernetes nodes. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the ScaleIO - API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the ScaleIO - Protection Domain for the configured storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL communication - with Gateway, default false - type: boolean - storageMode: - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage Pool - associated with the protection domain. - type: string - system: - description: system is the name of the storage system - as configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. 
- type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a - volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - optional: - description: optional field specify whether the Secret - or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: storageOS represents a StorageOS volume attached - and mounted on Kubernetes nodes. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. 
- Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: vsphereVolume represents a vSphere volume attached - and mounted on kubelets host machine - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy Based - Management (SPBM) profile ID associated with the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage Policy - Based Management (SPBM) profile name. - type: string - volumePath: - description: volumePath is the path that identifies - vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - type: object - required: - - clusterSize - - kubernetesConfig - type: object - status: - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: redis-operator/charts/redis-operator/templates/service-account.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: redis-operator - namespace: redis-operator - labels: - app.kubernetes.io/name : redis-operator - helm.sh/chart : redis-operator-0.22.2 - app.kubernetes.io/managed-by : Helm - app.kubernetes.io/instance : redis-operator - app.kubernetes.io/version : 0.22.2 - app.kubernetes.io/component: service-account - app.kubernetes.io/part-of : redis-operator ---- -# Source: redis-operator/charts/redis-operator/templates/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: redis-operator - labels: - 
app.kubernetes.io/name : redis-operator - helm.sh/chart : redis-operator-0.22.2 - app.kubernetes.io/managed-by : Helm - app.kubernetes.io/instance : redis-operator - app.kubernetes.io/version : 0.22.2 - app.kubernetes.io/component: role - app.kubernetes.io/part-of : redis-operator -rules: -- apiGroups: - - redis.redis.opstreelabs.in - resources: - - rediss - - redisclusters - - redisreplications - - redis - - rediscluster - - redissentinel - - redissentinels - - redisreplication - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- nonResourceURLs: - - '*' - verbs: - - get -- apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" -- apiGroups: - - redis.redis.opstreelabs.in - resources: - - redis/finalizers - - rediscluster/finalizers - - redisclusters/finalizers - - redissentinel/finalizers - - redissentinels/finalizers - - redisreplication/finalizers - - redisreplications/finalizers - verbs: - - update -- apiGroups: - - redis.redis.opstreelabs.in - resources: - - redis/status - - rediscluster/status - - redisclusters/status - - redissentinel/status - - redissentinels/status - - redisreplication/status - - redisreplications/status - verbs: - - get - - patch - - update -- apiGroups: - - "" - resources: - - secrets - - pods/exec - - pods - - services - - configmaps - - events - - persistentvolumeclaims - - namespace - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - apps - resources: - - statefulsets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "coordination.k8s.io" - resources: - - leases - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "policy" - resources: - - poddisruptionbudgets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -# Source: 
redis-operator/charts/redis-operator/templates/role-binding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: redis-operator - labels: - app.kubernetes.io/name : redis-operator - helm.sh/chart : redis-operator-0.22.2 - app.kubernetes.io/managed-by : Helm - app.kubernetes.io/instance : redis-operator - app.kubernetes.io/version : 0.22.2 - app.kubernetes.io/component: role-binding - app.kubernetes.io/part-of : redis-operator -subjects: -- kind: ServiceAccount - name: redis-operator - namespace: redis-operator -roleRef: - kind: ClusterRole - name: redis-operator - apiGroup: rbac.authorization.k8s.io ---- -# Source: redis-operator/charts/redis-operator/templates/operator-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: redis-operator - namespace: redis-operator - labels: - app.kubernetes.io/name: redis-operator - helm.sh/chart: redis-operator-0.22.2 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/instance: redis-operator - app.kubernetes.io/version: 0.22.2 - app.kubernetes.io/component: operator - app.kubernetes.io/part-of: redis-operator -spec: - replicas: 2 - selector: - matchLabels: - name: redis-operator - template: - metadata: - annotations: - cert-manager.io/inject-ca-from: redis-operator/serving-cert - labels: - name: redis-operator - spec: - automountServiceAccountToken: true - securityContext: - {} - containers: - - name: "redis-operator" - securityContext: - {} - image: "ghcr.io/ot-container-kit/redis-operator/redis-operator:v0.21.0" - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /healthz - port: probe - readinessProbe: - httpGet: - path: /readyz - port: probe - command: - - /operator - - manager - args: - - --leader-elect - - --metrics-bind-address=:8080 - ports: - - containerPort: 8081 - name: probe - protocol: TCP - - containerPort: 8080 - name: metrics - protocol: TCP - env: - - name: OPERATOR_IMAGE - value: 
ghcr.io/ot-container-kit/redis-operator/redis-operator:v0.21.0 - - name: ENABLE_WEBHOOKS - value: "false" - - name: FEATURE_GATES - value: "GenerateConfigInInitContainer=false" - resources: - limits: - cpu: 500m - memory: 500Mi - requests: - cpu: 50m - memory: 128Mi - serviceAccountName: "redis-operator" - serviceAccount: "redis-operator" diff --git a/clusters/cl01tl/manifests/reloader/reloader.yaml b/clusters/cl01tl/manifests/reloader/reloader.yaml deleted file mode 100644 index fbb59ea4f..000000000 --- a/clusters/cl01tl/manifests/reloader/reloader.yaml +++ /dev/null 
@@ -1,303 +0,0 @@ ---- -# Source: reloader/charts/reloader/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - meta.helm.sh/release-namespace: "reloader" - meta.helm.sh/release-name: "reloader" - labels: - app: reloader-reloader - release: "reloader" - app.kubernetes.io/name: reloader - app.kubernetes.io/instance: "reloader" - helm.sh/chart: "reloader-2.2.5" - chart: "reloader-2.2.5" - heritage: "Helm" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/version: "v1.4.10" - name: reloader-reloader - namespace: reloader ---- -# Source: reloader/charts/reloader/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 - -kind: ClusterRole -metadata: - annotations: - meta.helm.sh/release-namespace: "reloader" - meta.helm.sh/release-name: "reloader" - labels: - app: reloader-reloader - release: "reloader" - app.kubernetes.io/name: reloader - app.kubernetes.io/instance: "reloader" - helm.sh/chart: "reloader-2.2.5" - chart: "reloader-2.2.5" - heritage: "Helm" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/version: "v1.4.10" - name: reloader-reloader-role -rules: - - apiGroups: - - "" - resources: - - secrets - - configmaps - verbs: - - list - - get - - watch - - apiGroups: - - "apps" - resources: - - deployments - - daemonsets - - statefulsets - verbs: - - list - - get - - update - - patch - - apiGroups: - - "batch" - resources: - - cronjobs - verbs: - - list - - get - - apiGroups: - - "batch" - resources: - - jobs - verbs: - - create - - delete - - list - - get - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -# Source: reloader/charts/reloader/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 - -kind: ClusterRoleBinding -metadata: - annotations: - meta.helm.sh/release-namespace: "reloader" - meta.helm.sh/release-name: "reloader" - labels: - app: reloader-reloader - release: "reloader" - app.kubernetes.io/name: reloader - 
app.kubernetes.io/instance: "reloader" - helm.sh/chart: "reloader-2.2.5" - chart: "reloader-2.2.5" - heritage: "Helm" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/version: "v1.4.10" - name: reloader-reloader-role-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: reloader-reloader-role -subjects: - - kind: ServiceAccount - name: reloader-reloader - namespace: reloader ---- -# Source: reloader/charts/reloader/templates/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - meta.helm.sh/release-namespace: "reloader" - meta.helm.sh/release-name: "reloader" - labels: - app: reloader-reloader - release: "reloader" - app.kubernetes.io/name: reloader - app.kubernetes.io/instance: "reloader" - helm.sh/chart: "reloader-2.2.5" - chart: "reloader-2.2.5" - heritage: "Helm" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/version: "v1.4.10" - name: reloader-reloader-metadata-role - namespace: reloader -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - list - - get - - watch - - create - - update ---- -# Source: reloader/charts/reloader/templates/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: - meta.helm.sh/release-namespace: "reloader" - meta.helm.sh/release-name: "reloader" - labels: - app: reloader-reloader - release: "reloader" - app.kubernetes.io/name: reloader - app.kubernetes.io/instance: "reloader" - helm.sh/chart: "reloader-2.2.5" - chart: "reloader-2.2.5" - heritage: "Helm" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/version: "v1.4.10" - name: reloader-reloader-metadata-role-binding - namespace: reloader -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: reloader-reloader-metadata-role -subjects: - - kind: ServiceAccount - name: reloader-reloader - namespace: reloader ---- -# Source: reloader/charts/reloader/templates/deployment.yaml -apiVersion: apps/v1 -kind: 
Deployment -metadata: - annotations: - meta.helm.sh/release-namespace: "reloader" - meta.helm.sh/release-name: "reloader" - labels: - app: reloader-reloader - release: "reloader" - app.kubernetes.io/name: reloader - app.kubernetes.io/instance: "reloader" - helm.sh/chart: "reloader-2.2.5" - chart: "reloader-2.2.5" - heritage: "Helm" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/version: "v1.4.10" - group: com.stakater.platform - provider: stakater - version: v1.4.10 - name: reloader-reloader - namespace: reloader -spec: - replicas: 1 - revisionHistoryLimit: 2 - selector: - matchLabels: - app: reloader-reloader - release: "reloader" - template: - metadata: - labels: - app: reloader-reloader - release: "reloader" - app.kubernetes.io/name: reloader - app.kubernetes.io/instance: "reloader" - helm.sh/chart: "reloader-2.2.5" - chart: "reloader-2.2.5" - heritage: "Helm" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/version: "v1.4.10" - group: com.stakater.platform - provider: stakater - version: v1.4.10 - spec: - containers: - - image: "ghcr.io/stakater/reloader:v1.4.10" - imagePullPolicy: IfNotPresent - name: reloader-reloader - env: - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: '1' - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: '1' - - - name: RELOADER_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - - name: RELOADER_DEPLOYMENT_NAME - value: reloader-reloader - ports: - - name: http - containerPort: 9090 - livenessProbe: - httpGet: - path: /live - port: http - timeoutSeconds: 5 - failureThreshold: 5 - periodSeconds: 10 - successThreshold: 1 - initialDelaySeconds: 10 - readinessProbe: - httpGet: - path: /metrics - port: http - timeoutSeconds: 5 - failureThreshold: 5 - periodSeconds: 10 - successThreshold: 1 - initialDelaySeconds: 10 - - securityContext: - {} - args: - - "--log-level=info" - securityContext: - runAsNonRoot: true - runAsUser: 
65534 - seccompProfile: - type: RuntimeDefault - serviceAccountName: reloader-reloader ---- -# Source: reloader/charts/reloader/templates/podmonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - labels: - app: reloader-reloader - release: "reloader" - app.kubernetes.io/name: reloader - app.kubernetes.io/instance: "reloader" - helm.sh/chart: "reloader-2.2.5" - chart: "reloader-2.2.5" - heritage: "Helm" - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/version: "v1.4.10" - name: reloader-reloader - namespace: reloader -spec: - podMetricsEndpoints: - - port: http - path: "/metrics" - honorLabels: true - jobLabel: reloader-reloader - namespaceSelector: - matchNames: - - reloader - selector: - matchLabels: - - app: reloader-reloader - release: "reloader" diff --git a/clusters/cl01tl/manifests/rook-ceph/rook-ceph.yaml b/clusters/cl01tl/manifests/rook-ceph/rook-ceph.yaml deleted file mode 100644 index 81626014d..000000000 --- a/clusters/cl01tl/manifests/rook-ceph/rook-ceph.yaml +++ /dev/null 
@@ -1,50315 +0,0 @@ ---- -# Source: rook-ceph/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: rook-ceph - labels: - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/part-of: rook-ceph - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ceph-csi-cephfs-ctrlplugin-sa - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm - annotations: - {} ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ceph-csi-cephfs-nodeplugin-sa - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm - annotations: - {} ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ceph-csi-controller-manager - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm - annotations: - {} ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ceph-csi-nfs-ctrlplugin-sa - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm 
- annotations: - {} ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ceph-csi-nfs-nodeplugin-sa - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm - annotations: - {} ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ceph-csi-rbd-ctrlplugin-sa - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm - annotations: - {} ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ceph-csi-rbd-nodeplugin-sa - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm - annotations: - {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Service account for Ceph OSDs -kind: ServiceAccount -apiVersion: v1 -metadata: - name: rook-ceph-osd - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -# imagePullSecrets: -# - name: my-registry-secret ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Service account for Ceph mgrs -kind: ServiceAccount -apiVersion: v1 -metadata: - name: rook-ceph-mgr - 
namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -# imagePullSecrets: -# - name: my-registry-secret ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Service account for the job that reports the Ceph version in an image -kind: ServiceAccount -apiVersion: v1 -metadata: - name: rook-ceph-cmd-reporter - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -# imagePullSecrets: -# - name: my-registry-secret ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Service account for job that purges OSDs from a Rook-Ceph cluster -kind: ServiceAccount -apiVersion: v1 -metadata: - name: rook-ceph-purge-osd - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -# imagePullSecrets: -# - name: my-registry-secret ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Service account for RGW server -kind: ServiceAccount -apiVersion: v1 -metadata: - name: rook-ceph-rgw - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - 
app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -# imagePullSecrets: -# - name: my-registry-secret ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Service account for other components -kind: ServiceAccount -apiVersion: v1 -metadata: - name: rook-ceph-default - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -# imagePullSecrets: -# - name: my-registry-secret ---- -# Source: rook-ceph/charts/rook-ceph/templates/serviceaccount.yaml -# Service account for the Rook-Ceph operator -kind: ServiceAccount -apiVersion: v1 -metadata: - name: rook-ceph-system - namespace: rook-ceph # namespace:operator - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -# imagePullSecrets: -# - name: my-registry-secret ---- -# Source: rook-ceph/charts/rook-ceph/templates/serviceaccount.yaml -# Service account for the CephFS CSI driver -kind: ServiceAccount -apiVersion: v1 -metadata: - name: rook-csi-cephfs-plugin-sa - namespace: rook-ceph # namespace:operator - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -# imagePullSecrets: -# - name: my-registry-secret ---- -# Source: rook-ceph/charts/rook-ceph/templates/serviceaccount.yaml -# Service account for the CephFS CSI provisioner -kind: ServiceAccount -apiVersion: v1 -metadata: - name: rook-csi-cephfs-provisioner-sa - namespace: rook-ceph # namespace:operator - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -# imagePullSecrets: -# - name: my-registry-secret ---- -# Source: rook-ceph/charts/rook-ceph/templates/serviceaccount.yaml -# Service account for the RBD CSI driver -kind: ServiceAccount -apiVersion: v1 -metadata: - name: rook-csi-rbd-plugin-sa - namespace: rook-ceph # namespace:operator - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -# imagePullSecrets: -# - name: my-registry-secret ---- -# Source: rook-ceph/charts/rook-ceph/templates/serviceaccount.yaml -# Service account for the RBD CSI provisioner -kind: ServiceAccount -apiVersion: v1 -metadata: - name: rook-csi-rbd-provisioner-sa - namespace: rook-ceph # namespace:operator - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -# imagePullSecrets: -# - name: my-registry-secret ---- -# 
Source: rook-ceph/charts/rook-ceph/templates/serviceaccount.yaml -# Service account for Ceph COSI driver -kind: ServiceAccount -apiVersion: v1 -metadata: - name: objectstorage-provisioner - namespace: rook-ceph # namespace:operator - labels: - app.kubernetes.io/part-of: container-object-storage-interface - app.kubernetes.io/component: driver-ceph - app.kubernetes.io/name: cosi-driver-ceph -# imagePullSecrets: -# - name: my-registry-secret ---- -# Source: rook-ceph/charts/rook-ceph/templates/configmap.yaml -# Operator settings that can be updated without an operator restart -# Operator settings that require an operator restart are found in the operator env vars -kind: ConfigMap -apiVersion: v1 -metadata: - name: rook-ceph-operator-config - namespace: rook-ceph # namespace:operator - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -data: - ROOK_LOG_LEVEL: "INFO" - ROOK_CEPH_COMMANDS_TIMEOUT_SECONDS: "15" - ROOK_OBC_WATCH_OPERATOR_NAMESPACE: "true" - ROOK_OBC_ALLOW_ADDITIONAL_CONFIG_FIELDS: "maxObjects,maxSize" - ROOK_CEPH_ALLOW_LOOP_DEVICES: "false" - ROOK_ENABLE_DISCOVERY_DAEMON: "true" - ROOK_USE_CSI_OPERATOR: "true" - ROOK_CSI_ENABLE_RBD: "true" - ROOK_CSI_ENABLE_CEPHFS: "true" - ROOK_CSI_DISABLE_DRIVER: "false" - CSI_ENABLE_CEPHFS_SNAPSHOTTER: "true" - CSI_ENABLE_NFS_SNAPSHOTTER: "true" - CSI_ENABLE_RBD_SNAPSHOTTER: "true" - CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false" - CSI_ENABLE_ENCRYPTION: "false" - CSI_ENABLE_OMAP_GENERATOR: "false" - CSI_ENABLE_HOST_NETWORK: "true" - CSI_ENABLE_METADATA: "true" - CSI_ENABLE_VOLUME_GROUP_SNAPSHOT: "true" - CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical" - CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical" - CSI_RBD_FSGROUPPOLICY: "File" - 
CSI_CEPHFS_FSGROUPPOLICY: "File" - CSI_NFS_FSGROUPPOLICY: "File" - CSI_CEPHFS_KERNEL_MOUNT_OPTIONS: "ms_mode=secure" - ROOK_CSI_CEPH_IMAGE: "quay.io/cephcsi/cephcsi:v3.15.0" - ROOK_CSI_REGISTRAR_IMAGE: "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.13.0" - ROOK_CSI_PROVISIONER_IMAGE: "registry.k8s.io/sig-storage/csi-provisioner:v5.2.0" - ROOK_CSI_SNAPSHOTTER_IMAGE: "registry.k8s.io/sig-storage/csi-snapshotter:v8.2.1" - ROOK_CSI_ATTACHER_IMAGE: "registry.k8s.io/sig-storage/csi-attacher:v4.8.1" - ROOK_CSI_RESIZER_IMAGE: "registry.k8s.io/sig-storage/csi-resizer:v1.13.2" - ROOK_CSI_IMAGE_PULL_POLICY: "IfNotPresent" - CSI_ENABLE_CSIADDONS: "false" - ROOK_CSIADDONS_IMAGE: "quay.io/csiaddons/k8s-sidecar:v0.13.0" - CSI_ENABLE_CROSS_NAMESPACE_VOLUME_DATA_SOURCE: "false" - CSI_ENABLE_TOPOLOGY: "false" - ROOK_CSI_ENABLE_NFS: "false" - CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true" - CSI_GRPC_TIMEOUT_SECONDS: "150" - CSI_PROVISIONER_REPLICAS: "3" - CSI_RBD_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n- name : csi-resizer\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n- name : csi-attacher\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n- name : csi-snapshotter\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n- name : csi-rbdplugin\n resource:\n requests:\n memory: 512Mi\n limits:\n memory: 1Gi\n- name : csi-omap-generator\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n" - CSI_RBD_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n- name : csi-rbdplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n 
cpu: 50m\n limits:\n memory: 256Mi\n" - CSI_CEPHFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n- name : csi-resizer\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n- name : csi-attacher\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n- name : csi-snapshotter\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n" - CSI_CEPHFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n" - CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n- name : csi-attacher\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n" - CSI_NFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n" - CSI_CEPHFS_ATTACH_REQUIRED: "true" - CSI_RBD_ATTACH_REQUIRED: "true" - CSI_NFS_ATTACH_REQUIRED: "true" ---- -# Source: rook-ceph/charts/rook-ceph-cluster/templates/cephblockpool.yaml -kind: StorageClass -apiVersion: storage.k8s.io/v1 -metadata: - name: "ceph-block" - annotations: - storageclass.kubernetes.io/is-default-class: "true" -provisioner: rook-ceph.rbd.csi.ceph.com 
-parameters: - pool: "ceph-blockpool" - clusterID: "rook-ceph" - csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner - csi.storage.k8s.io/controller-expand-secret-namespace: 'rook-ceph' - csi.storage.k8s.io/fstype: ext4 - csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node - csi.storage.k8s.io/node-stage-secret-namespace: 'rook-ceph' - csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner - csi.storage.k8s.io/provisioner-secret-namespace: 'rook-ceph' - imageFeatures: layering,exclusive-lock,object-map,fast-diff - imageFormat: "2" -reclaimPolicy: Delete -allowVolumeExpansion: true -volumeBindingMode: Immediate ---- -# Source: rook-ceph/charts/rook-ceph-cluster/templates/cephfilesystem.yaml -kind: StorageClass -apiVersion: storage.k8s.io/v1 -metadata: - name: ceph-filesystem - annotations: - storageclass.kubernetes.io/is-default-class: "false" -provisioner: rook-ceph.cephfs.csi.ceph.com -parameters: - fsName: ceph-filesystem - pool: ceph-filesystem-data0 - clusterID: rook-ceph - csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner - csi.storage.k8s.io/controller-expand-secret-namespace: 'rook-ceph' - csi.storage.k8s.io/fstype: ext4 - csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node - csi.storage.k8s.io/node-stage-secret-namespace: 'rook-ceph' - csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner - csi.storage.k8s.io/provisioner-secret-namespace: 'rook-ceph' -reclaimPolicy: Delete -allowVolumeExpansion: true -volumeBindingMode: Immediate ---- -# Source: rook-ceph/charts/rook-ceph-cluster/templates/cephobjectstore.yaml -kind: StorageClass -apiVersion: storage.k8s.io/v1 -metadata: - name: ceph-bucket -provisioner: rook-ceph.ceph.rook.io/bucket -reclaimPolicy: Delete -volumeBindingMode: Immediate -parameters: - objectStoreName: ceph-objectstore - objectStoreNamespace: rook-ceph - region: us-east-1 ---- -# Source: 
rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/cephconnection-crd.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: cephconnections.csi.ceph.io - annotations: - controller-gen.kubebuilder.io/version: v0.17.2 - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -spec: - group: csi.ceph.io - names: - kind: CephConnection - listKind: CephConnectionList - plural: cephconnections - singular: cephconnection - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: CephConnection is the Schema for the cephconnections API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: CephConnectionSpec defines the desired state of CephConnection - properties: - monitors: - items: - type: string - minItems: 1 - type: array - rbdMirrorDaemonCount: - minimum: 1 - type: integer - readAffinity: - description: ReadAffinitySpec capture Ceph CSI read affinity settings - properties: - crushLocationLabels: - items: - type: string - minItems: 1 - type: array - required: - - crushLocationLabels - type: object - required: - - monitors - type: object - status: - description: CephConnectionStatus defines the observed state of CephConnection - type: object - type: object - served: true - storage: true - subresources: - status: {} - - deprecated: true - deprecationWarning: v1alpha1 is deprecated, please use v1 - name: v1alpha1 - schema: - openAPIV3Schema: - description: CephConnection is the Schema for the cephconnections API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: CephConnectionSpec defines the desired state of CephConnection - properties: - monitors: - items: - type: string - minItems: 1 - type: array - rbdMirrorDaemonCount: - minimum: 1 - type: integer - readAffinity: - description: ReadAffinitySpec capture Ceph CSI read affinity settings - properties: - crushLocationLabels: - items: - type: string - minItems: 1 - type: array - required: - - crushLocationLabels - type: object - required: - - monitors - type: object - status: - description: CephConnectionStatus defines the observed state of CephConnection - type: object - type: object - served: true - storage: false - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/clientprofile-crd.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clientprofiles.csi.ceph.io - annotations: - controller-gen.kubebuilder.io/version: v0.17.2 - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -spec: - group: csi.ceph.io - names: - kind: ClientProfile - listKind: ClientProfileList - plural: clientprofiles - singular: clientprofile - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: ClientProfile is the Schema for the clientprofiles API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - ClientProfileSpec defines the desired state of Ceph CSI - configuration for volumes and snapshots configured to use - this profile - properties: - cephConnectionRef: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: '''.name'' cannot be empty' - rule: self.name != "" - cephFs: - description: CephFsConfigSpec defines the desired CephFs configuration - properties: - cephCsiSecrets: - description: |- - CephCsiSecretsSpec defines the secrets used by the client profile - to access the Ceph cluster and perform operations - on volumes. - properties: - controllerPublishSecret: - description: |- - SecretReference represents a Secret Reference. It has enough information to retrieve secret - in any namespace - properties: - name: - description: name is unique within a namespace to reference - a secret resource. - type: string - namespace: - description: namespace defines the space within which the - secret name must be unique. 
- type: string - type: object - x-kubernetes-map-type: atomic - type: object - fuseMountOptions: - additionalProperties: - type: string - type: object - kernelMountOptions: - additionalProperties: - type: string - type: object - radosNamespace: - type: string - x-kubernetes-validations: - - message: field is immutable - rule: self == oldSelf - subVolumeGroup: - type: string - type: object - nfs: - description: NfsConfigSpec cdefines the desired NFS configuration - type: object - rbd: - description: RbdConfigSpec defines the desired RBD configuration - properties: - cephCsiSecrets: - description: |- - CephCsiSecretsSpec defines the secrets used by the client profile - to access the Ceph cluster and perform operations - on volumes. - properties: - controllerPublishSecret: - description: |- - SecretReference represents a Secret Reference. It has enough information to retrieve secret - in any namespace - properties: - name: - description: name is unique within a namespace to reference - a secret resource. - type: string - namespace: - description: namespace defines the space within which the - secret name must be unique. - type: string - type: object - x-kubernetes-map-type: atomic - type: object - radosNamespace: - type: string - x-kubernetes-validations: - - message: field is immutable - rule: self == oldSelf - type: object - required: - - cephConnectionRef - type: object - status: - description: |- - ClientProfileStatus defines the observed state of Ceph CSI - configuration for volumes and snapshots configured to use - this profile - type: object - type: object - served: true - storage: true - subresources: - status: {} - - deprecated: true - deprecationWarning: v1alpha1 is deprecated, please use v1 - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClientProfile is the Schema for the clientprofiles API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. 
- Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - ClientProfileSpec defines the desired state of Ceph CSI - configuration for volumes and snapshots configured to use - this profile - properties: - cephConnectionRef: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: '''.name'' cannot be empty' - rule: self.name != "" - cephFs: - description: CephFsConfigSpec defines the desired CephFs configuration - properties: - fuseMountOptions: - additionalProperties: - type: string - type: object - kernelMountOptions: - additionalProperties: - type: string - type: object - radosNamespace: - type: string - x-kubernetes-validations: - - message: field is immutable - rule: self == oldSelf - subVolumeGroup: - type: string - type: object - nfs: - description: NfsConfigSpec cdefines the desired NFS configuration - type: object - rbd: - description: RbdConfigSpec defines the desired RBD configuration - properties: - radosNamespace: - type: string - x-kubernetes-validations: - - message: field is immutable - rule: self == oldSelf - type: object - required: - - cephConnectionRef - type: object - status: - description: |- - ClientProfileStatus defines the observed state of Ceph CSI - configuration for volumes and snapshots configured to use - this profile - type: object - type: object - served: true - storage: false - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/clientprofilemapping-crd.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clientprofilemappings.csi.ceph.io - annotations: - controller-gen.kubebuilder.io/version: v0.17.2 - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -spec: - group: csi.ceph.io - names: - kind: ClientProfileMapping - listKind: ClientProfileMappingList - plural: clientprofilemappings - 
singular: clientprofilemapping - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: ClientProfileMapping is the Schema for the clientprofilemappings - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClientProfileMappingSpec defines the desired state of ClientProfileMapping - properties: - mappings: - items: - description: MappingsSpec define a mapping between a local and remote - profiles - properties: - blockPoolIdMapping: - items: - items: - type: string - maxItems: 2 - minItems: 2 - type: array - type: array - localClientProfile: - type: string - remoteClientProfile: - type: string - required: - - localClientProfile - - remoteClientProfile - type: object - type: array - required: - - mappings - type: object - status: - description: ClientProfileMappingStatus defines the observed state of ClientProfileMapping - type: object - type: object - served: true - storage: true - subresources: - status: {} - - deprecated: true - deprecationWarning: v1alpha1 is deprecated, please use v1 - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClientProfileMapping is the Schema for the clientprofilemappings - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. 
- Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClientProfileMappingSpec defines the desired state of ClientProfileMapping - properties: - mappings: - items: - description: MappingsSpec define a mapping between a local and remote - profiles - properties: - blockPoolIdMapping: - items: - items: - type: string - maxItems: 2 - minItems: 2 - type: array - type: array - localClientProfile: - type: string - remoteClientProfile: - type: string - required: - - localClientProfile - - remoteClientProfile - type: object - type: array - required: - - mappings - type: object - status: - description: ClientProfileMappingStatus defines the observed state of ClientProfileMapping - type: object - type: object - served: true - storage: false - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/driver-crd.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: drivers.csi.ceph.io - annotations: - controller-gen.kubebuilder.io/version: v0.17.2 - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -spec: - group: csi.ceph.io - names: - kind: Driver - listKind: DriverList - plural: drivers - 
singular: driver - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: Driver is the Schema for the drivers API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: DriverSpec defines the desired state of Driver - properties: - attachRequired: - description: |- - Whether to skip any attach operation altogether for CephCsi PVCs. - See more details [here](https://kubernetes-csi.github.io/docs/skip-attach.html#skip-attach-with-csi-driver-object). - If set to false it skips the volume attachments and makes the creation of pods using the CephCsi PVC fast. - **WARNING** It's highly discouraged to use this for RWO volumes. for RBD PVC it can cause data corruption, - csi-addons operations like Reclaimspace and PVC Keyrotation will also not be supported if set to false - since we'll have no VolumeAttachments to determine which node the PVC is mounted on. - Refer to this [issue](https://github.com/kubernetes/kubernetes/issues/103305) for more details. - type: boolean - cephFsClientType: - description: |- - Select between between cephfs kernel driver and ceph-fuse - If you select a non-kernel client, your application may be disrupted during upgrade. - See the upgrade guide: https://rook.io/docs/rook/latest/ceph-upgrade.html - NOTE! 
cephfs quota is not supported in kernel version < 4.17 - enum: - - autodetect - - kernel - type: string - clusterName: - description: |- - Cluster name identifier to set as metadata on the CephFS subvolume and RBD images. This will be useful in cases - when two container orchestrator clusters (Kubernetes/OCP) are using a single ceph cluster. - type: string - controllerPlugin: - description: Driver's controller plugin configuration - properties: - affinity: - description: Pod's affinity settings - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the - pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with - the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. 
- type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding - nodeSelectorTerm, in the range 1-100. 
- format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate - this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. 
The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. - avoid putting this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. 
- type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - annotations: - additionalProperties: - type: string - description: Pod's annotations - type: object - deploymentStrategy: - description: |- - DeploymentStrategy describes how to replace existing pods with new ones - Default value is RollingUpdate with MaxUnavailable and MaxSurege as 25% (kubernetes default) - properties: - rollingUpdate: - description: |- - Rolling update config params. Present only if DeploymentStrategyType = - RollingUpdate. - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be scheduled above the desired number of - pods. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up. - Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when - the rolling update starts, such that the total number of old and new pods do not exceed - 130% of desired pods. Once old pods have been killed, - new ReplicaSet can be scaled up further, ensuring that total number of pods running - at any time during the update is at most 130% of desired pods. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding down. - This can not be 0 if MaxSurge is 0. - Defaults to 25%. - Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods - immediately when the rolling update starts. 
Once new pods are ready, old ReplicaSet - can be scaled down further, followed by scaling up the new ReplicaSet, ensuring - that the total number of pods available at all times during the update is at - least 70% of desired pods. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of deployment. Can be "Recreate" or "RollingUpdate". - Default is RollingUpdate. - type: string - type: object - hostNetwork: - description: hostNetwork setting to be propagated to CSI controller - plugin pods - type: boolean - imagePullPolicy: - description: To indicate the image pull policy to be applied to - all the containers in the csi driver pods. - type: string - labels: - additionalProperties: - type: string - description: Pod's labels - type: object - priorityClassName: - description: Pod's user defined priority class name - type: string - privileged: - description: |- - To enable logrotation for csi pods, - Some platforms require controller plugin to run privileged, - For example, OpenShift with SELinux restrictions requires the pod to be privileged to write to hostPath. - type: boolean - replicas: - description: Set replicas for controller plugin's deployment. Defaults - to 2 - format: int32 - minimum: 1 - type: integer - resources: - description: Resource requirements for controller plugin's containers - properties: - addons: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. 
It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - attacher: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
- properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - liveness: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. 
- items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - logRotator: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. 
- - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - omapGenerator: - description: ResourceRequirements describes the compute resource - requirements. 
- properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - plugin: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - provisioner: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - resizer: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - snapshotter: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. 
- If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - type: object - serviceAccountName: - description: Service account name to be used for driver's pods - type: string - tolerations: - description: Pod's tolerations list - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. 
- If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - volumes: - description: Volume and volume mount definitions to attach to the - pod - items: - properties: - mount: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. 
- type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - volume: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree - awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: |- - azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. - Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type - are redirected to the disk.csi.azure.com CSI driver. - properties: - cachingMode: - description: 'cachingMode is the Host Caching mode: - None, Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data disk - in the blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in the - blob storage - type: string - fsType: - default: ext4 - description: |- - fsType is Filesystem type to mount. 
- Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: multiple - blob disks per storage account Dedicated: single - blob disk per storage account Managed: azure managed - data disk (only in managed availability set). defaults - to shared' - type: string - readOnly: - default: false - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: |- - azureFile represents an Azure File Service mount on the host and bind mount to the pod. - Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type - are redirected to the file.csi.azure.com CSI driver. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: secretName is the name of secret that - contains Azure Storage Account Name and Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: |- - cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. - Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - path: - description: 'path is Optional: Used as the mounted - root, rather than the full Ceph tree, default is - /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). 
ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - Deprecated: Cinder is deprecated. All operations for the in-tree cinder type - are redirected to the cinder.csi.openstack.org CSI driver. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. 
- More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that should - populate this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' 
path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers. - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". 
- If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. - type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about - the pod that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents information - to create the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects a field of the - pod: only annotations, labels, name, namespace - and uid are supported.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' path. - Must be utf-8 encoded. The first item of the - relative path must not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: required for - volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. 
- The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. 
- - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. 
- type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. 
- If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over - volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource that - is attached to a kubelet's host machine and then exposed - to the pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). 
ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target worldwide - names (WWNs)' - items: - type: string - type: array - x-kubernetes-list-type: atomic - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. - properties: - driver: - description: driver is the name of the driver to use - for this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. - type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field holds - extra command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: |- - flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. - Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. - This is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree - gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the specified - revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. - Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - properties: - endpoints: - description: endpoints is the endpoint name that details - Glusterfs topology. - type: string - path: - description: |- - path is the Glusterfs volume path. 
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - image: - description: |- - image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. - The volume is resolved at pod startup depending on which PullPolicy value is provided: - - - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - - The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. 
- A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. - The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. - The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. - The volume will be mounted read-only (ro) and non-executable files (noexec). - Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. - The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. - properties: - pullPolicy: - description: |- - Policy for pulling OCI objects. Possible values are: - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - type: string - reference: - description: |- - Required: Image or artifact reference to be used. - Behaves in the same way as pod.spec.containers[*].image. - Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. 
- More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether support - iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support - iSCSI Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified Name. - type: string - iscsiInterface: - default: default - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for iSCSI - target and initiator authentication - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: |- - photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. - Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon - Controller persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: |- - portworxVolume represents a portworx volume attached and mounted on kubelets host machine. - Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type - are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate - is on. - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". 
Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources - secrets, configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: |- - sources is the list of volume projections. Each entry in this list - handles one source. - items: - description: |- - Projection that may be projected along with other supported volume types. - Exactly one of these fields must be set. - properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. 
- properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. 
If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the volume - root to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about the - configMap data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path - within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. 
- May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the - ConfigMap or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about the - downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a - field of the pod: only annotations, - labels, name, namespace and uid - are supported.' - properties: - apiVersion: - description: Version of the schema - the FieldPath is written in - terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified API - version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file to - be created. Must not be absolute - or contain the ''..'' path. Must - be utf-8 encoded. The first item - of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podCertificate: - description: |- - Projects an auto-rotating credential bundle (private key and certificate - chain) that the pod can use either as a TLS client or server. - - Kubelet generates a private key and uses it to send a - PodCertificateRequest to the named signer. Once the signer approves the - request and issues a certificate chain, Kubelet writes the key and - certificate chain to the pod filesystem. The pod does not start until - certificates have been issued for each podCertificate projected volume - source in its spec. - - Kubelet will begin trying to rotate the certificate at the time indicated - by the signer using the PodCertificateRequest.Status.BeginRefreshAt - timestamp. 
- - Kubelet can write a single file, indicated by the credentialBundlePath - field, or separate files, indicated by the keyPath and - certificateChainPath fields. - - The credential bundle is a single file in PEM format. The first PEM - entry is the private key (in PKCS#8 format), and the remaining PEM - entries are the certificate chain issued by the signer (typically, - signers will return their certificate chain in leaf-to-root order). - - Prefer using the credential bundle format, since your application code - can read it atomically. If you use keyPath and certificateChainPath, - your application must make two separate file reads. If these coincide - with a certificate rotation, it is possible that the private key and leaf - certificate you read may not correspond to each other. Your application - will need to check for this condition, and re-read until they are - consistent. - - The named signer controls chooses the format of the certificate it - issues; consult the signer implementation's documentation to learn how to - use the certificates it issues. - properties: - certificateChainPath: - description: |- - Write the certificate chain at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - credentialBundlePath: - description: |- - Write the credential bundle at this path in the projected volume. - - The credential bundle is a single file that contains multiple PEM blocks. - The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private - key. - - The remaining blocks are CERTIFICATE blocks, containing the issued - certificate chain from the signer (leaf and any intermediates). 
- - Using credentialBundlePath lets your Pod's application code make a single - atomic read that retrieves a consistent key and certificate chain. If you - project them to separate files, your application code will need to - additionally check that the leaf certificate was issued to the key. - type: string - keyPath: - description: |- - Write the key at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - keyType: - description: |- - The type of keypair Kubelet will generate for the pod. - - Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", - "ECDSAP521", and "ED25519". - type: string - maxExpirationSeconds: - description: |- - maxExpirationSeconds is the maximum lifetime permitted for the - certificate. - - Kubelet copies this value verbatim into the PodCertificateRequests it - generates for this projection. - - If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver - will reject values shorter than 3600 (1 hour). The maximum allowable - value is 7862400 (91 days). - - The signer implementation is then free to issue a certificate with any - lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 - seconds (1 hour). This constraint is enforced by kube-apiserver. - `kubernetes.io` signers will never issue certificates with a lifetime - longer than 24 hours. - format: int32 - type: integer - signerName: - description: Kubelet's generated CSRs will - be addressed to this signer. 
- type: string - required: - - keyType - - signerName - type: object - secret: - description: secret information about the secret - data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path - within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify whether - the Secret or its key must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information - about the serviceAccountToken data to project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - quobyte: - description: |- - quobyte represents a Quobyte mount on the host that shares a pod's lifetime. - Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. 
- type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references an - already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. - Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - default: /etc/ceph/keyring - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - pool: - default: rbd - description: |- - pool is the rados pool name. - Default is rbd. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - default: admin - description: |- - user is the rados user name. - Default is admin. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: |- - scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. - Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. - properties: - fsType: - default: xfs - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the ScaleIO - API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the ScaleIO - Protection Domain for the configured storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. 
- type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL communication - with Gateway, default false - type: boolean - storageMode: - default: ThinProvisioned - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage Pool - associated with the protection domain. - type: string - system: - description: system is the name of the storage system - as configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret - or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: |- - storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. - Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. 
- type: string - type: object - vsphereVolume: - description: |- - vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. - Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type - are redirected to the csi.vsphere.vmware.com CSI driver. - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy - Based Management (SPBM) profile ID associated with - the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage Policy - Based Management (SPBM) profile name. - type: string - volumePath: - description: volumePath is the path that identifies - vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: object - type: array - type: object - deployCsiAddons: - description: a list of additional sidecars? - type: boolean - enableFencing: - description: |- - Set to true to enable fencing for the driver. - Fencing is a feature that allows the driver to fence a node when it is tainted with node.kubernetes.io/out-of-service. - type: boolean - enableMetadata: - description: |- - Set to true to enable adding volume metadata on the CephFS subvolumes and RBD images. - Not all users might be interested in getting volume/snapshot details as metadata on CephFS subvolume and RBD images. - Hence enable metadata is false by default. - type: boolean - encryption: - description: Driver's encryption settings - properties: - configMapName: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: '''.name'' cannot be empty' - rule: self.name != "" - required: - - configMapName - type: object - fsGroupPolicy: - description: |- - Policy for modifying a volume's ownership or permissions when the PVC is being mounted. - supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html - type: string - fuseMountOptions: - additionalProperties: - type: string - description: Set mount options to use when using the Fuse client - type: object - generateOMapInfo: - description: |- - OMAP generator will generate the omap mapping between the PV name and the RBD image. - Need to be enabled when we are using rbd mirroring feature. - By default OMAP generator sidecar is not deployed with Csi controller plugin pod, to enable - it set it to true. - type: boolean - grpcTimeout: - description: Set the gRPC timeout for gRPC call issued by the driver - components - minimum: 0 - type: integer - imageSet: - description: |- - A reference to a ConfigMap resource holding image overwrite for deployed - containers - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: '''.name'' cannot be empty' - rule: self.name != "" - kernelMountOptions: - additionalProperties: - type: string - description: |- - Set mount options to use https://docs.ceph.com/en/latest/man/8/mount.ceph/#options - Set to "ms_mode=secure" when connections.encrypted is enabled in Ceph - type: object - leaderElection: - description: Leader election setting - properties: - leaseDuration: - description: |- - Duration in seconds that non-leader candidates will wait to force acquire leadership. - Default to 137 seconds. - minimum: 0 - type: integer - renewDeadline: - description: |- - Deadline in seconds that the acting leader will retry refreshing leadership before giving up. - Defaults to 107 seconds. - minimum: 0 - type: integer - retryPeriod: - description: |- - Retry Period in seconds the LeaderElector clients should wait between tries of actions. - Defaults to 26 seconds. - minimum: 0 - type: integer - type: object - liveness: - description: |- - Liveness metrics configuration. - disabled by default. 
- properties: - metricsPort: - description: Port to expose liveness metrics - maximum: 65535 - minimum: 1024 - type: integer - required: - - metricsPort - type: object - log: - description: Logging configuration for driver's pods - properties: - rotation: - description: log rotation for csi pods - properties: - logHostPath: - description: |- - LogHostPath is the prefix directory path for the csi log files - Default to /var/lib/cephcsi - type: string - maxFiles: - description: |- - MaxFiles is the number of logrtoate files - Default to 7 - type: integer - maxLogSize: - anyOf: - - type: integer - - type: string - description: MaxLogSize is the maximum size of the log file - per csi pods - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - periodicity: - description: Periodicity is the periodicity of the log rotation. - enum: - - hourly - - daily - - weekly - - monthly - type: string - type: object - x-kubernetes-validations: - - message: Either maxLogSize or periodicity must be set - rule: (has(self.maxLogSize)) || (has(self.periodicity)) - verbosity: - description: |- - Log verbosity level for driver pods, - Supported values from 0 to 5. 0 for general useful logs (the default), 5 for trace level verbosity. - Default to 0 - maximum: 5 - minimum: 0 - type: integer - type: object - nodePlugin: - description: Driver's plugin configuration - properties: - affinity: - description: Pod's affinity settings - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the - pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with - the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. 
- properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding - nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate - this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. 
The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. 
due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. - avoid putting this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - annotations: - additionalProperties: - type: string - description: Pod's annotations - type: object - enableSeLinuxHostMount: - description: Control the host mount of /etc/selinux for csi plugin - pods. Defaults to false - type: boolean - imagePullPolicy: - description: To indicate the image pull policy to be applied to - all the containers in the csi driver pods. - type: string - kubeletDirPath: - description: kubelet directory path, if kubelet configured to use - other than /var/lib/kubelet path. - type: string - labels: - additionalProperties: - type: string - description: Pod's labels - type: object - priorityClassName: - description: Pod's user defined priority class name - type: string - resources: - description: Resource requirements for plugin's containers - properties: - addons: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. 
- items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - liveness: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. 
- - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - logRotator: - description: ResourceRequirements describes the compute resource - requirements. 
- properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - plugin: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - registrar: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - type: object - serviceAccountName: - description: Service account name to be used for driver's pods - type: string - tolerations: - description: Pod's tolerations list - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topology: - description: Topology settings for the plugin pods - properties: - domainLabels: - description: Domain labels define which node labels to use as - domains for CSI nodeplugins to advertise their domains - items: - type: string - type: array - required: - - domainLabels - type: object - updateStrategy: - description: |- - Driver's plugin daemonset update strategy, supported values are OnDelete and RollingUpdate. - Default value is RollingUpdate with MaxAvailabile set to 1 - properties: - rollingUpdate: - description: Rolling update config params. Present only if type - = "RollingUpdate". - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of nodes with an existing available DaemonSet pod that - can have an updated DaemonSet pod during during an update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up to a minimum of 1. - Default value is 0. - Example: when this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their a new pod created before the old pod is marked as deleted. - The update starts by launching new pods on 30% of nodes. Once an updated - pod is available (Ready for at least minReadySeconds) the old DaemonSet pod - on that node is marked deleted. 
If the old pod becomes unavailable for any - reason (Ready transitions to false, is evicted, or is drained) an updated - pod is immediately created on that node without considering surge limits. - Allowing surge implies the possibility that the resources consumed by the - daemonset on any given node can double if the readiness check fails, and - so resource intensive daemonsets should take into account that they may - cause evictions during disruption. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of DaemonSet pods that can be unavailable during the - update. Value can be an absolute number (ex: 5) or a percentage of total - number of DaemonSet pods at the start of the update (ex: 10%). Absolute - number is calculated from percentage by rounding up. - This cannot be 0 if MaxSurge is 0 - Default value is 1. - Example: when this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their pods stopped for an update at any given time. The update - starts by stopping at most 30% of those DaemonSet pods and then brings - up new DaemonSet pods in their place. Once the new pods are available, - it then proceeds onto other DaemonSet pods, thus ensuring that at least - 70% of original number of DaemonSet pods are available at all times during - the update. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of daemon set update. Can be "RollingUpdate" - or "OnDelete". Default is RollingUpdate. - type: string - type: object - volumes: - description: Volume and volume mount definitions to attach to the - pod - items: - properties: - mount: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. 
- type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. 
- type: string - required: - - mountPath - - name - type: object - volume: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree - awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: |- - azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. - Deprecated: AzureDisk is deprecated. 
All operations for the in-tree azureDisk type - are redirected to the disk.csi.azure.com CSI driver. - properties: - cachingMode: - description: 'cachingMode is the Host Caching mode: - None, Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data disk - in the blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in the - blob storage - type: string - fsType: - default: ext4 - description: |- - fsType is Filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: multiple - blob disks per storage account Dedicated: single - blob disk per storage account Managed: azure managed - data disk (only in managed availability set). defaults - to shared' - type: string - readOnly: - default: false - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: |- - azureFile represents an Azure File Service mount on the host and bind mount to the pod. - Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type - are redirected to the file.csi.azure.com CSI driver. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: secretName is the name of secret that - contains Azure Storage Account Name and Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: |- - cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. 
- Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - path: - description: 'path is Optional: Used as the mounted - root, rather than the full Ceph tree, default is - /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - Deprecated: Cinder is deprecated. 
All operations for the in-tree cinder type - are redirected to the cinder.csi.openstack.org CSI driver. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that should - populate this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers. - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. 
- type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about - the pod that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents information - to create the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects a field of the - pod: only annotations, labels, name, namespace - and uid are supported.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' path. - Must be utf-8 encoded. The first item of the - relative path must not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required for - volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. 
- The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. - The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. 
Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. 
- When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. 
- * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over - volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. 
- Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource that - is attached to a kubelet's host machine and then exposed - to the pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target worldwide - names (WWNs)' - items: - type: string - type: array - x-kubernetes-list-type: atomic - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. - properties: - driver: - description: driver is the name of the driver to use - for this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
- type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field holds - extra command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: |- - flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. - Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. - This is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: GCEPersistentDisk is deprecated. 
All operations for the in-tree - gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. 
Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the specified - revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. - Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - properties: - endpoints: - description: endpoints is the endpoint name that details - Glusterfs topology. - type: string - path: - description: |- - path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - image: - description: |- - image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. - The volume is resolved at pod startup depending on which PullPolicy value is provided: - - - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - - The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. - A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. - The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. - The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. - The volume will be mounted read-only (ro) and non-executable files (noexec). - Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. - The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. 
- properties: - pullPolicy: - description: |- - Policy for pulling OCI objects. Possible values are: - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - type: string - reference: - description: |- - Required: Image or artifact reference to be used. - Behaves in the same way as pod.spec.containers[*].image. - Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether support - iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support - iSCSI Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified Name. - type: string - iscsiInterface: - default: default - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - x-kubernetes-list-type: atomic - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for iSCSI - target and initiator authentication - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: |- - photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. - Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. 
"ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon - Controller persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: |- - portworxVolume represents a portworx volume attached and mounted on kubelets host machine. - Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type - are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate - is on. - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources - secrets, configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: |- - sources is the list of volume projections. Each entry in this list - handles one source. - items: - description: |- - Projection that may be projected along with other supported volume types. - Exactly one of these fields must be set. 
- properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the volume - root to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about the - configMap data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. 
Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path - within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the - ConfigMap or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about the - downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a - field of the pod: only annotations, - labels, name, namespace and uid - are supported.' 
- properties: - apiVersion: - description: Version of the schema - the FieldPath is written in - terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified API - version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file to - be created. Must not be absolute - or contain the ''..'' path. Must - be utf-8 encoded. The first item - of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podCertificate: - description: |- - Projects an auto-rotating credential bundle (private key and certificate - chain) that the pod can use either as a TLS client or server. - - Kubelet generates a private key and uses it to send a - PodCertificateRequest to the named signer. Once the signer approves the - request and issues a certificate chain, Kubelet writes the key and - certificate chain to the pod filesystem. The pod does not start until - certificates have been issued for each podCertificate projected volume - source in its spec. - - Kubelet will begin trying to rotate the certificate at the time indicated - by the signer using the PodCertificateRequest.Status.BeginRefreshAt - timestamp. - - Kubelet can write a single file, indicated by the credentialBundlePath - field, or separate files, indicated by the keyPath and - certificateChainPath fields. - - The credential bundle is a single file in PEM format. The first PEM - entry is the private key (in PKCS#8 format), and the remaining PEM - entries are the certificate chain issued by the signer (typically, - signers will return their certificate chain in leaf-to-root order). - - Prefer using the credential bundle format, since your application code - can read it atomically. 
If you use keyPath and certificateChainPath, - your application must make two separate file reads. If these coincide - with a certificate rotation, it is possible that the private key and leaf - certificate you read may not correspond to each other. Your application - will need to check for this condition, and re-read until they are - consistent. - - The named signer controls chooses the format of the certificate it - issues; consult the signer implementation's documentation to learn how to - use the certificates it issues. - properties: - certificateChainPath: - description: |- - Write the certificate chain at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - credentialBundlePath: - description: |- - Write the credential bundle at this path in the projected volume. - - The credential bundle is a single file that contains multiple PEM blocks. - The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private - key. - - The remaining blocks are CERTIFICATE blocks, containing the issued - certificate chain from the signer (leaf and any intermediates). - - Using credentialBundlePath lets your Pod's application code make a single - atomic read that retrieves a consistent key and certificate chain. If you - project them to separate files, your application code will need to - additionally check that the leaf certificate was issued to the key. - type: string - keyPath: - description: |- - Write the key at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. 
- type: string - keyType: - description: |- - The type of keypair Kubelet will generate for the pod. - - Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", - "ECDSAP521", and "ED25519". - type: string - maxExpirationSeconds: - description: |- - maxExpirationSeconds is the maximum lifetime permitted for the - certificate. - - Kubelet copies this value verbatim into the PodCertificateRequests it - generates for this projection. - - If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver - will reject values shorter than 3600 (1 hour). The maximum allowable - value is 7862400 (91 days). - - The signer implementation is then free to issue a certificate with any - lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 - seconds (1 hour). This constraint is enforced by kube-apiserver. - `kubernetes.io` signers will never issue certificates with a lifetime - longer than 24 hours. - format: int32 - type: integer - signerName: - description: Kubelet's generated CSRs will - be addressed to this signer. - type: string - required: - - keyType - - signerName - type: object - secret: - description: secret information about the secret - data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path - within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. 
- Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify whether - the Secret or its key must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information - about the serviceAccountToken data to project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. 
The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - quobyte: - description: |- - quobyte represents a Quobyte mount on the host that shares a pod's lifetime. - Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. - type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references an - already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. - Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. 
- Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - default: /etc/ceph/keyring - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - pool: - default: rbd - description: |- - pool is the rados pool name. - Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - default: admin - description: |- - user is the rados user name. - Default is admin. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: |- - scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. - Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. - properties: - fsType: - default: xfs - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the ScaleIO - API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the ScaleIO - Protection Domain for the configured storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL communication - with Gateway, default false - type: boolean - storageMode: - default: ThinProvisioned - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage Pool - associated with the protection domain. 
- type: string - system: - description: system is the name of the storage system - as configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
- YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret - or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: |- - storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. - Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: |- - vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. - Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type - are redirected to the csi.vsphere.vmware.com CSI driver. - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy - Based Management (SPBM) profile ID associated with - the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage Policy - Based Management (SPBM) profile name. 
- type: string - volumePath: - description: volumePath is the path that identifies - vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: object - type: array - type: object - snapshotPolicy: - description: 'Select a policy for snapshot behavior: none, autodetect, - snapshot, sanpshotGroup' - enum: - - none - - volumeGroupSnapshot - - volumeSnapshot - type: string - type: object - status: - description: DriverStatus defines the observed state of Driver - type: object - type: object - x-kubernetes-validations: - - message: '.metadata.name must match: ''[.](rbd|cephfs|nfs).csi.ceph.com''' - rule: self.metadata.name.matches('^(.+\\.)?(rbd|cephfs|nfs)?\\.csi\\.ceph\\.com$') - served: true - storage: true - subresources: - status: {} - - deprecated: true - deprecationWarning: v1alpha1 is deprecated, please use v1 - name: v1alpha1 - schema: - openAPIV3Schema: - description: Driver is the Schema for the drivers API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: DriverSpec defines the desired state of Driver - properties: - attachRequired: - description: |- - Whether to skip any attach operation altogether for CephCsi PVCs. 
- See more details [here](https://kubernetes-csi.github.io/docs/skip-attach.html#skip-attach-with-csi-driver-object). - If set to false it skips the volume attachments and makes the creation of pods using the CephCsi PVC fast. - **WARNING** It's highly discouraged to use this for RWO volumes. for RBD PVC it can cause data corruption, - csi-addons operations like Reclaimspace and PVC Keyrotation will also not be supported if set to false - since we'll have no VolumeAttachments to determine which node the PVC is mounted on. - Refer to this [issue](https://github.com/kubernetes/kubernetes/issues/103305) for more details. - type: boolean - cephFsClientType: - description: |- - Select between between cephfs kernel driver and ceph-fuse - If you select a non-kernel client, your application may be disrupted during upgrade. - See the upgrade guide: https://rook.io/docs/rook/latest/ceph-upgrade.html - NOTE! cephfs quota is not supported in kernel version < 4.17 - enum: - - autodetect - - kernel - type: string - clusterName: - description: |- - Cluster name identifier to set as metadata on the CephFS subvolume and RBD images. This will be useful in cases - when two container orchestrator clusters (Kubernetes/OCP) are using a single ceph cluster. - type: string - controllerPlugin: - description: Driver's controller plugin configuration - properties: - affinity: - description: Pod's affinity settings - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the - pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with - the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. 
- properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding - nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate - this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. 
The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. 
due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. - avoid putting this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - annotations: - additionalProperties: - type: string - description: Pod's annotations - type: object - deploymentStrategy: - description: |- - DeploymentStrategy describes how to replace existing pods with new ones - Default value is RollingUpdate with MaxUnavailable and MaxSurege as 25% (kubernetes default) - properties: - rollingUpdate: - description: |- - Rolling update config params. Present only if DeploymentStrategyType = - RollingUpdate. - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be scheduled above the desired number of - pods. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up. - Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when - the rolling update starts, such that the total number of old and new pods do not exceed - 130% of desired pods. 
Once old pods have been killed, - new ReplicaSet can be scaled up further, ensuring that total number of pods running - at any time during the update is at most 130% of desired pods. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding down. - This can not be 0 if MaxSurge is 0. - Defaults to 25%. - Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods - immediately when the rolling update starts. Once new pods are ready, old ReplicaSet - can be scaled down further, followed by scaling up the new ReplicaSet, ensuring - that the total number of pods available at all times during the update is at - least 70% of desired pods. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of deployment. Can be "Recreate" or "RollingUpdate". - Default is RollingUpdate. - type: string - type: object - hostNetwork: - description: hostNetwork setting to be propagated to CSI controller - plugin pods - type: boolean - imagePullPolicy: - description: To indicate the image pull policy to be applied to - all the containers in the csi driver pods. - type: string - labels: - additionalProperties: - type: string - description: Pod's labels - type: object - priorityClassName: - description: Pod's user defined priority class name - type: string - privileged: - description: |- - To enable logrotation for csi pods, - Some platforms require controller plugin to run privileged, - For example, OpenShift with SELinux restrictions requires the pod to be privileged to write to hostPath. - type: boolean - replicas: - description: Set replicas for controller plugin's deployment. 
Defaults - to 2 - format: int32 - minimum: 1 - type: integer - resources: - description: Resource requirements for controller plugin's containers - properties: - addons: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - attacher: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - liveness: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - logRotator: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. 
- If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - omapGenerator: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. 
- type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - plugin: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
- properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - provisioner: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. 
- items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - resizer: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. 
- - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - snapshotter: - description: ResourceRequirements describes the compute resource - requirements. 
- properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - type: object - serviceAccountName: - description: Service account name to be used for driver's pods - type: string - tolerations: - description: Pod's tolerations list - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - volumes: - description: Volume and volume mount definitions to attach to the - pod - items: - properties: - mount: - description: VolumeMount describes a mounting of a Volume - within a container. 
- properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. 
- Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - volume: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree - awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: |- - azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. - Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type - are redirected to the disk.csi.azure.com CSI driver. - properties: - cachingMode: - description: 'cachingMode is the Host Caching mode: - None, Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data disk - in the blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in the - blob storage - type: string - fsType: - default: ext4 - description: |- - fsType is Filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: multiple - blob disks per storage account Dedicated: single - blob disk per storage account Managed: azure managed - data disk (only in managed availability set). defaults - to shared' - type: string - readOnly: - default: false - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: |- - azureFile represents an Azure File Service mount on the host and bind mount to the pod. - Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type - are redirected to the file.csi.azure.com CSI driver. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. 
- type: boolean - secretName: - description: secretName is the name of secret that - contains Azure Storage Account Name and Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: |- - cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. - Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - path: - description: 'path is Optional: Used as the mounted - root, rather than the full Ceph tree, default is - /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - Deprecated: Cinder is deprecated. All operations for the in-tree cinder type - are redirected to the cinder.csi.openstack.org CSI driver. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. 
- More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that should - populate this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers. - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. - type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about - the pod that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents information - to create the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects a field of the - pod: only annotations, labels, name, namespace - and uid are supported.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. 
- type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' path. - Must be utf-8 encoded. The first item of the - relative path must not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required for - volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. 
- The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. - The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. 
- properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. 
For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over - volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. 
- If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource that - is attached to a kubelet's host machine and then exposed - to the pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target worldwide - names (WWNs)' - items: - type: string - type: array - x-kubernetes-list-type: atomic - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. 
- properties: - driver: - description: driver is the name of the driver to use - for this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. - type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field holds - extra command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: |- - flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. - Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. 
- This is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree - gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - Deprecated: GitRepo is deprecated. 
To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the specified - revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. - Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - properties: - endpoints: - description: endpoints is the endpoint name that details - Glusterfs topology. - type: string - path: - description: |- - path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - image: - description: |- - image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. - The volume is resolved at pod startup depending on which PullPolicy value is provided: - - - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - - The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. - A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. - The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. - The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. - The volume will be mounted read-only (ro) and non-executable files (noexec). - Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. - The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. 
- properties: - pullPolicy: - description: |- - Policy for pulling OCI objects. Possible values are: - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - type: string - reference: - description: |- - Required: Image or artifact reference to be used. - Behaves in the same way as pod.spec.containers[*].image. - Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether support - iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support - iSCSI Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified Name. - type: string - iscsiInterface: - default: default - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - x-kubernetes-list-type: atomic - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for iSCSI - target and initiator authentication - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: |- - photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. - Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. 
"ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon - Controller persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: |- - portworxVolume represents a portworx volume attached and mounted on kubelets host machine. - Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type - are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate - is on. - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources - secrets, configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: |- - sources is the list of volume projections. Each entry in this list - handles one source. - items: - description: |- - Projection that may be projected along with other supported volume types. - Exactly one of these fields must be set. 
- properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the volume - root to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about the - configMap data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. 
Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path - within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the - ConfigMap or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about the - downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a - field of the pod: only annotations, - labels, name, namespace and uid - are supported.' 
- properties: - apiVersion: - description: Version of the schema - the FieldPath is written in - terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified API - version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file to - be created. Must not be absolute - or contain the ''..'' path. Must - be utf-8 encoded. The first item - of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podCertificate: - description: |- - Projects an auto-rotating credential bundle (private key and certificate - chain) that the pod can use either as a TLS client or server. - - Kubelet generates a private key and uses it to send a - PodCertificateRequest to the named signer. Once the signer approves the - request and issues a certificate chain, Kubelet writes the key and - certificate chain to the pod filesystem. The pod does not start until - certificates have been issued for each podCertificate projected volume - source in its spec. - - Kubelet will begin trying to rotate the certificate at the time indicated - by the signer using the PodCertificateRequest.Status.BeginRefreshAt - timestamp. - - Kubelet can write a single file, indicated by the credentialBundlePath - field, or separate files, indicated by the keyPath and - certificateChainPath fields. - - The credential bundle is a single file in PEM format. The first PEM - entry is the private key (in PKCS#8 format), and the remaining PEM - entries are the certificate chain issued by the signer (typically, - signers will return their certificate chain in leaf-to-root order). - - Prefer using the credential bundle format, since your application code - can read it atomically. 
If you use keyPath and certificateChainPath, - your application must make two separate file reads. If these coincide - with a certificate rotation, it is possible that the private key and leaf - certificate you read may not correspond to each other. Your application - will need to check for this condition, and re-read until they are - consistent. - - The named signer controls chooses the format of the certificate it - issues; consult the signer implementation's documentation to learn how to - use the certificates it issues. - properties: - certificateChainPath: - description: |- - Write the certificate chain at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - credentialBundlePath: - description: |- - Write the credential bundle at this path in the projected volume. - - The credential bundle is a single file that contains multiple PEM blocks. - The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private - key. - - The remaining blocks are CERTIFICATE blocks, containing the issued - certificate chain from the signer (leaf and any intermediates). - - Using credentialBundlePath lets your Pod's application code make a single - atomic read that retrieves a consistent key and certificate chain. If you - project them to separate files, your application code will need to - additionally check that the leaf certificate was issued to the key. - type: string - keyPath: - description: |- - Write the key at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. 
- type: string - keyType: - description: |- - The type of keypair Kubelet will generate for the pod. - - Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", - "ECDSAP521", and "ED25519". - type: string - maxExpirationSeconds: - description: |- - maxExpirationSeconds is the maximum lifetime permitted for the - certificate. - - Kubelet copies this value verbatim into the PodCertificateRequests it - generates for this projection. - - If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver - will reject values shorter than 3600 (1 hour). The maximum allowable - value is 7862400 (91 days). - - The signer implementation is then free to issue a certificate with any - lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 - seconds (1 hour). This constraint is enforced by kube-apiserver. - `kubernetes.io` signers will never issue certificates with a lifetime - longer than 24 hours. - format: int32 - type: integer - signerName: - description: Kubelet's generated CSRs will - be addressed to this signer. - type: string - required: - - keyType - - signerName - type: object - secret: - description: secret information about the secret - data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path - within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. 
- Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify whether - the Secret or its key must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information - about the serviceAccountToken data to project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. 
The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - quobyte: - description: |- - quobyte represents a Quobyte mount on the host that shares a pod's lifetime. - Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. - type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references an - already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. - Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. 
- Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - default: /etc/ceph/keyring - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - pool: - default: rbd - description: |- - pool is the rados pool name. - Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - default: admin - description: |- - user is the rados user name. - Default is admin. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: |- - scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. - Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. - properties: - fsType: - default: xfs - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the ScaleIO - API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the ScaleIO - Protection Domain for the configured storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL communication - with Gateway, default false - type: boolean - storageMode: - default: ThinProvisioned - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage Pool - associated with the protection domain. 
- type: string - system: - description: system is the name of the storage system - as configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
- YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret - or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: |- - storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. - Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: |- - vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. - Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type - are redirected to the csi.vsphere.vmware.com CSI driver. - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy - Based Management (SPBM) profile ID associated with - the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage Policy - Based Management (SPBM) profile name. - type: string - volumePath: - description: volumePath is the path that identifies - vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - required: - - mount - - volume - type: object - type: array - type: object - deployCsiAddons: - description: a list of additional sidecars? 
- type: boolean - enableMetadata: - description: |- - Set to true to enable adding volume metadata on the CephFS subvolumes and RBD images. - Not all users might be interested in getting volume/snapshot details as metadata on CephFS subvolume and RBD images. - Hence enable metadata is false by default. - type: boolean - encryption: - description: Driver's encryption settings - properties: - configMapName: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: '''.name'' cannot be empty' - rule: self.name != "" - required: - - configMapName - type: object - fsGroupPolicy: - description: |- - Policy for modifying a volume's ownership or permissions when the PVC is being mounted. - supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html - type: string - fuseMountOptions: - additionalProperties: - type: string - description: Set mount options to use when using the Fuse client - type: object - generateOMapInfo: - description: |- - OMAP generator will generate the omap mapping between the PV name and the RBD image. - Need to be enabled when we are using rbd mirroring feature. - By default OMAP generator sidecar is not deployed with Csi controller plugin pod, to enable - it set it to true. 
- type: boolean - grpcTimeout: - description: Set the gRPC timeout for gRPC call issued by the driver - components - minimum: 0 - type: integer - imageSet: - description: |- - A reference to a ConfigMap resource holding image overwrite for deployed - containers - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: '''.name'' cannot be empty' - rule: self.name != "" - kernelMountOptions: - additionalProperties: - type: string - description: |- - Set mount options to use https://docs.ceph.com/en/latest/man/8/mount.ceph/#options - Set to "ms_mode=secure" when connections.encrypted is enabled in Ceph - type: object - leaderElection: - description: Leader election setting - properties: - leaseDuration: - description: |- - Duration in seconds that non-leader candidates will wait to force acquire leadership. - Default to 137 seconds. - minimum: 0 - type: integer - renewDeadline: - description: |- - Deadline in seconds that the acting leader will retry refreshing leadership before giving up. - Defaults to 107 seconds. - minimum: 0 - type: integer - retryPeriod: - description: |- - Retry Period in seconds the LeaderElector clients should wait between tries of actions. - Defaults to 26 seconds. - minimum: 0 - type: integer - type: object - liveness: - description: |- - Liveness metrics configuration. - disabled by default. 
- properties: - metricsPort: - description: Port to expose liveness metrics - maximum: 65535 - minimum: 1024 - type: integer - required: - - metricsPort - type: object - log: - description: Logging configuration for driver's pods - properties: - rotation: - description: log rotation for csi pods - properties: - logHostPath: - description: |- - LogHostPath is the prefix directory path for the csi log files - Default to /var/lib/cephcsi - type: string - maxFiles: - description: |- - MaxFiles is the number of logrtoate files - Default to 7 - type: integer - maxLogSize: - anyOf: - - type: integer - - type: string - description: MaxLogSize is the maximum size of the log file - per csi pods - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - periodicity: - description: Periodicity is the periodicity of the log rotation. - enum: - - hourly - - daily - - weekly - - monthly - type: string - type: object - x-kubernetes-validations: - - message: Either maxLogSize or periodicity must be set - rule: (has(self.maxLogSize)) || (has(self.periodicity)) - verbosity: - description: |- - Log verbosity level for driver pods, - Supported values from 0 to 5. 0 for general useful logs (the default), 5 for trace level verbosity. - Default to 0 - maximum: 5 - minimum: 0 - type: integer - type: object - nodePlugin: - description: Driver's plugin configuration - properties: - affinity: - description: Pod's affinity settings - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the - pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with - the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. 
- properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding - nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate - this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. 
The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. 
due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. - avoid putting this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - annotations: - additionalProperties: - type: string - description: Pod's annotations - type: object - enableSeLinuxHostMount: - description: Control the host mount of /etc/selinux for csi plugin - pods. Defaults to false - type: boolean - imagePullPolicy: - description: To indicate the image pull policy to be applied to - all the containers in the csi driver pods. - type: string - kubeletDirPath: - description: kubelet directory path, if kubelet configured to use - other than /var/lib/kubelet path. - type: string - labels: - additionalProperties: - type: string - description: Pod's labels - type: object - priorityClassName: - description: Pod's user defined priority class name - type: string - resources: - description: Resource requirements for plugin's containers - properties: - addons: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. 
- items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - liveness: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. 
- - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - logRotator: - description: ResourceRequirements describes the compute resource - requirements. 
- properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - plugin: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - registrar: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - type: object - serviceAccountName: - description: Service account name to be used for driver's pods - type: string - tolerations: - description: Pod's tolerations list - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topology: - description: Topology settings for the plugin pods - properties: - domainLabels: - description: Domain labels define which node labels to use as - domains for CSI nodeplugins to advertise their domains - items: - type: string - type: array - required: - - domainLabels - type: object - updateStrategy: - description: |- - Driver's plugin daemonset update strategy, supported values are OnDelete and RollingUpdate. - Default value is RollingUpdate with MaxAvailabile set to 1 - properties: - rollingUpdate: - description: Rolling update config params. Present only if type - = "RollingUpdate". - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of nodes with an existing available DaemonSet pod that - can have an updated DaemonSet pod during during an update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up to a minimum of 1. - Default value is 0. - Example: when this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their a new pod created before the old pod is marked as deleted. - The update starts by launching new pods on 30% of nodes. Once an updated - pod is available (Ready for at least minReadySeconds) the old DaemonSet pod - on that node is marked deleted. 
If the old pod becomes unavailable for any - reason (Ready transitions to false, is evicted, or is drained) an updated - pod is immediately created on that node without considering surge limits. - Allowing surge implies the possibility that the resources consumed by the - daemonset on any given node can double if the readiness check fails, and - so resource intensive daemonsets should take into account that they may - cause evictions during disruption. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of DaemonSet pods that can be unavailable during the - update. Value can be an absolute number (ex: 5) or a percentage of total - number of DaemonSet pods at the start of the update (ex: 10%). Absolute - number is calculated from percentage by rounding up. - This cannot be 0 if MaxSurge is 0 - Default value is 1. - Example: when this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their pods stopped for an update at any given time. The update - starts by stopping at most 30% of those DaemonSet pods and then brings - up new DaemonSet pods in their place. Once the new pods are available, - it then proceeds onto other DaemonSet pods, thus ensuring that at least - 70% of original number of DaemonSet pods are available at all times during - the update. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of daemon set update. Can be "RollingUpdate" - or "OnDelete". Default is RollingUpdate. - type: string - type: object - volumes: - description: Volume and volume mount definitions to attach to the - pod - items: - properties: - mount: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. 
- type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. 
- type: string - required: - - mountPath - - name - type: object - volume: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree - awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: |- - azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. - Deprecated: AzureDisk is deprecated. 
All operations for the in-tree azureDisk type - are redirected to the disk.csi.azure.com CSI driver. - properties: - cachingMode: - description: 'cachingMode is the Host Caching mode: - None, Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data disk - in the blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in the - blob storage - type: string - fsType: - default: ext4 - description: |- - fsType is Filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: multiple - blob disks per storage account Dedicated: single - blob disk per storage account Managed: azure managed - data disk (only in managed availability set). defaults - to shared' - type: string - readOnly: - default: false - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: |- - azureFile represents an Azure File Service mount on the host and bind mount to the pod. - Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type - are redirected to the file.csi.azure.com CSI driver. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: secretName is the name of secret that - contains Azure Storage Account Name and Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: |- - cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. 
- Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - path: - description: 'path is Optional: Used as the mounted - root, rather than the full Ceph tree, default is - /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - Deprecated: Cinder is deprecated. 
All operations for the in-tree cinder type - are redirected to the cinder.csi.openstack.org CSI driver. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that should - populate this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers. - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. 
- type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about - the pod that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents information - to create the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects a field of the - pod: only annotations, labels, name, namespace - and uid are supported.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' path. - Must be utf-8 encoded. The first item of the - relative path must not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required for - volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. 
- The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. - The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. 
Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. 
- When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. 
- * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over - volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. 
- Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource that - is attached to a kubelet's host machine and then exposed - to the pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target worldwide - names (WWNs)' - items: - type: string - type: array - x-kubernetes-list-type: atomic - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. - properties: - driver: - description: driver is the name of the driver to use - for this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
- type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field holds - extra command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: |- - flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. - Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. - This is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: GCEPersistentDisk is deprecated. 
All operations for the in-tree - gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. 
Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the specified - revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. - Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - properties: - endpoints: - description: endpoints is the endpoint name that details - Glusterfs topology. - type: string - path: - description: |- - path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - image: - description: |- - image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. - The volume is resolved at pod startup depending on which PullPolicy value is provided: - - - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - - The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. - A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. - The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. - The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. - The volume will be mounted read-only (ro) and non-executable files (noexec). - Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. - The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. 
- properties: - pullPolicy: - description: |- - Policy for pulling OCI objects. Possible values are: - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - type: string - reference: - description: |- - Required: Image or artifact reference to be used. - Behaves in the same way as pod.spec.containers[*].image. - Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether support - iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support - iSCSI Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified Name. - type: string - iscsiInterface: - default: default - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - x-kubernetes-list-type: atomic - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for iSCSI - target and initiator authentication - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: |- - photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. - Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. 
"ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon - Controller persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: |- - portworxVolume represents a portworx volume attached and mounted on kubelets host machine. - Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type - are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate - is on. - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources - secrets, configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: |- - sources is the list of volume projections. Each entry in this list - handles one source. - items: - description: |- - Projection that may be projected along with other supported volume types. - Exactly one of these fields must be set. 
- properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the volume - root to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about the - configMap data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. 
Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path - within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the - ConfigMap or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about the - downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a - field of the pod: only annotations, - labels, name, namespace and uid - are supported.' 
- properties: - apiVersion: - description: Version of the schema - the FieldPath is written in - terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified API - version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file to - be created. Must not be absolute - or contain the ''..'' path. Must - be utf-8 encoded. The first item - of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podCertificate: - description: |- - Projects an auto-rotating credential bundle (private key and certificate - chain) that the pod can use either as a TLS client or server. - - Kubelet generates a private key and uses it to send a - PodCertificateRequest to the named signer. Once the signer approves the - request and issues a certificate chain, Kubelet writes the key and - certificate chain to the pod filesystem. The pod does not start until - certificates have been issued for each podCertificate projected volume - source in its spec. - - Kubelet will begin trying to rotate the certificate at the time indicated - by the signer using the PodCertificateRequest.Status.BeginRefreshAt - timestamp. - - Kubelet can write a single file, indicated by the credentialBundlePath - field, or separate files, indicated by the keyPath and - certificateChainPath fields. - - The credential bundle is a single file in PEM format. The first PEM - entry is the private key (in PKCS#8 format), and the remaining PEM - entries are the certificate chain issued by the signer (typically, - signers will return their certificate chain in leaf-to-root order). - - Prefer using the credential bundle format, since your application code - can read it atomically. 
If you use keyPath and certificateChainPath, - your application must make two separate file reads. If these coincide - with a certificate rotation, it is possible that the private key and leaf - certificate you read may not correspond to each other. Your application - will need to check for this condition, and re-read until they are - consistent. - - The named signer controls chooses the format of the certificate it - issues; consult the signer implementation's documentation to learn how to - use the certificates it issues. - properties: - certificateChainPath: - description: |- - Write the certificate chain at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - credentialBundlePath: - description: |- - Write the credential bundle at this path in the projected volume. - - The credential bundle is a single file that contains multiple PEM blocks. - The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private - key. - - The remaining blocks are CERTIFICATE blocks, containing the issued - certificate chain from the signer (leaf and any intermediates). - - Using credentialBundlePath lets your Pod's application code make a single - atomic read that retrieves a consistent key and certificate chain. If you - project them to separate files, your application code will need to - additionally check that the leaf certificate was issued to the key. - type: string - keyPath: - description: |- - Write the key at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. 
- type: string - keyType: - description: |- - The type of keypair Kubelet will generate for the pod. - - Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", - "ECDSAP521", and "ED25519". - type: string - maxExpirationSeconds: - description: |- - maxExpirationSeconds is the maximum lifetime permitted for the - certificate. - - Kubelet copies this value verbatim into the PodCertificateRequests it - generates for this projection. - - If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver - will reject values shorter than 3600 (1 hour). The maximum allowable - value is 7862400 (91 days). - - The signer implementation is then free to issue a certificate with any - lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 - seconds (1 hour). This constraint is enforced by kube-apiserver. - `kubernetes.io` signers will never issue certificates with a lifetime - longer than 24 hours. - format: int32 - type: integer - signerName: - description: Kubelet's generated CSRs will - be addressed to this signer. - type: string - required: - - keyType - - signerName - type: object - secret: - description: secret information about the secret - data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path - within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. 
- Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify whether - the Secret or its key must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information - about the serviceAccountToken data to project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. 
The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - quobyte: - description: |- - quobyte represents a Quobyte mount on the host that shares a pod's lifetime. - Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. - type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references an - already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. - Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. 
- Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - default: /etc/ceph/keyring - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - pool: - default: rbd - description: |- - pool is the rados pool name. - Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - default: admin - description: |- - user is the rados user name. - Default is admin. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: |- - scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. - Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. - properties: - fsType: - default: xfs - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the ScaleIO - API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the ScaleIO - Protection Domain for the configured storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL communication - with Gateway, default false - type: boolean - storageMode: - default: ThinProvisioned - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage Pool - associated with the protection domain. 
- type: string - system: - description: system is the name of the storage system - as configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
- YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret - or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: |- - storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. - Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: |- - vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. - Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type - are redirected to the csi.vsphere.vmware.com CSI driver. - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy - Based Management (SPBM) profile ID associated with - the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage Policy - Based Management (SPBM) profile name. 
- type: string - volumePath: - description: volumePath is the path that identifies - vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - required: - - mount - - volume - type: object - type: array - type: object - snapshotPolicy: - description: 'Select a policy for snapshot behavior: none, autodetect, - snapshot, sanpshotGroup' - enum: - - none - - volumeGroupSnapshot - - volumeSnapshot - type: string - type: object - status: - description: DriverStatus defines the observed state of Driver - type: object - type: object - x-kubernetes-validations: - - message: '.metadata.name must match: ''[.](rbd|cephfs|nfs).csi.ceph.com''' - rule: self.metadata.name.matches('^(.+\\.)?(rbd|cephfs|nfs)?\\.csi\\.ceph\\.com$') - served: true - storage: false - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/operatorconfig-crd.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: operatorconfigs.csi.ceph.io - annotations: - controller-gen.kubebuilder.io/version: v0.17.2 - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -spec: - group: csi.ceph.io - names: - kind: OperatorConfig - listKind: OperatorConfigList - plural: operatorconfigs - singular: operatorconfig - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: OperatorConfig is the Schema for the operatorconfigs API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: OperatorConfigSpec defines the desired state of OperatorConfig - properties: - driverSpecDefaults: - description: Allow overwrite of hardcoded defaults for any driver managed - by this operator - properties: - attachRequired: - description: |- - Whether to skip any attach operation altogether for CephCsi PVCs. - See more details [here](https://kubernetes-csi.github.io/docs/skip-attach.html#skip-attach-with-csi-driver-object). - If set to false it skips the volume attachments and makes the creation of pods using the CephCsi PVC fast. - **WARNING** It's highly discouraged to use this for RWO volumes. for RBD PVC it can cause data corruption, - csi-addons operations like Reclaimspace and PVC Keyrotation will also not be supported if set to false - since we'll have no VolumeAttachments to determine which node the PVC is mounted on. - Refer to this [issue](https://github.com/kubernetes/kubernetes/issues/103305) for more details. - type: boolean - cephFsClientType: - description: |- - Select between between cephfs kernel driver and ceph-fuse - If you select a non-kernel client, your application may be disrupted during upgrade. - See the upgrade guide: https://rook.io/docs/rook/latest/ceph-upgrade.html - NOTE! cephfs quota is not supported in kernel version < 4.17 - enum: - - autodetect - - kernel - type: string - clusterName: - description: |- - Cluster name identifier to set as metadata on the CephFS subvolume and RBD images. 
This will be useful in cases - when two container orchestrator clusters (Kubernetes/OCP) are using a single ceph cluster. - type: string - controllerPlugin: - description: Driver's controller plugin configuration - properties: - affinity: - description: Pod's affinity settings - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for - the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated - with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. 
If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the - corresponding nodeSelectorTerm, in the range - 1-100. 
- format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. - co-locate this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. 
The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules - (e.g. avoid putting this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. 
- type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - annotations: - additionalProperties: - type: string - description: Pod's annotations - type: object - deploymentStrategy: - description: |- - DeploymentStrategy describes how to replace existing pods with new ones - Default value is RollingUpdate with MaxUnavailable and MaxSurege as 25% (kubernetes default) - properties: - rollingUpdate: - description: |- - Rolling update config params. Present only if DeploymentStrategyType = - RollingUpdate. - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be scheduled above the desired number of - pods. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up. - Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when - the rolling update starts, such that the total number of old and new pods do not exceed - 130% of desired pods. Once old pods have been killed, - new ReplicaSet can be scaled up further, ensuring that total number of pods running - at any time during the update is at most 130% of desired pods. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding down. - This can not be 0 if MaxSurge is 0. - Defaults to 25%. - Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods - immediately when the rolling update starts. 
Once new pods are ready, old ReplicaSet - can be scaled down further, followed by scaling up the new ReplicaSet, ensuring - that the total number of pods available at all times during the update is at - least 70% of desired pods. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of deployment. Can be "Recreate" or "RollingUpdate". - Default is RollingUpdate. - type: string - type: object - hostNetwork: - description: hostNetwork setting to be propagated to CSI controller - plugin pods - type: boolean - imagePullPolicy: - description: To indicate the image pull policy to be applied - to all the containers in the csi driver pods. - type: string - labels: - additionalProperties: - type: string - description: Pod's labels - type: object - priorityClassName: - description: Pod's user defined priority class name - type: string - privileged: - description: |- - To enable logrotation for csi pods, - Some platforms require controller plugin to run privileged, - For example, OpenShift with SELinux restrictions requires the pod to be privileged to write to hostPath. - type: boolean - replicas: - description: Set replicas for controller plugin's deployment. - Defaults to 2 - format: int32 - minimum: 1 - type: integer - resources: - description: Resource requirements for controller plugin's containers - properties: - addons: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. 
It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - attacher: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. 
- properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - liveness: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. 
- items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - logRotator: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. 
- - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - omapGenerator: - description: ResourceRequirements describes the compute - resource requirements. 
- properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - plugin: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - provisioner: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - resizer: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - snapshotter: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. 
- If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - type: object - serviceAccountName: - description: Service account name to be used for driver's pods - type: string - tolerations: - description: Pod's tolerations list - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. 
- If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - volumes: - description: Volume and volume mount definitions to attach to - the pod - items: - properties: - mount: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. 
- type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - volume: - description: Volume represents a named volume in a pod - that may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree - awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: |- - azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. - Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type - are redirected to the disk.csi.azure.com CSI driver. - properties: - cachingMode: - description: 'cachingMode is the Host Caching - mode: None, Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data - disk in the blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in - the blob storage - type: string - fsType: - default: ext4 - description: |- - fsType is Filesystem type to mount. 
- Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: - multiple blob disks per storage account Dedicated: - single blob disk per storage account Managed: - azure managed data disk (only in managed availability - set). defaults to shared' - type: string - readOnly: - default: false - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: |- - azureFile represents an Azure File Service mount on the host and bind mount to the pod. - Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type - are redirected to the file.csi.azure.com CSI driver. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: secretName is the name of secret - that contains Azure Storage Account Name and - Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: |- - cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. - Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. 
- properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - path: - description: 'path is Optional: Used as the mounted - root, rather than the full Ceph tree, default - is /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - Deprecated: Cinder is deprecated. All operations for the in-tree cinder type - are redirected to the cinder.csi.openstack.org CSI driver. 
- More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that - should populate this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers. - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. 
- type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about - the pod that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a field - of the pod: only annotations, labels, - name, namespace and uid are supported.' - properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, - defaults to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' - path. Must be utf-8 encoded. The first - item of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults - to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to - select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. 
- The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. - The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. 
Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. 
- When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. 
- * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query - over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a - list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. 
- Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding - reference to the PersistentVolume backing - this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource - that is attached to a kubelet's host machine and - then exposed to the pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target - worldwide names (WWNs)' - items: - type: string - type: array - x-kubernetes-list-type: atomic - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. - properties: - driver: - description: driver is the name of the driver - to use for this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
- type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field - holds extra command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: |- - flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. - Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. - This is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: GCEPersistentDisk is deprecated. 
All operations for the in-tree - gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. 
Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the - specified revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. - Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - properties: - endpoints: - description: endpoints is the endpoint name that - details Glusterfs topology. - type: string - path: - description: |- - path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - image: - description: |- - image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. - The volume is resolved at pod startup depending on which PullPolicy value is provided: - - - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - - The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. - A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. - The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. - The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. - The volume will be mounted read-only (ro) and non-executable files (noexec). - Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. - The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. 
- properties: - pullPolicy: - description: |- - Policy for pulling OCI objects. Possible values are: - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - type: string - reference: - description: |- - Required: Image or artifact reference to be used. - Behaves in the same way as pod.spec.containers[*].image. - Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether - support iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support - iSCSI Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified - Name. - type: string - iscsiInterface: - default: default - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - x-kubernetes-list-type: atomic - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for - iSCSI target and initiator authentication - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: |- - photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. - Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. 
"ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon - Controller persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: |- - portworxVolume represents a portworx volume attached and mounted on kubelets host machine. - Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type - are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate - is on. - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources - secrets, configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: |- - sources is the list of volume projections. Each entry in this list - handles one source. - items: - description: |- - Projection that may be projected along with other supported volume types. - Exactly one of these fields must be set. 
- properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the - volume root to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about - the configMap data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. 
Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to - a path within a volume. - properties: - key: - description: key is the key to - project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether - the ConfigMap or its keys must be - defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about - the downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile - represents information to create - the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects - a field of the pod: only annotations, - labels, name, namespace and - uid are supported.' 
- properties: - apiVersion: - description: Version of the - schema the FieldPath is - written in terms of, defaults - to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file - to be created. Must not be absolute - or contain the ''..'' path. - Must be utf-8 encoded. The first - item of the relative path must - not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the - output format of the exposed - resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podCertificate: - description: |- - Projects an auto-rotating credential bundle (private key and certificate - chain) that the pod can use either as a TLS client or server. - - Kubelet generates a private key and uses it to send a - PodCertificateRequest to the named signer. Once the signer approves the - request and issues a certificate chain, Kubelet writes the key and - certificate chain to the pod filesystem. The pod does not start until - certificates have been issued for each podCertificate projected volume - source in its spec. - - Kubelet will begin trying to rotate the certificate at the time indicated - by the signer using the PodCertificateRequest.Status.BeginRefreshAt - timestamp. - - Kubelet can write a single file, indicated by the credentialBundlePath - field, or separate files, indicated by the keyPath and - certificateChainPath fields. - - The credential bundle is a single file in PEM format. The first PEM - entry is the private key (in PKCS#8 format), and the remaining PEM - entries are the certificate chain issued by the signer (typically, - signers will return their certificate chain in leaf-to-root order). - - Prefer using the credential bundle format, since your application code - can read it atomically. 
If you use keyPath and certificateChainPath, - your application must make two separate file reads. If these coincide - with a certificate rotation, it is possible that the private key and leaf - certificate you read may not correspond to each other. Your application - will need to check for this condition, and re-read until they are - consistent. - - The named signer controls chooses the format of the certificate it - issues; consult the signer implementation's documentation to learn how to - use the certificates it issues. - properties: - certificateChainPath: - description: |- - Write the certificate chain at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - credentialBundlePath: - description: |- - Write the credential bundle at this path in the projected volume. - - The credential bundle is a single file that contains multiple PEM blocks. - The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private - key. - - The remaining blocks are CERTIFICATE blocks, containing the issued - certificate chain from the signer (leaf and any intermediates). - - Using credentialBundlePath lets your Pod's application code make a single - atomic read that retrieves a consistent key and certificate chain. If you - project them to separate files, your application code will need to - additionally check that the leaf certificate was issued to the key. - type: string - keyPath: - description: |- - Write the key at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. 
- type: string - keyType: - description: |- - The type of keypair Kubelet will generate for the pod. - - Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", - "ECDSAP521", and "ED25519". - type: string - maxExpirationSeconds: - description: |- - maxExpirationSeconds is the maximum lifetime permitted for the - certificate. - - Kubelet copies this value verbatim into the PodCertificateRequests it - generates for this projection. - - If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver - will reject values shorter than 3600 (1 hour). The maximum allowable - value is 7862400 (91 days). - - The signer implementation is then free to issue a certificate with any - lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 - seconds (1 hour). This constraint is enforced by kube-apiserver. - `kubernetes.io` signers will never issue certificates with a lifetime - longer than 24 hours. - format: int32 - type: integer - signerName: - description: Kubelet's generated CSRs - will be addressed to this signer. - type: string - required: - - keyType - - signerName - type: object - secret: - description: secret information about the - secret data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to - a path within a volume. - properties: - key: - description: key is the key to - project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. 
- Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify - whether the Secret or its key must - be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information - about the serviceAccountToken data to - project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. 
The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - quobyte: - description: |- - quobyte represents a Quobyte mount on the host that shares a pod's lifetime. - Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. - type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references - an already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. - Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. 
- Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - default: /etc/ceph/keyring - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - pool: - default: rbd - description: |- - pool is the rados pool name. - Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - default: admin - description: |- - user is the rados user name. - Default is admin. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: |- - scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. - Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. - properties: - fsType: - default: xfs - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the - ScaleIO API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the - ScaleIO Protection Domain for the configured - storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL - communication with Gateway, default false - type: boolean - storageMode: - default: ThinProvisioned - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage - Pool associated with the protection domain. 
- type: string - system: - description: system is the name of the storage - system as configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
- YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the - Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: |- - storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. - Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: |- - vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. - Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type - are redirected to the csi.vsphere.vmware.com CSI driver. - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy - Based Management (SPBM) profile ID associated - with the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage - Policy Based Management (SPBM) profile name. - type: string - volumePath: - description: volumePath is the path that identifies - vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: object - type: array - type: object - deployCsiAddons: - description: a list of additional sidecars? 
- type: boolean - enableFencing: - description: |- - Set to true to enable fencing for the driver. - Fencing is a feature that allows the driver to fence a node when it is tainted with node.kubernetes.io/out-of-service. - type: boolean - enableMetadata: - description: |- - Set to true to enable adding volume metadata on the CephFS subvolumes and RBD images. - Not all users might be interested in getting volume/snapshot details as metadata on CephFS subvolume and RBD images. - Hence enable metadata is false by default. - type: boolean - encryption: - description: Driver's encryption settings - properties: - configMapName: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: '''.name'' cannot be empty' - rule: self.name != "" - required: - - configMapName - type: object - fsGroupPolicy: - description: |- - Policy for modifying a volume's ownership or permissions when the PVC is being mounted. - supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html - type: string - fuseMountOptions: - additionalProperties: - type: string - description: Set mount options to use when using the Fuse client - type: object - generateOMapInfo: - description: |- - OMAP generator will generate the omap mapping between the PV name and the RBD image. - Need to be enabled when we are using rbd mirroring feature. - By default OMAP generator sidecar is not deployed with Csi controller plugin pod, to enable - it set it to true. 
- type: boolean - grpcTimeout: - description: Set the gRPC timeout for gRPC call issued by the driver - components - minimum: 0 - type: integer - imageSet: - description: |- - A reference to a ConfigMap resource holding image overwrite for deployed - containers - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: '''.name'' cannot be empty' - rule: self.name != "" - kernelMountOptions: - additionalProperties: - type: string - description: |- - Set mount options to use https://docs.ceph.com/en/latest/man/8/mount.ceph/#options - Set to "ms_mode=secure" when connections.encrypted is enabled in Ceph - type: object - leaderElection: - description: Leader election setting - properties: - leaseDuration: - description: |- - Duration in seconds that non-leader candidates will wait to force acquire leadership. - Default to 137 seconds. - minimum: 0 - type: integer - renewDeadline: - description: |- - Deadline in seconds that the acting leader will retry refreshing leadership before giving up. - Defaults to 107 seconds. - minimum: 0 - type: integer - retryPeriod: - description: |- - Retry Period in seconds the LeaderElector clients should wait between tries of actions. - Defaults to 26 seconds. - minimum: 0 - type: integer - type: object - liveness: - description: |- - Liveness metrics configuration. - disabled by default. 
- properties: - metricsPort: - description: Port to expose liveness metrics - maximum: 65535 - minimum: 1024 - type: integer - required: - - metricsPort - type: object - log: - description: Logging configuration for driver's pods - properties: - rotation: - description: log rotation for csi pods - properties: - logHostPath: - description: |- - LogHostPath is the prefix directory path for the csi log files - Default to /var/lib/cephcsi - type: string - maxFiles: - description: |- - MaxFiles is the number of logrtoate files - Default to 7 - type: integer - maxLogSize: - anyOf: - - type: integer - - type: string - description: MaxLogSize is the maximum size of the log file - per csi pods - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - periodicity: - description: Periodicity is the periodicity of the log rotation. - enum: - - hourly - - daily - - weekly - - monthly - type: string - type: object - x-kubernetes-validations: - - message: Either maxLogSize or periodicity must be set - rule: (has(self.maxLogSize)) || (has(self.periodicity)) - verbosity: - description: |- - Log verbosity level for driver pods, - Supported values from 0 to 5. 0 for general useful logs (the default), 5 for trace level verbosity. - Default to 0 - maximum: 5 - minimum: 0 - type: integer - type: object - nodePlugin: - description: Driver's plugin configuration - properties: - affinity: - description: Pod's affinity settings - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for - the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated - with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. 
- properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the - corresponding nodeSelectorTerm, in the range - 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. - co-locate this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. 
The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. 
due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules - (e.g. avoid putting this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - annotations: - additionalProperties: - type: string - description: Pod's annotations - type: object - enableSeLinuxHostMount: - description: Control the host mount of /etc/selinux for csi - plugin pods. Defaults to false - type: boolean - imagePullPolicy: - description: To indicate the image pull policy to be applied - to all the containers in the csi driver pods. - type: string - kubeletDirPath: - description: kubelet directory path, if kubelet configured to - use other than /var/lib/kubelet path. - type: string - labels: - additionalProperties: - type: string - description: Pod's labels - type: object - priorityClassName: - description: Pod's user defined priority class name - type: string - resources: - description: Resource requirements for plugin's containers - properties: - addons: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. 
- items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - liveness: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. 
- - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - logRotator: - description: ResourceRequirements describes the compute - resource requirements. 
- properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - plugin: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - registrar: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - type: object - serviceAccountName: - description: Service account name to be used for driver's pods - type: string - tolerations: - description: Pod's tolerations list - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topology: - description: Topology settings for the plugin pods - properties: - domainLabels: - description: Domain labels define which node labels to use - as domains for CSI nodeplugins to advertise their domains - items: - type: string - type: array - required: - - domainLabels - type: object - updateStrategy: - description: |- - Driver's plugin daemonset update strategy, supported values are OnDelete and RollingUpdate. - Default value is RollingUpdate with MaxAvailabile set to 1 - properties: - rollingUpdate: - description: Rolling update config params. Present only - if type = "RollingUpdate". - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of nodes with an existing available DaemonSet pod that - can have an updated DaemonSet pod during during an update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up to a minimum of 1. - Default value is 0. - Example: when this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their a new pod created before the old pod is marked as deleted. - The update starts by launching new pods on 30% of nodes. Once an updated - pod is available (Ready for at least minReadySeconds) the old DaemonSet pod - on that node is marked deleted. 
If the old pod becomes unavailable for any - reason (Ready transitions to false, is evicted, or is drained) an updated - pod is immediately created on that node without considering surge limits. - Allowing surge implies the possibility that the resources consumed by the - daemonset on any given node can double if the readiness check fails, and - so resource intensive daemonsets should take into account that they may - cause evictions during disruption. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of DaemonSet pods that can be unavailable during the - update. Value can be an absolute number (ex: 5) or a percentage of total - number of DaemonSet pods at the start of the update (ex: 10%). Absolute - number is calculated from percentage by rounding up. - This cannot be 0 if MaxSurge is 0 - Default value is 1. - Example: when this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their pods stopped for an update at any given time. The update - starts by stopping at most 30% of those DaemonSet pods and then brings - up new DaemonSet pods in their place. Once the new pods are available, - it then proceeds onto other DaemonSet pods, thus ensuring that at least - 70% of original number of DaemonSet pods are available at all times during - the update. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of daemon set update. Can be "RollingUpdate" - or "OnDelete". Default is RollingUpdate. - type: string - type: object - volumes: - description: Volume and volume mount definitions to attach to - the pod - items: - properties: - mount: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. 
- type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. 
- type: string - required: - - mountPath - - name - type: object - volume: - description: Volume represents a named volume in a pod - that may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree - awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: |- - azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. - Deprecated: AzureDisk is deprecated. 
All operations for the in-tree azureDisk type - are redirected to the disk.csi.azure.com CSI driver. - properties: - cachingMode: - description: 'cachingMode is the Host Caching - mode: None, Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data - disk in the blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in - the blob storage - type: string - fsType: - default: ext4 - description: |- - fsType is Filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: - multiple blob disks per storage account Dedicated: - single blob disk per storage account Managed: - azure managed data disk (only in managed availability - set). defaults to shared' - type: string - readOnly: - default: false - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: |- - azureFile represents an Azure File Service mount on the host and bind mount to the pod. - Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type - are redirected to the file.csi.azure.com CSI driver. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: secretName is the name of secret - that contains Azure Storage Account Name and - Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: |- - cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. 
- Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - path: - description: 'path is Optional: Used as the mounted - root, rather than the full Ceph tree, default - is /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - Deprecated: Cinder is deprecated. 
All operations for the in-tree cinder type - are redirected to the cinder.csi.openstack.org CSI driver. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that - should populate this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers. - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. 
- type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about - the pod that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a field - of the pod: only annotations, labels, - name, namespace and uid are supported.' - properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, - defaults to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' - path. Must be utf-8 encoded. The first - item of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults - to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to - select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. 
- The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. - The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. 
Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. 
- When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. 
- * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query - over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a - list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. 
- Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding - reference to the PersistentVolume backing - this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource - that is attached to a kubelet's host machine and - then exposed to the pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target - worldwide names (WWNs)' - items: - type: string - type: array - x-kubernetes-list-type: atomic - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. - properties: - driver: - description: driver is the name of the driver - to use for this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
- type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field - holds extra command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: |- - flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. - Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. - This is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: GCEPersistentDisk is deprecated. 
All operations for the in-tree - gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. 
Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the - specified revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. - Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - properties: - endpoints: - description: endpoints is the endpoint name that - details Glusterfs topology. - type: string - path: - description: |- - path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - image: - description: |- - image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. - The volume is resolved at pod startup depending on which PullPolicy value is provided: - - - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - - The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. - A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. - The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. - The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. - The volume will be mounted read-only (ro) and non-executable files (noexec). - Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. - The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. 
- properties: - pullPolicy: - description: |- - Policy for pulling OCI objects. Possible values are: - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - type: string - reference: - description: |- - Required: Image or artifact reference to be used. - Behaves in the same way as pod.spec.containers[*].image. - Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether - support iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support - iSCSI Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified - Name. - type: string - iscsiInterface: - default: default - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - x-kubernetes-list-type: atomic - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for - iSCSI target and initiator authentication - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: |- - photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. - Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. 
"ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon - Controller persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: |- - portworxVolume represents a portworx volume attached and mounted on kubelets host machine. - Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type - are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate - is on. - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources - secrets, configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: |- - sources is the list of volume projections. Each entry in this list - handles one source. - items: - description: |- - Projection that may be projected along with other supported volume types. - Exactly one of these fields must be set. 
- properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the - volume root to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about - the configMap data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. 
Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to - a path within a volume. - properties: - key: - description: key is the key to - project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether - the ConfigMap or its keys must be - defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about - the downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile - represents information to create - the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects - a field of the pod: only annotations, - labels, name, namespace and - uid are supported.' 
- properties: - apiVersion: - description: Version of the - schema the FieldPath is - written in terms of, defaults - to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file - to be created. Must not be absolute - or contain the ''..'' path. - Must be utf-8 encoded. The first - item of the relative path must - not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the - output format of the exposed - resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podCertificate: - description: |- - Projects an auto-rotating credential bundle (private key and certificate - chain) that the pod can use either as a TLS client or server. - - Kubelet generates a private key and uses it to send a - PodCertificateRequest to the named signer. Once the signer approves the - request and issues a certificate chain, Kubelet writes the key and - certificate chain to the pod filesystem. The pod does not start until - certificates have been issued for each podCertificate projected volume - source in its spec. - - Kubelet will begin trying to rotate the certificate at the time indicated - by the signer using the PodCertificateRequest.Status.BeginRefreshAt - timestamp. - - Kubelet can write a single file, indicated by the credentialBundlePath - field, or separate files, indicated by the keyPath and - certificateChainPath fields. - - The credential bundle is a single file in PEM format. The first PEM - entry is the private key (in PKCS#8 format), and the remaining PEM - entries are the certificate chain issued by the signer (typically, - signers will return their certificate chain in leaf-to-root order). - - Prefer using the credential bundle format, since your application code - can read it atomically. 
If you use keyPath and certificateChainPath, - your application must make two separate file reads. If these coincide - with a certificate rotation, it is possible that the private key and leaf - certificate you read may not correspond to each other. Your application - will need to check for this condition, and re-read until they are - consistent. - - The named signer controls chooses the format of the certificate it - issues; consult the signer implementation's documentation to learn how to - use the certificates it issues. - properties: - certificateChainPath: - description: |- - Write the certificate chain at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - credentialBundlePath: - description: |- - Write the credential bundle at this path in the projected volume. - - The credential bundle is a single file that contains multiple PEM blocks. - The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private - key. - - The remaining blocks are CERTIFICATE blocks, containing the issued - certificate chain from the signer (leaf and any intermediates). - - Using credentialBundlePath lets your Pod's application code make a single - atomic read that retrieves a consistent key and certificate chain. If you - project them to separate files, your application code will need to - additionally check that the leaf certificate was issued to the key. - type: string - keyPath: - description: |- - Write the key at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. 
- type: string - keyType: - description: |- - The type of keypair Kubelet will generate for the pod. - - Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", - "ECDSAP521", and "ED25519". - type: string - maxExpirationSeconds: - description: |- - maxExpirationSeconds is the maximum lifetime permitted for the - certificate. - - Kubelet copies this value verbatim into the PodCertificateRequests it - generates for this projection. - - If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver - will reject values shorter than 3600 (1 hour). The maximum allowable - value is 7862400 (91 days). - - The signer implementation is then free to issue a certificate with any - lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 - seconds (1 hour). This constraint is enforced by kube-apiserver. - `kubernetes.io` signers will never issue certificates with a lifetime - longer than 24 hours. - format: int32 - type: integer - signerName: - description: Kubelet's generated CSRs - will be addressed to this signer. - type: string - required: - - keyType - - signerName - type: object - secret: - description: secret information about the - secret data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to - a path within a volume. - properties: - key: - description: key is the key to - project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. 
- Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify - whether the Secret or its key must - be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information - about the serviceAccountToken data to - project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. 
The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - quobyte: - description: |- - quobyte represents a Quobyte mount on the host that shares a pod's lifetime. - Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. - type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references - an already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. - Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. 
- Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - default: /etc/ceph/keyring - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - pool: - default: rbd - description: |- - pool is the rados pool name. - Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - default: admin - description: |- - user is the rados user name. - Default is admin. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: |- - scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. - Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. - properties: - fsType: - default: xfs - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the - ScaleIO API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the - ScaleIO Protection Domain for the configured - storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL - communication with Gateway, default false - type: boolean - storageMode: - default: ThinProvisioned - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage - Pool associated with the protection domain. 
- type: string - system: - description: system is the name of the storage - system as configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
- YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the - Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: |- - storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. - Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: |- - vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. - Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type - are redirected to the csi.vsphere.vmware.com CSI driver. - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy - Based Management (SPBM) profile ID associated - with the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage - Policy Based Management (SPBM) profile name. 
- type: string - volumePath: - description: volumePath is the path that identifies - vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: object - type: array - type: object - snapshotPolicy: - description: 'Select a policy for snapshot behavior: none, autodetect, - snapshot, sanpshotGroup' - enum: - - none - - volumeGroupSnapshot - - volumeSnapshot - type: string - type: object - log: - description: OperatorLogSpec provide log related settings for the operator - properties: - verbosity: - description: Operator's log level - maximum: 3 - minimum: 0 - type: integer - type: object - type: object - status: - description: OperatorConfigStatus defines the observed state of OperatorConfig - type: object - type: object - served: true - storage: true - subresources: - status: {} - - deprecated: true - deprecationWarning: v1alpha1 is deprecated, please use v1 - name: v1alpha1 - schema: - openAPIV3Schema: - description: OperatorConfig is the Schema for the operatorconfigs API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: OperatorConfigSpec defines the desired state of OperatorConfig - properties: - driverSpecDefaults: - description: Allow overwrite of hardcoded defaults for any driver managed - by this operator - properties: - attachRequired: - description: |- - Whether to skip any attach operation altogether for CephCsi PVCs. - See more details [here](https://kubernetes-csi.github.io/docs/skip-attach.html#skip-attach-with-csi-driver-object). - If set to false it skips the volume attachments and makes the creation of pods using the CephCsi PVC fast. - **WARNING** It's highly discouraged to use this for RWO volumes. for RBD PVC it can cause data corruption, - csi-addons operations like Reclaimspace and PVC Keyrotation will also not be supported if set to false - since we'll have no VolumeAttachments to determine which node the PVC is mounted on. - Refer to this [issue](https://github.com/kubernetes/kubernetes/issues/103305) for more details. - type: boolean - cephFsClientType: - description: |- - Select between between cephfs kernel driver and ceph-fuse - If you select a non-kernel client, your application may be disrupted during upgrade. - See the upgrade guide: https://rook.io/docs/rook/latest/ceph-upgrade.html - NOTE! cephfs quota is not supported in kernel version < 4.17 - enum: - - autodetect - - kernel - type: string - clusterName: - description: |- - Cluster name identifier to set as metadata on the CephFS subvolume and RBD images. This will be useful in cases - when two container orchestrator clusters (Kubernetes/OCP) are using a single ceph cluster. - type: string - controllerPlugin: - description: Driver's controller plugin configuration - properties: - affinity: - description: Pod's affinity settings - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for - the pod. 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated - with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the - corresponding nodeSelectorTerm, in the range - 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. 
A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. - co-locate this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules - (e.g. avoid putting this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. 
- properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. 
- format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. 
- The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - annotations: - additionalProperties: - type: string - description: Pod's annotations - type: object - deploymentStrategy: - description: |- - DeploymentStrategy describes how to replace existing pods with new ones - Default value is RollingUpdate with MaxUnavailable and MaxSurege as 25% (kubernetes default) - properties: - rollingUpdate: - description: |- - Rolling update config params. Present only if DeploymentStrategyType = - RollingUpdate. - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be scheduled above the desired number of - pods. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up. - Defaults to 25%. 
- Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when - the rolling update starts, such that the total number of old and new pods do not exceed - 130% of desired pods. Once old pods have been killed, - new ReplicaSet can be scaled up further, ensuring that total number of pods running - at any time during the update is at most 130% of desired pods. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding down. - This can not be 0 if MaxSurge is 0. - Defaults to 25%. - Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods - immediately when the rolling update starts. Once new pods are ready, old ReplicaSet - can be scaled down further, followed by scaling up the new ReplicaSet, ensuring - that the total number of pods available at all times during the update is at - least 70% of desired pods. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of deployment. Can be "Recreate" or "RollingUpdate". - Default is RollingUpdate. - type: string - type: object - hostNetwork: - description: hostNetwork setting to be propagated to CSI controller - plugin pods - type: boolean - imagePullPolicy: - description: To indicate the image pull policy to be applied - to all the containers in the csi driver pods. 
- type: string - labels: - additionalProperties: - type: string - description: Pod's labels - type: object - priorityClassName: - description: Pod's user defined priority class name - type: string - privileged: - description: |- - To enable logrotation for csi pods, - Some platforms require controller plugin to run privileged, - For example, OpenShift with SELinux restrictions requires the pod to be privileged to write to hostPath. - type: boolean - replicas: - description: Set replicas for controller plugin's deployment. - Defaults to 2 - format: int32 - minimum: 1 - type: integer - resources: - description: Resource requirements for controller plugin's containers - properties: - addons: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - attacher: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. 
- If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - liveness: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. 
- type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - logRotator: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. 
- properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - omapGenerator: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. 
- items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - plugin: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. 
- - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - provisioner: - description: ResourceRequirements describes the compute - resource requirements. 
- properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - resizer: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - snapshotter: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - type: object - serviceAccountName: - description: Service account name to be used for driver's pods - type: string - tolerations: - description: Pod's tolerations list - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - volumes: - description: Volume and volume mount definitions to attach to - the pod - items: - properties: - mount: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. 
If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - volume: - description: Volume represents a named volume in a pod - that may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree - awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: |- - azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. - Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type - are redirected to the disk.csi.azure.com CSI driver. - properties: - cachingMode: - description: 'cachingMode is the Host Caching - mode: None, Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data - disk in the blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in - the blob storage - type: string - fsType: - default: ext4 - description: |- - fsType is Filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: - multiple blob disks per storage account Dedicated: - single blob disk per storage account Managed: - azure managed data disk (only in managed availability - set). 
defaults to shared' - type: string - readOnly: - default: false - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: |- - azureFile represents an Azure File Service mount on the host and bind mount to the pod. - Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type - are redirected to the file.csi.azure.com CSI driver. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: secretName is the name of secret - that contains Azure Storage Account Name and - Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: |- - cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. - Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - path: - description: 'path is Optional: Used as the mounted - root, rather than the full Ceph tree, default - is /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. 
- More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - Deprecated: Cinder is deprecated. All operations for the in-tree cinder type - are redirected to the cinder.csi.openstack.org CSI driver. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. 
- More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that - should populate this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' 
path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers. - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". 
- If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. - type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about - the pod that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a field - of the pod: only annotations, labels, - name, namespace and uid are supported.' - properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, - defaults to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' - path. Must be utf-8 encoded. The first - item of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults - to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to - select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. 
- The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. 
- - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. 
- type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. 
- If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query - over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a - list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding - reference to the PersistentVolume backing - this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource - that is attached to a kubelet's host machine and - then exposed to the pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). 
ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target - worldwide names (WWNs)' - items: - type: string - type: array - x-kubernetes-list-type: atomic - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. - properties: - driver: - description: driver is the name of the driver - to use for this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. - type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field - holds extra command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: |- - flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. - Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. - This is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree - gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the - specified revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. - Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - properties: - endpoints: - description: endpoints is the endpoint name that - details Glusterfs topology. - type: string - path: - description: |- - path is the Glusterfs volume path. 
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - image: - description: |- - image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. - The volume is resolved at pod startup depending on which PullPolicy value is provided: - - - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - - The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. 
- A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. - The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. - The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. - The volume will be mounted read-only (ro) and non-executable files (noexec). - Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. - The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. - properties: - pullPolicy: - description: |- - Policy for pulling OCI objects. Possible values are: - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - type: string - reference: - description: |- - Required: Image or artifact reference to be used. - Behaves in the same way as pod.spec.containers[*].image. - Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. 
- More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether - support iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support - iSCSI Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified - Name. - type: string - iscsiInterface: - default: default - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for - iSCSI target and initiator authentication - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: |- - photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. - Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon - Controller persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: |- - portworxVolume represents a portworx volume attached and mounted on kubelets host machine. - Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type - are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate - is on. - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". 
Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources - secrets, configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: |- - sources is the list of volume projections. Each entry in this list - handles one source. - items: - description: |- - Projection that may be projected along with other supported volume types. - Exactly one of these fields must be set. - properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. 
- properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. 
If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the - volume root to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about - the configMap data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to - a path within a volume. - properties: - key: - description: key is the key to - project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. 
- May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether - the ConfigMap or its keys must be - defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about - the downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile - represents information to create - the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects - a field of the pod: only annotations, - labels, name, namespace and - uid are supported.' - properties: - apiVersion: - description: Version of the - schema the FieldPath is - written in terms of, defaults - to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file - to be created. Must not be absolute - or contain the ''..'' path. - Must be utf-8 encoded. The first - item of the relative path must - not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the - output format of the exposed - resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podCertificate: - description: |- - Projects an auto-rotating credential bundle (private key and certificate - chain) that the pod can use either as a TLS client or server. - - Kubelet generates a private key and uses it to send a - PodCertificateRequest to the named signer. Once the signer approves the - request and issues a certificate chain, Kubelet writes the key and - certificate chain to the pod filesystem. The pod does not start until - certificates have been issued for each podCertificate projected volume - source in its spec. - - Kubelet will begin trying to rotate the certificate at the time indicated - by the signer using the PodCertificateRequest.Status.BeginRefreshAt - timestamp. 
- - Kubelet can write a single file, indicated by the credentialBundlePath - field, or separate files, indicated by the keyPath and - certificateChainPath fields. - - The credential bundle is a single file in PEM format. The first PEM - entry is the private key (in PKCS#8 format), and the remaining PEM - entries are the certificate chain issued by the signer (typically, - signers will return their certificate chain in leaf-to-root order). - - Prefer using the credential bundle format, since your application code - can read it atomically. If you use keyPath and certificateChainPath, - your application must make two separate file reads. If these coincide - with a certificate rotation, it is possible that the private key and leaf - certificate you read may not correspond to each other. Your application - will need to check for this condition, and re-read until they are - consistent. - - The named signer controls chooses the format of the certificate it - issues; consult the signer implementation's documentation to learn how to - use the certificates it issues. - properties: - certificateChainPath: - description: |- - Write the certificate chain at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - credentialBundlePath: - description: |- - Write the credential bundle at this path in the projected volume. - - The credential bundle is a single file that contains multiple PEM blocks. - The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private - key. - - The remaining blocks are CERTIFICATE blocks, containing the issued - certificate chain from the signer (leaf and any intermediates). 
- - Using credentialBundlePath lets your Pod's application code make a single - atomic read that retrieves a consistent key and certificate chain. If you - project them to separate files, your application code will need to - additionally check that the leaf certificate was issued to the key. - type: string - keyPath: - description: |- - Write the key at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - keyType: - description: |- - The type of keypair Kubelet will generate for the pod. - - Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", - "ECDSAP521", and "ED25519". - type: string - maxExpirationSeconds: - description: |- - maxExpirationSeconds is the maximum lifetime permitted for the - certificate. - - Kubelet copies this value verbatim into the PodCertificateRequests it - generates for this projection. - - If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver - will reject values shorter than 3600 (1 hour). The maximum allowable - value is 7862400 (91 days). - - The signer implementation is then free to issue a certificate with any - lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 - seconds (1 hour). This constraint is enforced by kube-apiserver. - `kubernetes.io` signers will never issue certificates with a lifetime - longer than 24 hours. - format: int32 - type: integer - signerName: - description: Kubelet's generated CSRs - will be addressed to this signer. 
- type: string - required: - - keyType - - signerName - type: object - secret: - description: secret information about the - secret data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to - a path within a volume. - properties: - key: - description: key is the key to - project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify - whether the Secret or its key must - be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information - about the serviceAccountToken data to - project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - quobyte: - description: |- - quobyte represents a Quobyte mount on the host that shares a pod's lifetime. - Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. 
- type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references - an already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. - Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - default: /etc/ceph/keyring - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - pool: - default: rbd - description: |- - pool is the rados pool name. - Default is rbd. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - default: admin - description: |- - user is the rados user name. - Default is admin. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: |- - scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. - Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. - properties: - fsType: - default: xfs - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the - ScaleIO API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the - ScaleIO Protection Domain for the configured - storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. 
- type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL - communication with Gateway, default false - type: boolean - storageMode: - default: ThinProvisioned - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage - Pool associated with the protection domain. - type: string - system: - description: system is the name of the storage - system as configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the - Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: |- - storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. - Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. 
- type: string - type: object - vsphereVolume: - description: |- - vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. - Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type - are redirected to the csi.vsphere.vmware.com CSI driver. - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy - Based Management (SPBM) profile ID associated - with the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage - Policy Based Management (SPBM) profile name. - type: string - volumePath: - description: volumePath is the path that identifies - vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - required: - - mount - - volume - type: object - type: array - type: object - deployCsiAddons: - description: a list of additional sidecars? - type: boolean - enableMetadata: - description: |- - Set to true to enable adding volume metadata on the CephFS subvolumes and RBD images. - Not all users might be interested in getting volume/snapshot details as metadata on CephFS subvolume and RBD images. - Hence enable metadata is false by default. - type: boolean - encryption: - description: Driver's encryption settings - properties: - configMapName: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: '''.name'' cannot be empty' - rule: self.name != "" - required: - - configMapName - type: object - fsGroupPolicy: - description: |- - Policy for modifying a volume's ownership or permissions when the PVC is being mounted. - supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html - type: string - fuseMountOptions: - additionalProperties: - type: string - description: Set mount options to use when using the Fuse client - type: object - generateOMapInfo: - description: |- - OMAP generator will generate the omap mapping between the PV name and the RBD image. - Need to be enabled when we are using rbd mirroring feature. - By default OMAP generator sidecar is not deployed with Csi controller plugin pod, to enable - it set it to true. - type: boolean - grpcTimeout: - description: Set the gRPC timeout for gRPC call issued by the driver - components - minimum: 0 - type: integer - imageSet: - description: |- - A reference to a ConfigMap resource holding image overwrite for deployed - containers - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: '''.name'' cannot be empty' - rule: self.name != "" - kernelMountOptions: - additionalProperties: - type: string - description: |- - Set mount options to use https://docs.ceph.com/en/latest/man/8/mount.ceph/#options - Set to "ms_mode=secure" when connections.encrypted is enabled in Ceph - type: object - leaderElection: - description: Leader election setting - properties: - leaseDuration: - description: |- - Duration in seconds that non-leader candidates will wait to force acquire leadership. - Default to 137 seconds. - minimum: 0 - type: integer - renewDeadline: - description: |- - Deadline in seconds that the acting leader will retry refreshing leadership before giving up. - Defaults to 107 seconds. - minimum: 0 - type: integer - retryPeriod: - description: |- - Retry Period in seconds the LeaderElector clients should wait between tries of actions. - Defaults to 26 seconds. - minimum: 0 - type: integer - type: object - liveness: - description: |- - Liveness metrics configuration. - disabled by default. 
- properties: - metricsPort: - description: Port to expose liveness metrics - maximum: 65535 - minimum: 1024 - type: integer - required: - - metricsPort - type: object - log: - description: Logging configuration for driver's pods - properties: - rotation: - description: log rotation for csi pods - properties: - logHostPath: - description: |- - LogHostPath is the prefix directory path for the csi log files - Default to /var/lib/cephcsi - type: string - maxFiles: - description: |- - MaxFiles is the number of logrtoate files - Default to 7 - type: integer - maxLogSize: - anyOf: - - type: integer - - type: string - description: MaxLogSize is the maximum size of the log file - per csi pods - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - periodicity: - description: Periodicity is the periodicity of the log rotation. - enum: - - hourly - - daily - - weekly - - monthly - type: string - type: object - x-kubernetes-validations: - - message: Either maxLogSize or periodicity must be set - rule: (has(self.maxLogSize)) || (has(self.periodicity)) - verbosity: - description: |- - Log verbosity level for driver pods, - Supported values from 0 to 5. 0 for general useful logs (the default), 5 for trace level verbosity. - Default to 0 - maximum: 5 - minimum: 0 - type: integer - type: object - nodePlugin: - description: Driver's plugin configuration - properties: - affinity: - description: Pod's affinity settings - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for - the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated - with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. 
- properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the - corresponding nodeSelectorTerm, in the range - 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. - co-locate this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. 
The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. 
due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules - (e.g. avoid putting this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - annotations: - additionalProperties: - type: string - description: Pod's annotations - type: object - enableSeLinuxHostMount: - description: Control the host mount of /etc/selinux for csi - plugin pods. Defaults to false - type: boolean - imagePullPolicy: - description: To indicate the image pull policy to be applied - to all the containers in the csi driver pods. - type: string - kubeletDirPath: - description: kubelet directory path, if kubelet configured to - use other than /var/lib/kubelet path. - type: string - labels: - additionalProperties: - type: string - description: Pod's labels - type: object - priorityClassName: - description: Pod's user defined priority class name - type: string - resources: - description: Resource requirements for plugin's containers - properties: - addons: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. 
- items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - liveness: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. 
- - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - logRotator: - description: ResourceRequirements describes the compute - resource requirements. 
- properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - plugin: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - registrar: - description: ResourceRequirements describes the compute - resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in - PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - type: object - serviceAccountName: - description: Service account name to be used for driver's pods - type: string - tolerations: - description: Pod's tolerations list - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topology: - description: Topology settings for the plugin pods - properties: - domainLabels: - description: Domain labels define which node labels to use - as domains for CSI nodeplugins to advertise their domains - items: - type: string - type: array - required: - - domainLabels - type: object - updateStrategy: - description: |- - Driver's plugin daemonset update strategy, supported values are OnDelete and RollingUpdate. - Default value is RollingUpdate with MaxAvailabile set to 1 - properties: - rollingUpdate: - description: Rolling update config params. Present only - if type = "RollingUpdate". - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of nodes with an existing available DaemonSet pod that - can have an updated DaemonSet pod during during an update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up to a minimum of 1. - Default value is 0. - Example: when this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their a new pod created before the old pod is marked as deleted. - The update starts by launching new pods on 30% of nodes. Once an updated - pod is available (Ready for at least minReadySeconds) the old DaemonSet pod - on that node is marked deleted. 
If the old pod becomes unavailable for any - reason (Ready transitions to false, is evicted, or is drained) an updated - pod is immediately created on that node without considering surge limits. - Allowing surge implies the possibility that the resources consumed by the - daemonset on any given node can double if the readiness check fails, and - so resource intensive daemonsets should take into account that they may - cause evictions during disruption. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of DaemonSet pods that can be unavailable during the - update. Value can be an absolute number (ex: 5) or a percentage of total - number of DaemonSet pods at the start of the update (ex: 10%). Absolute - number is calculated from percentage by rounding up. - This cannot be 0 if MaxSurge is 0 - Default value is 1. - Example: when this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their pods stopped for an update at any given time. The update - starts by stopping at most 30% of those DaemonSet pods and then brings - up new DaemonSet pods in their place. Once the new pods are available, - it then proceeds onto other DaemonSet pods, thus ensuring that at least - 70% of original number of DaemonSet pods are available at all times during - the update. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of daemon set update. Can be "RollingUpdate" - or "OnDelete". Default is RollingUpdate. - type: string - type: object - volumes: - description: Volume and volume mount definitions to attach to - the pod - items: - properties: - mount: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. 
- type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. - - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. 
- type: string - required: - - mountPath - - name - type: object - volume: - description: Volume represents a named volume in a pod - that may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree - awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: |- - azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. - Deprecated: AzureDisk is deprecated. 
All operations for the in-tree azureDisk type - are redirected to the disk.csi.azure.com CSI driver. - properties: - cachingMode: - description: 'cachingMode is the Host Caching - mode: None, Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data - disk in the blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in - the blob storage - type: string - fsType: - default: ext4 - description: |- - fsType is Filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: - multiple blob disks per storage account Dedicated: - single blob disk per storage account Managed: - azure managed data disk (only in managed availability - set). defaults to shared' - type: string - readOnly: - default: false - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: |- - azureFile represents an Azure File Service mount on the host and bind mount to the pod. - Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type - are redirected to the file.csi.azure.com CSI driver. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: secretName is the name of secret - that contains Azure Storage Account Name and - Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: |- - cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. 
- Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - path: - description: 'path is Optional: Used as the mounted - root, rather than the full Ceph tree, default - is /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - Deprecated: Cinder is deprecated. 
All operations for the in-tree cinder type - are redirected to the cinder.csi.openstack.org CSI driver. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that - should populate this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers. - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. 
- type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about - the pod that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a field - of the pod: only annotations, labels, - name, namespace and uid are supported.' - properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, - defaults to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' - path. Must be utf-8 encoded. The first - item of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults - to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to - select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. - The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. 
- The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. - The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. - properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. 
Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. 
- When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. 
- * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query - over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a - list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string or nil value indicates that no - VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, - this field can be reset to its previous value (including nil) to cancel the modification. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. 
- Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding - reference to the PersistentVolume backing - this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource - that is attached to a kubelet's host machine and - then exposed to the pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target - worldwide names (WWNs)' - items: - type: string - type: array - x-kubernetes-list-type: atomic - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. - properties: - driver: - description: driver is the name of the driver - to use for this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
- type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field - holds extra command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: |- - flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. - Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. - This is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - Deprecated: GCEPersistentDisk is deprecated. 
All operations for the in-tree - gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. 
Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the - specified revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. - Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. - properties: - endpoints: - description: endpoints is the endpoint name that - details Glusterfs topology. - type: string - path: - description: |- - path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - image: - description: |- - image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. - The volume is resolved at pod startup depending on which PullPolicy value is provided: - - - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - - The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. - A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. - The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. - The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. - The volume will be mounted read-only (ro) and non-executable files (noexec). - Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. - The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. 
- properties: - pullPolicy: - description: |- - Policy for pulling OCI objects. Possible values are: - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - type: string - reference: - description: |- - Required: Image or artifact reference to be used. - Behaves in the same way as pod.spec.containers[*].image. - Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether - support iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support - iSCSI Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified - Name. - type: string - iscsiInterface: - default: default - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - x-kubernetes-list-type: atomic - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for - iSCSI target and initiator authentication - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: |- - photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. - Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. 
"ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon - Controller persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: |- - portworxVolume represents a portworx volume attached and mounted on kubelets host machine. - Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type - are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate - is on. - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources - secrets, configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: |- - sources is the list of volume projections. Each entry in this list - handles one source. - items: - description: |- - Projection that may be projected along with other supported volume types. - Exactly one of these fields must be set. 
- properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the - volume root to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. - type: string - required: - - path - type: object - configMap: - description: configMap information about - the configMap data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. 
Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to - a path within a volume. - properties: - key: - description: key is the key to - project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether - the ConfigMap or its keys must be - defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about - the downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile - represents information to create - the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects - a field of the pod: only annotations, - labels, name, namespace and - uid are supported.' 
- properties: - apiVersion: - description: Version of the - schema the FieldPath is - written in terms of, defaults - to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file - to be created. Must not be absolute - or contain the ''..'' path. - Must be utf-8 encoded. The first - item of the relative path must - not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the - output format of the exposed - resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podCertificate: - description: |- - Projects an auto-rotating credential bundle (private key and certificate - chain) that the pod can use either as a TLS client or server. - - Kubelet generates a private key and uses it to send a - PodCertificateRequest to the named signer. Once the signer approves the - request and issues a certificate chain, Kubelet writes the key and - certificate chain to the pod filesystem. The pod does not start until - certificates have been issued for each podCertificate projected volume - source in its spec. - - Kubelet will begin trying to rotate the certificate at the time indicated - by the signer using the PodCertificateRequest.Status.BeginRefreshAt - timestamp. - - Kubelet can write a single file, indicated by the credentialBundlePath - field, or separate files, indicated by the keyPath and - certificateChainPath fields. - - The credential bundle is a single file in PEM format. The first PEM - entry is the private key (in PKCS#8 format), and the remaining PEM - entries are the certificate chain issued by the signer (typically, - signers will return their certificate chain in leaf-to-root order). - - Prefer using the credential bundle format, since your application code - can read it atomically. 
If you use keyPath and certificateChainPath, - your application must make two separate file reads. If these coincide - with a certificate rotation, it is possible that the private key and leaf - certificate you read may not correspond to each other. Your application - will need to check for this condition, and re-read until they are - consistent. - - The named signer controls chooses the format of the certificate it - issues; consult the signer implementation's documentation to learn how to - use the certificates it issues. - properties: - certificateChainPath: - description: |- - Write the certificate chain at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. - type: string - credentialBundlePath: - description: |- - Write the credential bundle at this path in the projected volume. - - The credential bundle is a single file that contains multiple PEM blocks. - The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private - key. - - The remaining blocks are CERTIFICATE blocks, containing the issued - certificate chain from the signer (leaf and any intermediates). - - Using credentialBundlePath lets your Pod's application code make a single - atomic read that retrieves a consistent key and certificate chain. If you - project them to separate files, your application code will need to - additionally check that the leaf certificate was issued to the key. - type: string - keyPath: - description: |- - Write the key at this path in the projected volume. - - Most applications should use credentialBundlePath. When using keyPath - and certificateChainPath, your application needs to check that the key - and leaf certificate are consistent, because it is possible to read the - files mid-rotation. 
- type: string - keyType: - description: |- - The type of keypair Kubelet will generate for the pod. - - Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", - "ECDSAP521", and "ED25519". - type: string - maxExpirationSeconds: - description: |- - maxExpirationSeconds is the maximum lifetime permitted for the - certificate. - - Kubelet copies this value verbatim into the PodCertificateRequests it - generates for this projection. - - If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver - will reject values shorter than 3600 (1 hour). The maximum allowable - value is 7862400 (91 days). - - The signer implementation is then free to issue a certificate with any - lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 - seconds (1 hour). This constraint is enforced by kube-apiserver. - `kubernetes.io` signers will never issue certificates with a lifetime - longer than 24 hours. - format: int32 - type: integer - signerName: - description: Kubelet's generated CSRs - will be addressed to this signer. - type: string - required: - - keyType - - signerName - type: object - secret: - description: secret information about the - secret data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to - a path within a volume. - properties: - key: - description: key is the key to - project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. 
- Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify - whether the Secret or its key must - be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information - about the serviceAccountToken data to - project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. 
The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - quobyte: - description: |- - quobyte represents a Quobyte mount on the host that shares a pod's lifetime. - Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. - type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references - an already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. - Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. 
- Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - default: /etc/ceph/keyring - description: |- - keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - pool: - default: rbd - description: |- - pool is the rados pool name. - Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - default: admin - description: |- - user is the rados user name. - Default is admin. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: |- - scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. - Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. - properties: - fsType: - default: xfs - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". - type: string - gateway: - description: gateway is the host address of the - ScaleIO API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the - ScaleIO Protection Domain for the configured - storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL - communication with Gateway, default false - type: boolean - storageMode: - default: ThinProvisioned - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage - Pool associated with the protection domain. 
- type: string - system: - description: system is the name of the storage - system as configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
- YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the - Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: |- - storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. - Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: |- - vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. - Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type - are redirected to the csi.vsphere.vmware.com CSI driver. - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy - Based Management (SPBM) profile ID associated - with the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage - Policy Based Management (SPBM) profile name. 
- type: string - volumePath: - description: volumePath is the path that identifies - vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - required: - - mount - - volume - type: object - type: array - type: object - snapshotPolicy: - description: 'Select a policy for snapshot behavior: none, autodetect, - snapshot, sanpshotGroup' - enum: - - none - - volumeGroupSnapshot - - volumeSnapshot - type: string - type: object - log: - description: OperatorLogSpec provide log related settings for the operator - properties: - verbosity: - description: Operator's log level - maximum: 3 - minimum: 0 - type: integer - type: object - type: object - status: - description: OperatorConfigStatus defines the observed state of OperatorConfig - type: object - type: object - served: true - storage: false - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephblockpoolradosnamespaces.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephBlockPoolRadosNamespace - listKind: CephBlockPoolRadosNamespaceList - plural: cephblockpoolradosnamespaces - shortNames: - - cephbprns - - cephrns - singular: cephblockpoolradosnamespace - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.phase - name: Phase - type: string - - description: Name of the Ceph BlockPool - jsonPath: .spec.blockPoolName - name: BlockPool - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CephBlockPoolRadosNamespace represents a Ceph BlockPool Rados Namespace - properties: - apiVersion: - description: |- - APIVersion defines the 
versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec represents the specification of a Ceph BlockPool Rados Namespace - properties: - blockPoolName: - description: |- - BlockPoolName is the name of Ceph BlockPool. Typically it's the name of - the CephBlockPool CR. - type: string - x-kubernetes-validations: - - message: blockPoolName is immutable - rule: self == oldSelf - clusterID: - description: |- - ClusterID to be used for this RadosNamespace in the CSI configuration. - It must be unique among all Ceph clusters managed by Rook. - If not specified, the clusterID will be generated and can be found in the CR status. - maxLength: 36 - minLength: 1 - pattern: ^[a-zA-Z0-9_-]+$ - type: string - x-kubernetes-validations: - - message: ClusterID is immutable - rule: self == oldSelf - mirroring: - description: Mirroring configuration of CephBlockPoolRadosNamespace - properties: - mode: - description: Mode is the mirroring mode; either pool or image. 
- enum: - - "" - - pool - - image - type: string - remoteNamespace: - description: RemoteNamespace is the name of the CephBlockPoolRadosNamespace on the secondary cluster CephBlockPool - type: string - snapshotSchedules: - description: SnapshotSchedules is the scheduling of snapshot for mirrored images - items: - description: SnapshotScheduleSpec represents the snapshot scheduling settings of a mirrored pool - properties: - interval: - description: Interval represent the periodicity of the snapshot. - type: string - path: - description: Path is the path to snapshot, only valid for CephFS - type: string - startTime: - description: StartTime indicates when to start the snapshot - type: string - type: object - type: array - required: - - mode - type: object - name: - description: The name of the CephBlockPoolRadosNamespaceSpec namespace. If not set, the default is the name of the CR. - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - required: - - blockPoolName - type: object - status: - description: Status represents the status of a CephBlockPool Rados Namespace - properties: - conditions: - items: - description: Condition represents a status condition on any Rook-Ceph Custom Resource. 
- properties: - lastHeartbeatTime: - format: date-time - type: string - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - description: ConditionReason is a reason for a condition - type: string - status: - type: string - type: - description: ConditionType represent a resource's status - type: string - type: object - type: array - info: - additionalProperties: - type: string - nullable: true - type: object - mirroringInfo: - description: MirroringInfoSpec is the status of the pool/radosnamespace mirroring - properties: - details: - type: string - lastChanged: - type: string - lastChecked: - type: string - mode: - description: Mode is the mirroring mode - type: string - peers: - description: Peers are the list of peer sites connected to that cluster - items: - description: PeersSpec contains peer details - properties: - client_name: - description: ClientName is the CephX user used to connect to the peer - type: string - direction: - description: Direction is the peer mirroring direction - type: string - mirror_uuid: - description: MirrorUUID is the mirror UUID - type: string - site_name: - description: SiteName is the current site name - type: string - uuid: - description: UUID is the peer UUID - type: string - type: object - type: array - site_name: - description: SiteName is the current site name - type: string - type: object - mirroringStatus: - description: MirroringStatusSpec is the status of the pool/radosNamespace mirroring - properties: - details: - description: Details contains potential status errors - type: string - lastChanged: - description: LastChanged is the last time time the status last changed - type: string - lastChecked: - description: LastChecked is the last time time the status was checked - type: string - summary: - description: Summary is the mirroring status summary - properties: - daemon_health: - description: DaemonHealth is the health of the mirroring daemon - type: string - group_health: - 
description: GroupHealth is the health of the mirrored image group - nullable: true - type: string - group_states: - description: GroupStates is the various state for all mirrored image groups - nullable: true - properties: - error: - description: Error is when the mirroring state is errored - type: integer - replaying: - description: Replaying is when the replay of the mirroring journal is on-going - type: integer - starting_replay: - description: StartingReplay is when the replay of the mirroring journal starts - type: integer - stopped: - description: Stopped is when the mirroring state is stopped - type: integer - stopping_replay: - description: StopReplaying is when the replay of the mirroring journal stops - type: integer - syncing: - description: Syncing is when the image is syncing - type: integer - unknown: - description: Unknown is when the mirroring state is unknown - type: integer - type: object - health: - description: Health is the mirroring health - type: string - image_health: - description: ImageHealth is the health of the mirrored image - type: string - image_states: - description: ImageStates is the various state for all mirrored images - nullable: true - properties: - error: - description: Error is when the mirroring state is errored - type: integer - replaying: - description: Replaying is when the replay of the mirroring journal is on-going - type: integer - starting_replay: - description: StartingReplay is when the replay of the mirroring journal starts - type: integer - stopped: - description: Stopped is when the mirroring state is stopped - type: integer - stopping_replay: - description: StopReplaying is when the replay of the mirroring journal stops - type: integer - syncing: - description: Syncing is when the image is syncing - type: integer - unknown: - description: Unknown is when the mirroring state is unknown - type: integer - type: object - states: - description: States is the various state for all mirrored images - nullable: true - 
properties: - error: - description: Error is when the mirroring state is errored - type: integer - replaying: - description: Replaying is when the replay of the mirroring journal is on-going - type: integer - starting_replay: - description: StartingReplay is when the replay of the mirroring journal starts - type: integer - stopped: - description: Stopped is when the mirroring state is stopped - type: integer - stopping_replay: - description: StopReplaying is when the replay of the mirroring journal stops - type: integer - syncing: - description: Syncing is when the image is syncing - type: integer - unknown: - description: Unknown is when the mirroring state is unknown - type: integer - type: object - type: object - type: object - phase: - description: ConditionType represent a resource's status - type: string - snapshotScheduleStatus: - description: SnapshotScheduleStatusSpec is the status of the snapshot schedule - properties: - details: - description: Details contains potential status errors - type: string - lastChanged: - description: LastChanged is the last time time the status last changed - type: string - lastChecked: - description: LastChecked is the last time time the status was checked - type: string - snapshotSchedules: - description: SnapshotSchedules is the list of snapshots scheduled - items: - description: SnapshotSchedulesSpec is the list of snapshot scheduled for images in a pool - properties: - image: - description: Image is the mirrored image - type: string - items: - description: Items is the list schedules times for a given snapshot - items: - description: SnapshotSchedule is a schedule - properties: - interval: - description: Interval is the interval in which snapshots will be taken - type: string - start_time: - description: StartTime is the snapshot starting time - type: string - type: object - type: array - namespace: - description: Namespace is the RADOS namespace the image is part of - type: string - pool: - description: Pool is the pool 
name - type: string - type: object - nullable: true - type: array - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephblockpools.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephBlockPool - listKind: CephBlockPoolList - plural: cephblockpools - shortNames: - - cephbp - singular: cephblockpool - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.phase - name: Phase - type: string - - jsonPath: .status.info.type - name: Type - type: string - - jsonPath: .status.info.failureDomain - name: FailureDomain - type: string - - jsonPath: .spec.replicated.size - name: Replication - priority: 1 - type: integer - - jsonPath: .spec.erasureCoded.codingChunks - name: EC-CodingChunks - priority: 1 - type: integer - - jsonPath: .spec.erasureCoded.dataChunks - name: EC-DataChunks - priority: 1 - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CephBlockPool represents a Ceph Storage Pool - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - NamedBlockPoolSpec allows a block pool to be created with a non-default name. - This is more specific than the NamedPoolSpec so we get schema validation on the - allowed pool names that can be specified. - properties: - application: - description: The application name to set on the pool. Only expected to be set for rgw pools. - type: string - compressionMode: - description: |- - DEPRECATED: use Parameters instead, e.g., Parameters["compression_mode"] = "force" - The inline compression mode in Bluestore OSD to set to (options are: none, passive, aggressive, force) - Do NOT set a default value for kubebuilder as this will override the Parameters - enum: - - none - - passive - - aggressive - - force - - "" - nullable: true - type: string - crushRoot: - description: The root of the crush hierarchy utilized by the pool - nullable: true - type: string - deviceClass: - description: The device class the OSD should set to for use in the pool - nullable: true - type: string - enableCrushUpdates: - description: Allow rook operator to change the pool CRUSH tunables once the pool is created - nullable: true - type: boolean - enableRBDStats: - description: EnableRBDStats is used to enable gathering of statistics for all RBD images in the pool - type: boolean - erasureCoded: - description: The erasure code settings - properties: - algorithm: - description: |- - The algorithm for erasure coding. - If absent, defaults to the plugin specified in osd_pool_default_erasure_code_profile. - enum: - - isa - - jerasure - type: string - codingChunks: - description: |- - Number of coding chunks per object in an erasure coded storage pool (required for erasure-coded pool type). - This is the number of OSDs that can be lost simultaneously before data cannot be recovered. 
- minimum: 0 - type: integer - dataChunks: - description: |- - Number of data chunks per object in an erasure coded storage pool (required for erasure-coded pool type). - The number of chunks required to recover an object when any single OSD is lost is the same - as dataChunks so be aware that the larger the number of data chunks, the higher the cost of recovery. - minimum: 0 - type: integer - required: - - codingChunks - - dataChunks - type: object - failureDomain: - description: 'The failure domain: osd/host/(region or zone if available) - technically also any type in the crush map' - type: string - mirroring: - description: The mirroring settings - properties: - enabled: - description: Enabled whether this pool is mirrored or not - type: boolean - mode: - description: 'Mode is the mirroring mode: pool, image or init-only.' - enum: - - pool - - image - - init-only - type: string - peers: - description: Peers represents the peers spec - nullable: true - properties: - secretNames: - description: SecretNames represents the Kubernetes Secret names to add rbd-mirror or cephfs-mirror peers - items: - type: string - type: array - type: object - snapshotSchedules: - description: SnapshotSchedules is the scheduling of snapshot for mirrored images/pools - items: - description: SnapshotScheduleSpec represents the snapshot scheduling settings of a mirrored pool - properties: - interval: - description: Interval represent the periodicity of the snapshot. - type: string - path: - description: Path is the path to snapshot, only valid for CephFS - type: string - startTime: - description: StartTime indicates when to start the snapshot - type: string - type: object - type: array - type: object - name: - description: The desired name of the pool if different from the CephBlockPool CR name. 
- enum: - - .rgw.root - - .nfs - - .mgr - type: string - parameters: - additionalProperties: - type: string - description: Parameters is a list of properties to enable on a given pool - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - quotas: - description: The quota settings - nullable: true - properties: - maxBytes: - description: |- - MaxBytes represents the quota in bytes - Deprecated in favor of MaxSize - format: int64 - type: integer - maxObjects: - description: MaxObjects represents the quota in objects - format: int64 - type: integer - maxSize: - description: MaxSize represents the quota in bytes as a string - pattern: ^[0-9]+[\.]?[0-9]*([KMGTPE]i|[kMGTPE])?$ - type: string - type: object - replicated: - description: The replication settings - properties: - hybridStorage: - description: HybridStorage represents hybrid storage tier settings - nullable: true - properties: - primaryDeviceClass: - description: PrimaryDeviceClass represents high performance tier (for example SSD or NVME) for Primary OSD - minLength: 1 - type: string - secondaryDeviceClass: - description: SecondaryDeviceClass represents low performance tier (for example HDDs) for remaining OSDs - minLength: 1 - type: string - required: - - primaryDeviceClass - - secondaryDeviceClass - type: object - replicasPerFailureDomain: - description: ReplicasPerFailureDomain the number of replica in the specified failure domain - minimum: 1 - type: integer - requireSafeReplicaSize: - description: RequireSafeReplicaSize if false allows you to set replica 1 - type: boolean - size: - description: Size - Number of copies per object in a replicated storage pool, including the object itself (required for replicated pool type) - minimum: 0 - type: integer - subFailureDomain: - description: SubFailureDomain the name of the sub-failure domain - type: string - targetSizeRatio: - description: TargetSizeRatio gives a hint (%) to Ceph in terms of expected consumption of the total cluster 
capacity - minimum: 0 - type: number - required: - - size - type: object - statusCheck: - description: The mirroring statusCheck - properties: - mirror: - description: HealthCheckSpec represents the health check of an object store bucket - nullable: true - properties: - disabled: - type: boolean - interval: - description: Interval is the internal in second or minute for the health check to run like 60s for 60 seconds - type: string - timeout: - type: string - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - status: - description: CephBlockPoolStatus represents the mirroring status of Ceph Storage Pool - properties: - cephx: - description: PeerTokenCephxStatus represents the cephx key rotation status for peer tokens - properties: - peerToken: - description: PeerToken shows the rotation status of the peer token associated with the `rbd-mirror-peer` user. - properties: - keyCephVersion: - description: |- - KeyCephVersion reports the Ceph version that created the current generation's keys. This is - same string format as reported by `CephCluster.status.version.version` to allow them to be - compared. E.g., `20.2.0-0`. - For all newly-created resources, this field set to the version of Ceph that created the key. - The special value "Uninitialized" indicates that keys are being created for the first time. - An empty string indicates that the version is unknown, as expected in brownfield deployments. - type: string - keyGeneration: - description: |- - KeyGeneration represents the CephX key generation for the last successful reconcile. - For all newly-created resources, this field is set to `1`. - When keys are rotated due to any rotation policy, the generation is incremented or updated to - the configured policy generation. - Generation `0` indicates that keys existed prior to the implementation of key tracking. 
- format: int32 - type: integer - type: object - type: object - conditions: - items: - description: Condition represents a status condition on any Rook-Ceph Custom Resource. - properties: - lastHeartbeatTime: - format: date-time - type: string - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - description: ConditionReason is a reason for a condition - type: string - status: - type: string - type: - description: ConditionType represent a resource's status - type: string - type: object - type: array - info: - additionalProperties: - type: string - nullable: true - type: object - mirroringInfo: - description: MirroringInfoSpec is the status of the pool/radosnamespace mirroring - properties: - details: - type: string - lastChanged: - type: string - lastChecked: - type: string - mode: - description: Mode is the mirroring mode - type: string - peers: - description: Peers are the list of peer sites connected to that cluster - items: - description: PeersSpec contains peer details - properties: - client_name: - description: ClientName is the CephX user used to connect to the peer - type: string - direction: - description: Direction is the peer mirroring direction - type: string - mirror_uuid: - description: MirrorUUID is the mirror UUID - type: string - site_name: - description: SiteName is the current site name - type: string - uuid: - description: UUID is the peer UUID - type: string - type: object - type: array - site_name: - description: SiteName is the current site name - type: string - type: object - mirroringStatus: - description: MirroringStatusSpec is the status of the pool/radosNamespace mirroring - properties: - details: - description: Details contains potential status errors - type: string - lastChanged: - description: LastChanged is the last time time the status last changed - type: string - lastChecked: - description: LastChecked is the last time time the status was checked - type: string - summary: - description: 
Summary is the mirroring status summary - properties: - daemon_health: - description: DaemonHealth is the health of the mirroring daemon - type: string - group_health: - description: GroupHealth is the health of the mirrored image group - nullable: true - type: string - group_states: - description: GroupStates is the various state for all mirrored image groups - nullable: true - properties: - error: - description: Error is when the mirroring state is errored - type: integer - replaying: - description: Replaying is when the replay of the mirroring journal is on-going - type: integer - starting_replay: - description: StartingReplay is when the replay of the mirroring journal starts - type: integer - stopped: - description: Stopped is when the mirroring state is stopped - type: integer - stopping_replay: - description: StopReplaying is when the replay of the mirroring journal stops - type: integer - syncing: - description: Syncing is when the image is syncing - type: integer - unknown: - description: Unknown is when the mirroring state is unknown - type: integer - type: object - health: - description: Health is the mirroring health - type: string - image_health: - description: ImageHealth is the health of the mirrored image - type: string - image_states: - description: ImageStates is the various state for all mirrored images - nullable: true - properties: - error: - description: Error is when the mirroring state is errored - type: integer - replaying: - description: Replaying is when the replay of the mirroring journal is on-going - type: integer - starting_replay: - description: StartingReplay is when the replay of the mirroring journal starts - type: integer - stopped: - description: Stopped is when the mirroring state is stopped - type: integer - stopping_replay: - description: StopReplaying is when the replay of the mirroring journal stops - type: integer - syncing: - description: Syncing is when the image is syncing - type: integer - unknown: - description: 
Unknown is when the mirroring state is unknown - type: integer - type: object - states: - description: States is the various state for all mirrored images - nullable: true - properties: - error: - description: Error is when the mirroring state is errored - type: integer - replaying: - description: Replaying is when the replay of the mirroring journal is on-going - type: integer - starting_replay: - description: StartingReplay is when the replay of the mirroring journal starts - type: integer - stopped: - description: Stopped is when the mirroring state is stopped - type: integer - stopping_replay: - description: StopReplaying is when the replay of the mirroring journal stops - type: integer - syncing: - description: Syncing is when the image is syncing - type: integer - unknown: - description: Unknown is when the mirroring state is unknown - type: integer - type: object - type: object - type: object - observedGeneration: - description: ObservedGeneration is the latest generation observed by the controller. 
- format: int64 - type: integer - phase: - description: ConditionType represent a resource's status - type: string - poolID: - description: optional - type: integer - snapshotScheduleStatus: - description: SnapshotScheduleStatusSpec is the status of the snapshot schedule - properties: - details: - description: Details contains potential status errors - type: string - lastChanged: - description: LastChanged is the last time time the status last changed - type: string - lastChecked: - description: LastChecked is the last time time the status was checked - type: string - snapshotSchedules: - description: SnapshotSchedules is the list of snapshots scheduled - items: - description: SnapshotSchedulesSpec is the list of snapshot scheduled for images in a pool - properties: - image: - description: Image is the mirrored image - type: string - items: - description: Items is the list schedules times for a given snapshot - items: - description: SnapshotSchedule is a schedule - properties: - interval: - description: Interval is the interval in which snapshots will be taken - type: string - start_time: - description: StartTime is the snapshot starting time - type: string - type: object - type: array - namespace: - description: Namespace is the RADOS namespace the image is part of - type: string - pool: - description: Pool is the pool name - type: string - type: object - nullable: true - type: array - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephbucketnotifications.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephBucketNotification - listKind: CephBucketNotificationList - plural: 
cephbucketnotifications - shortNames: - - cephbn - singular: cephbucketnotification - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.phase - name: Phase - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CephBucketNotification represents a Bucket Notifications - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BucketNotificationSpec represent the spec of a Bucket Notification - properties: - events: - description: List of events that should trigger the notification - items: - description: BucketNotificationSpec represent the event type of the bucket notification - enum: - - s3:ObjectCreated:* - - s3:ObjectCreated:Put - - s3:ObjectCreated:Post - - s3:ObjectCreated:Copy - - s3:ObjectCreated:CompleteMultipartUpload - - s3:ObjectRemoved:* - - s3:ObjectRemoved:Delete - - s3:ObjectRemoved:DeleteMarkerCreated - type: string - type: array - filter: - description: Spec of notification filter - properties: - keyFilters: - description: Filters based on the object's key - items: - description: NotificationKeyFilterRule represent a single key rule in the Notification Filter spec - properties: - name: - description: Name of the filter - prefix/suffix/regex - enum: - - 
prefix - - suffix - - regex - type: string - value: - description: Value to filter on - type: string - required: - - name - - value - type: object - type: array - metadataFilters: - description: Filters based on the object's metadata - items: - description: NotificationFilterRule represent a single rule in the Notification Filter spec - properties: - name: - description: Name of the metadata or tag - minLength: 1 - type: string - value: - description: Value to filter on - type: string - required: - - name - - value - type: object - type: array - tagFilters: - description: Filters based on the object's tags - items: - description: NotificationFilterRule represent a single rule in the Notification Filter spec - properties: - name: - description: Name of the metadata or tag - minLength: 1 - type: string - value: - description: Value to filter on - type: string - required: - - name - - value - type: object - type: array - type: object - topic: - description: The name of the topic associated with this notification - minLength: 1 - type: string - required: - - topic - type: object - status: - description: Status represents the status of an object - properties: - conditions: - items: - description: Condition represents a status condition on any Rook-Ceph Custom Resource. - properties: - lastHeartbeatTime: - format: date-time - type: string - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - description: ConditionReason is a reason for a condition - type: string - status: - type: string - type: - description: ConditionType represent a resource's status - type: string - type: object - type: array - observedGeneration: - description: ObservedGeneration is the latest generation observed by the controller. 
- format: int64 - type: integer - phase: - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephbuckettopics.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephBucketTopic - listKind: CephBucketTopicList - plural: cephbuckettopics - shortNames: - - cephbt - singular: cephbuckettopic - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.phase - name: Phase - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CephBucketTopic represents a Ceph Object Topic for Bucket Notifications - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BucketTopicSpec represent the spec of a Bucket Topic - properties: - endpoint: - description: Contains the endpoint spec of the topic - properties: - amqp: - description: Spec of AMQP endpoint - properties: - ackLevel: - default: broker - description: The ack level required for this topic (none/broker/routeable) - enum: - - none - - broker - - routeable - type: string - disableVerifySSL: - description: Indicate whether the server certificate is validated by the client or not - type: boolean - exchange: - description: Name of the exchange that is used to route messages based on topics - minLength: 1 - type: string - uri: - description: The URI of the AMQP endpoint to push notification to - minLength: 1 - type: string - required: - - exchange - - uri - type: object - http: - description: Spec of HTTP endpoint - properties: - disableVerifySSL: - description: Indicate whether the server certificate is validated by the client or not - type: boolean - sendCloudEvents: - description: 'Send the notifications with the CloudEvents header: https://github.com/cloudevents/spec/blob/main/cloudevents/adapters/aws-s3.md' - type: boolean - uri: - description: The URI of the HTTP endpoint to push notification to - minLength: 1 - type: string - required: - - uri - type: object - kafka: - description: Spec of Kafka endpoint - properties: - ackLevel: - default: broker - description: The ack level required for this topic (none/broker) - enum: - - none - - broker - type: string - disableVerifySSL: - description: Indicate whether the server certificate is validated by the client or not - type: boolean - mechanism: - default: PLAIN - description: The authentication mechanism for this topic (PLAIN/SCRAM-SHA-512/SCRAM-SHA-256/GSSAPI/OAUTHBEARER) - enum: - - PLAIN - - SCRAM-SHA-512 - - SCRAM-SHA-256 - - GSSAPI - - 
OAUTHBEARER - type: string - passwordSecretRef: - description: The kafka password to use for authentication - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - uri: - description: The URI of the Kafka endpoint to push notification to - minLength: 1 - type: string - useSSL: - description: Indicate whether to use SSL when communicating with the broker - type: boolean - userSecretRef: - description: The kafka user name to use for authentication - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - required: - - uri - type: object - type: object - objectStoreName: - description: The name of the object store on which to define the topic - minLength: 1 - type: string - objectStoreNamespace: - description: The namespace of the object store on which to define the topic - minLength: 1 - type: string - opaqueData: - description: Data which is sent in each event - type: string - persistent: - description: Indication whether notifications to this endpoint are persistent or not - type: boolean - required: - - endpoint - - objectStoreName - - objectStoreNamespace - type: object - status: - description: BucketTopicStatus represents the Status of a CephBucketTopic - properties: - ARN: - description: The ARN of the topic generated by the RGW - nullable: true - type: string - observedGeneration: - description: ObservedGeneration is the latest generation observed by the controller. - format: int64 - type: integer - phase: - type: string - secrets: - items: - properties: - name: - description: name is unique within a namespace to reference a secret resource. - type: string - namespace: - description: namespace defines the space within which the secret name must be unique. - type: string - resourceVersion: - type: string - uid: - description: |- - UID is a type that holds unique ID values, including UUIDs. Because we - don't ONLY use UUIDs, this is an alias to string. Being a type captures - intent and helps make sure that UIDs and names do not get conflated. 
- type: string - type: object - x-kubernetes-map-type: atomic - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephclients.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephClient - listKind: CephClientList - plural: cephclients - shortNames: - - cephcl - singular: cephclient - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.phase - name: Phase - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CephClient represents a Ceph Client - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec represents the specification of a Ceph Client - properties: - caps: - additionalProperties: - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - name: - type: string - removeSecret: - description: |- - RemoveSecret indicates whether the current secret for this ceph client should be removed or not. - If true, the K8s secret will be deleted, but the cephx keyring will remain until the CR is deleted. - type: boolean - secretName: - description: |- - SecretName is the name of the secret created for this ceph client. - If not specified, the default name is "rook-ceph-client-" as a prefix to the CR name. - type: string - x-kubernetes-validations: - - message: SecretName is immutable and cannot be changed - rule: self == oldSelf - security: - description: Security represents security settings - properties: - cephx: - description: 'CephX configures CephX key settings. More: https://docs.ceph.com/en/latest/dev/cephx/' - properties: - keyGeneration: - description: |- - KeyGeneration specifies the desired CephX key generation. This is used when KeyRotationPolicy - is KeyGeneration and ignored for other policies. If this is set to greater than the current - key generation, relevant keys will be rotated, and the generation value will be updated to - this new value (generation values are not necessarily incremental, though that is the - intended use case). If this is set to less than or equal to the current key generation, keys - are not rotated. - format: int32 - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: keyGeneration cannot be decreased - rule: self >= oldSelf - keyRotationPolicy: - description: |- - KeyRotationPolicy controls if and when CephX keys are rotated after initial creation. - One of Disabled, or KeyGeneration. 
Default Disabled. - enum: - - "" - - Disabled - - KeyGeneration - type: string - type: object - type: object - required: - - caps - type: object - status: - description: Status represents the status of a Ceph Client - properties: - cephx: - properties: - keyCephVersion: - description: |- - KeyCephVersion reports the Ceph version that created the current generation's keys. This is - same string format as reported by `CephCluster.status.version.version` to allow them to be - compared. E.g., `20.2.0-0`. - For all newly-created resources, this field set to the version of Ceph that created the key. - The special value "Uninitialized" indicates that keys are being created for the first time. - An empty string indicates that the version is unknown, as expected in brownfield deployments. - type: string - keyGeneration: - description: |- - KeyGeneration represents the CephX key generation for the last successful reconcile. - For all newly-created resources, this field is set to `1`. - When keys are rotated due to any rotation policy, the generation is incremented or updated to - the configured policy generation. - Generation `0` indicates that keys existed prior to the implementation of key tracking. - format: int32 - type: integer - type: object - info: - additionalProperties: - type: string - nullable: true - type: object - observedGeneration: - description: ObservedGeneration is the latest generation observed by the controller. 
- format: int64 - type: integer - phase: - description: ConditionType represent a resource's status - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephclusters.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephCluster - listKind: CephClusterList - plural: cephclusters - shortNames: - - ceph - singular: cephcluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Directory used on the K8s nodes - jsonPath: .spec.dataDirHostPath - name: DataDirHostPath - type: string - - description: Number of MONs - jsonPath: .spec.mon.count - name: MonCount - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.phase - name: Phase - type: string - - description: Message - jsonPath: .status.message - name: Message - type: string - - description: Ceph Health - jsonPath: .status.ceph.health - name: Health - type: string - - jsonPath: .spec.external.enable - name: External - type: boolean - - description: Ceph FSID - jsonPath: .status.ceph.fsid - name: FSID - type: string - name: v1 - schema: - openAPIV3Schema: - description: CephCluster is a Ceph storage cluster - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterSpec represents the specification of Ceph Cluster - properties: - annotations: - additionalProperties: - additionalProperties: - type: string - description: Annotations are annotations - type: object - description: The annotations-related configuration to add/set on each Pod related object. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - cephConfig: - additionalProperties: - additionalProperties: - type: string - type: object - description: Ceph Config options - nullable: true - type: object - cephConfigFromSecret: - additionalProperties: - additionalProperties: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - description: CephConfigFromSecret works exactly like CephConfig but takes config value from Secret Key reference. 
- nullable: true - type: object - cephVersion: - description: The version information that instructs Rook to orchestrate a particular version of Ceph. - nullable: true - properties: - allowUnsupported: - description: Whether to allow unsupported versions (do not set to true in production) - type: boolean - image: - description: |- - Image is the container image used to launch the ceph daemons, such as quay.io/ceph/ceph: - The full list of images can be found at https://quay.io/repository/ceph/ceph?tab=tags - type: string - imagePullPolicy: - description: |- - ImagePullPolicy describes a policy for if/when to pull a container image - One of Always, Never, IfNotPresent. - enum: - - IfNotPresent - - Always - - Never - - "" - type: string - type: object - cleanupPolicy: - description: |- - Indicates user intent when deleting a cluster; blocks orchestration and should not be set if cluster - deletion is not imminent. - nullable: true - properties: - allowUninstallWithVolumes: - description: AllowUninstallWithVolumes defines whether we can proceed with the uninstall if they are RBD images still present - type: boolean - confirmation: - description: Confirmation represents the cleanup confirmation - nullable: true - pattern: ^$|^yes-really-destroy-data$ - type: string - sanitizeDisks: - description: SanitizeDisks represents way we sanitize disks - nullable: true - properties: - dataSource: - description: DataSource is the data source to use to sanitize the disk with - enum: - - zero - - random - type: string - iteration: - description: Iteration is the number of pass to apply the sanitizing - format: int32 - type: integer - method: - description: Method is the method we use to sanitize disks - enum: - - complete - - quick - type: string - type: object - wipeDevicesFromOtherClusters: - description: |- - WipeDevicesFromOtherClusters wipes the OSD disks belonging to other clusters. 
This is useful in scenarios where ceph cluster - was reinstalled but OSD disk still contains the metadata from previous ceph cluster. - type: boolean - type: object - continueUpgradeAfterChecksEvenIfNotHealthy: - description: ContinueUpgradeAfterChecksEvenIfNotHealthy defines if an upgrade should continue even if PGs are not clean - type: boolean - crashCollector: - description: A spec for the crash controller - nullable: true - properties: - daysToRetain: - description: DaysToRetain represents the number of days to retain crash until they get pruned - type: integer - disable: - description: Disable determines whether we should enable the crash collector - type: boolean - type: object - csi: - description: CSI Driver Options applied per cluster. - properties: - cephfs: - description: CephFS defines CSI Driver settings for CephFS driver. - properties: - fuseMountOptions: - description: FuseMountOptions defines the mount options for ceph fuse mounter. - type: string - kernelMountOptions: - description: KernelMountOptions defines the mount options for kernel mounter. - type: string - type: object - readAffinity: - description: ReadAffinity defines the read affinity settings for CSI driver. - properties: - crushLocationLabels: - description: |- - CrushLocationLabels defines which node labels to use - as CRUSH location. This should correspond to the values set in - the CRUSH map. - items: - type: string - type: array - enabled: - description: Enables read affinity for CSI driver. - type: boolean - type: object - skipUserCreation: - description: |- - SkipUserCreation determines whether CSI users and their associated secrets should be skipped. - If set to true, the user must manually manage these secrets. 
- type: boolean - type: object - dashboard: - description: Dashboard settings - nullable: true - properties: - enabled: - description: Enabled determines whether to enable the dashboard - type: boolean - port: - description: Port is the dashboard webserver port - maximum: 65535 - minimum: 0 - type: integer - prometheusEndpoint: - description: Endpoint for the Prometheus host - type: string - prometheusEndpointSSLVerify: - description: Whether to verify the ssl endpoint for prometheus. Set to false for a self-signed cert. - type: boolean - ssl: - description: SSL determines whether SSL should be used - type: boolean - urlPrefix: - description: URLPrefix is a prefix for all URLs to use the dashboard with a reverse proxy - type: string - type: object - dataDirHostPath: - description: The path on the host where config and data can be persisted - pattern: ^/(\S+) - type: string - x-kubernetes-validations: - - message: DataDirHostPath is immutable - rule: self == oldSelf - disruptionManagement: - description: A spec for configuring disruption management. - nullable: true - properties: - machineDisruptionBudgetNamespace: - description: Deprecated. Namespace to look for MDBs by the machineDisruptionBudgetController - type: string - manageMachineDisruptionBudgets: - description: Deprecated. This enables management of machinedisruptionbudgets. - type: boolean - managePodBudgets: - description: This enables management of poddisruptionbudgets - type: boolean - osdMaintenanceTimeout: - description: |- - OSDMaintenanceTimeout sets how many additional minutes the DOWN/OUT interval is for drained failure domains - it only works if managePodBudgets is true. 
- the default is 30 minutes - format: int64 - type: integer - pgHealthCheckTimeout: - description: 'DEPRECATED: PGHealthCheckTimeout is no longer implemented' - format: int64 - type: integer - pgHealthyRegex: - description: |- - PgHealthyRegex is the regular expression that is used to determine which PG states should be considered healthy. - The default is `^(active\+clean|active\+clean\+scrubbing|active\+clean\+scrubbing\+deep)$` - type: string - type: object - external: - description: |- - Whether the Ceph Cluster is running external to this Kubernetes cluster - mon, mgr, osd, mds, and discover daemons will not be created for external clusters. - nullable: true - properties: - enable: - description: Enable determines whether external mode is enabled or not - type: boolean - type: object - x-kubernetes-preserve-unknown-fields: true - healthCheck: - description: Internal daemon healthchecks and liveness probe - nullable: true - properties: - daemonHealth: - description: DaemonHealth is the health check for a given daemon - nullable: true - properties: - mon: - description: Monitor represents the health check settings for the Ceph monitor - nullable: true - properties: - disabled: - type: boolean - interval: - description: Interval is the internal in second or minute for the health check to run like 60s for 60 seconds - type: string - timeout: - type: string - type: object - osd: - description: ObjectStorageDaemon represents the health check settings for the Ceph OSDs - nullable: true - properties: - disabled: - type: boolean - interval: - description: Interval is the internal in second or minute for the health check to run like 60s for 60 seconds - type: string - timeout: - type: string - type: object - status: - description: Status represents the health check settings for the Ceph health - nullable: true - properties: - disabled: - type: boolean - interval: - description: Interval is the internal in second or minute for the health check to run like 60s for 60 
seconds - type: string - timeout: - type: string - type: object - type: object - livenessProbe: - additionalProperties: - description: ProbeSpec is a wrapper around Probe so it can be enabled or disabled for a Ceph daemon - properties: - disabled: - description: Disabled determines whether probe is disable or not - type: boolean - probe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. - properties: - exec: - description: Exec specifies a command to execute in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. 
- properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' 
- type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - type: object - description: LivenessProbe allows changing the livenessProbe configuration for a given daemon - type: object - startupProbe: - additionalProperties: - description: ProbeSpec is a wrapper around Probe so it can be enabled or disabled for a Ceph daemon - properties: - disabled: - description: Disabled determines whether probe is disable or not - type: boolean - probe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. - properties: - exec: - description: Exec specifies a command to execute in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. 
- format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - type: object - description: StartupProbe allows changing the startupProbe configuration for a given daemon - type: object - type: object - labels: - additionalProperties: - additionalProperties: - type: string - description: Labels are label for a given daemons - type: object - description: The labels-related configuration to add/set on each Pod related object. 
- nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - logCollector: - description: Logging represents loggings settings - nullable: true - properties: - enabled: - description: Enabled represents whether the log collector is enabled - type: boolean - maxLogSize: - anyOf: - - type: integer - - type: string - description: MaxLogSize is the maximum size of the log per ceph daemons. Must be at least 1M. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - periodicity: - description: Periodicity is the periodicity of the log rotation. - pattern: ^$|^(hourly|daily|weekly|monthly|1h|24h|1d)$ - type: string - type: object - mgr: - description: A spec for mgr related options - nullable: true - properties: - allowMultiplePerNode: - description: AllowMultiplePerNode allows to run multiple managers on the same node (not recommended) - type: boolean - count: - description: Count is the number of manager daemons to run - maximum: 5 - minimum: 0 - type: integer - hostNetwork: - description: Whether host networking is enabled for the Ceph Mgr. If not set, the network settings from CephCluster.spec.networking will be applied. 
- type: boolean - modules: - description: Modules is the list of ceph manager modules to enable/disable - items: - description: Module represents mgr modules that the user wants to enable or disable - properties: - enabled: - description: Enabled determines whether a module should be enabled or not - type: boolean - name: - description: Name is the name of the ceph manager module - type: string - settings: - description: Settings to further configure the module - properties: - balancerMode: - description: BalancerMode sets the `balancer` module with different modes like `upmap`, `crush-compact` etc - enum: - - "" - - crush-compat - - upmap - - read - - upmap-read - type: string - type: object - type: object - nullable: true - type: array - type: object - mon: - description: A spec for mon related options - nullable: true - properties: - allowMultiplePerNode: - description: AllowMultiplePerNode determines if we can run multiple monitors on the same node (not recommended) - type: boolean - count: - description: Count is the number of Ceph monitors - maximum: 9 - minimum: 0 - type: integer - externalMonIDs: - description: |- - ExternalMonIDs - optional list of monitor IDs which are deployed externally and not managed by Rook. - If set, Rook will not remove mons with given IDs from quorum. - This parameter is used only for local Rook cluster running in normal mode - and will be ignored if external or stretched mode is used. 
- leading - items: - type: string - type: array - failureDomainLabel: - type: string - stretchCluster: - description: StretchCluster is the stretch cluster specification - properties: - failureDomainLabel: - description: 'FailureDomainLabel the failure domain name (e,g: zone)' - type: string - subFailureDomain: - description: SubFailureDomain is the failure domain within a zone - type: string - zones: - description: Zones is the list of zones - items: - description: MonZoneSpec represents the specification of a zone in a Ceph Cluster - properties: - arbiter: - description: Arbiter determines if the zone contains the arbiter used for stretch cluster mode - type: boolean - name: - description: Name is the name of the zone - type: string - volumeClaimTemplate: - description: VolumeClaimTemplate is the PVC template - properties: - metadata: - description: |- - Standard object's metadata. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. 
For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. 
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the PersistentVolume backing this claim. - type: string - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - nullable: true - type: array - type: object - volumeClaimTemplate: - description: VolumeClaimTemplate is the PVC definition - properties: - metadata: - description: |- - Standard object's metadata. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. 
For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. 
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the PersistentVolume backing this claim. - type: string - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - zones: - description: Zones are specified when we want to provide zonal awareness to mons - items: - description: MonZoneSpec represents the specification of a zone in a Ceph Cluster - properties: - arbiter: - description: Arbiter determines if the zone contains the arbiter used for stretch cluster mode - type: boolean - name: - description: Name is the name of the zone - type: string - volumeClaimTemplate: - description: VolumeClaimTemplate is the PVC template - properties: - metadata: - description: |- - Standard object's metadata. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. 
- This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. 
- (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. 
An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the PersistentVolume backing this claim. - type: string - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-validations: - - message: zones must be less than or equal to count - rule: '!has(self.zones) || (has(self.zones) && (size(self.zones) <= self.count))' - - message: stretchCluster zones must be equal to 3 - rule: '!has(self.stretchCluster) || (has(self.stretchCluster) && (size(self.stretchCluster.zones) > 0) && (size(self.stretchCluster.zones) == 3))' - monitoring: - description: Prometheus based Monitoring settings - nullable: true - properties: - enabled: - description: |- - Enabled determines whether to create the prometheus rules for the ceph cluster. If true, the prometheus - types must exist or the creation will fail. Default is false. - type: boolean - exporter: - description: Ceph exporter configuration - properties: - hostNetwork: - description: Whether host networking is enabled for CephExporter. 
If not set, the network settings from CephCluster.spec.networking will be applied. - nullable: true - type: boolean - perfCountersPrioLimit: - default: 5 - description: Only performance counters greater than or equal to this option are fetched - format: int64 - type: integer - statsPeriodSeconds: - default: 5 - description: Time to wait before sending requests again to exporter server (seconds) - format: int64 - type: integer - type: object - externalMgrEndpoints: - description: ExternalMgrEndpoints points to an existing Ceph prometheus exporter endpoint - items: - description: |- - EndpointAddress is a tuple that describes single IP address. - Deprecated: This API is deprecated in v1.33+. - properties: - hostname: - description: The Hostname of this endpoint - type: string - ip: - description: |- - The IP of this endpoint. - May not be loopback (127.0.0.0/8 or ::1), link-local (169.254.0.0/16 or fe80::/10), - or link-local multicast (224.0.0.0/24 or ff02::/16). - type: string - nodeName: - description: 'Optional: Node hosting this endpoint. This can be used to determine endpoints local to a node.' - type: string - targetRef: - description: Reference to object providing the endpoint. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - required: - - ip - type: object - x-kubernetes-map-type: atomic - nullable: true - type: array - externalMgrPrometheusPort: - description: ExternalMgrPrometheusPort Prometheus exporter port - maximum: 65535 - minimum: 0 - type: integer - interval: - description: Interval determines prometheus scrape interval - type: string - metricsDisabled: - description: |- - Whether to disable the metrics reported by Ceph. If false, the prometheus mgr module and Ceph exporter are enabled. - If true, the prometheus mgr module and Ceph exporter are both disabled. Default is false. - type: boolean - port: - description: Port is the prometheus server port - maximum: 65535 - minimum: 0 - type: integer - type: object - network: - description: Network related configuration - nullable: true - properties: - addressRanges: - description: |- - AddressRanges specify a list of CIDRs that Rook will apply to Ceph's 'public_network' and/or - 'cluster_network' configurations. This config section may be used for the "host" or "multus" - network providers. 
- nullable: true - properties: - cluster: - description: Cluster defines a list of CIDRs to use for Ceph cluster network communication. - items: - description: |- - An IPv4 or IPv6 network CIDR. - - This naive kubebuilder regex provides immediate feedback for some typos and for a common problem - case where the range spec is forgotten (e.g., /24). Rook does in-depth validation in code. - pattern: ^[0-9a-fA-F:.]{2,}\/[0-9]{1,3}$ - type: string - type: array - public: - description: Public defines a list of CIDRs to use for Ceph public network communication. - items: - description: |- - An IPv4 or IPv6 network CIDR. - - This naive kubebuilder regex provides immediate feedback for some typos and for a common problem - case where the range spec is forgotten (e.g., /24). Rook does in-depth validation in code. - pattern: ^[0-9a-fA-F:.]{2,}\/[0-9]{1,3}$ - type: string - type: array - type: object - connections: - description: |- - Settings for network connections such as compression and encryption across the - wire. - nullable: true - properties: - compression: - description: Compression settings for the network connections. - nullable: true - properties: - enabled: - description: |- - Whether to compress the data in transit across the wire. - The default is not set. - type: boolean - type: object - encryption: - description: Encryption settings for the network connections. - nullable: true - properties: - enabled: - description: |- - Whether to encrypt the data in transit across the wire to prevent eavesdropping - the data on the network. The default is not set. Even if encryption is not enabled, - clients still establish a strong initial authentication for the connection - and data integrity is still validated with a crc check. When encryption is enabled, - all communication between clients and Ceph daemons, or between Ceph daemons will - be encrypted. 
- type: boolean - type: object - requireMsgr2: - description: |- - Whether to require msgr2 (port 3300) even if compression or encryption are not enabled. - If true, the msgr1 port (6789) will be disabled. - Requires a kernel that supports msgr2 (kernel 5.11 or CentOS 8.4 or newer). - type: boolean - type: object - dualStack: - description: DualStack determines whether Ceph daemons should listen on both IPv4 and IPv6 - type: boolean - hostNetwork: - description: |- - HostNetwork to enable host network. - If host networking is enabled or disabled on a running cluster, then the operator will automatically fail over all the mons to - apply the new network settings. - type: boolean - ipFamily: - description: IPFamily is the single stack IPv6 or IPv4 protocol - enum: - - IPv4 - - IPv6 - nullable: true - type: string - multiClusterService: - description: Enable multiClusterService to export the Services between peer clusters - properties: - clusterID: - description: |- - ClusterID uniquely identifies a cluster. It is used as a prefix to nslookup exported - services. For example: ...svc.clusterset.local - type: string - enabled: - description: |- - Enable multiClusterService to export the mon and OSD services to peer cluster. - Ensure that peer clusters are connected using an MCS API compatible application, - like Globalnet Submariner. - type: boolean - type: object - provider: - description: |- - Provider is what provides network connectivity to the cluster e.g. "host" or "multus". - If the Provider is updated from being empty to "host" on a running cluster, then the operator will automatically fail over all the mons to apply the "host" network settings. 
- enum: - - "" - - host - - multus - nullable: true - type: string - x-kubernetes-validations: - - message: network provider must be disabled (reverted to empty string) before a new provider is enabled - rule: self == '' || oldSelf == '' || self == oldSelf - selectors: - additionalProperties: - type: string - description: |- - Selectors define NetworkAttachmentDefinitions to be used for Ceph public and/or cluster - networks when the "multus" network provider is used. This config section is not used for - other network providers. - - Valid keys are "public" and "cluster". Refer to Ceph networking documentation for more: - https://docs.ceph.com/en/latest/rados/configuration/network-config-ref/ - - Refer to Multus network annotation documentation for help selecting values: - https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/how-to-use.md#run-pod-with-network-annotation - - Rook will make a best-effort attempt to automatically detect CIDR address ranges for given - network attachment definitions. Rook's methods are robust but may be imprecise for - sufficiently complicated networks. Rook's auto-detection process obtains a new IP address - lease for each CephCluster reconcile. If Rook fails to detect, incorrectly detects, only - partially detects, or if underlying networks do not support reusing old IP addresses, it is - best to use the 'addressRanges' config section to specify CIDR ranges for the Ceph cluster. 
- - As a contrived example, one can use a theoretical Kubernetes-wide network for Ceph client - traffic and a theoretical Rook-only network for Ceph replication traffic as shown: - selectors: - public: "default/cluster-fast-net" - cluster: "rook-ceph/ceph-backend-net" - nullable: true - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-validations: - - message: at least one network selector must be specified when using multus - rule: '!has(self.provider) || (self.provider != ''multus'' || (self.provider == ''multus'' && size(self.selectors) > 0))' - - message: the legacy hostNetwork setting can only be set if the network.provider is set to the empty string - rule: '!has(self.hostNetwork) || self.hostNetwork == false || !has(self.provider) || self.provider == ""' - placement: - additionalProperties: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - 
required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: 
atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: 
string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - 
topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - topologySpreadConstraints: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - format: int32 - type: integer - minDomains: - format: int32 - type: integer - nodeAffinityPolicy: - type: string - nodeTaintsPolicy: - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - type: object - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - priorityClassNames: - additionalProperties: - type: string - description: PriorityClassNames sets priority classes on components - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - removeOSDsIfOutAndSafeToRemove: - description: Remove the OSD that is out and safe to remove only if this option is true - type: boolean - resources: - additionalProperties: - description: ResourceRequirements describes the compute resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. 
- - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - description: Resources set resource requests and limits - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - security: - description: Security represents security settings - nullable: true - properties: - cephx: - description: 'CephX configures CephX key settings. More: https://docs.ceph.com/en/latest/dev/cephx/' - properties: - csi: - description: |- - CSI configures CephX key rotation settings for the Ceph-CSI daemons in the current Kubernetes cluster. - CSI key rotation can affect existing PV connections, so take care when exercising this option. - properties: - keepPriorKeyCountMax: - description: |- - KeepPriorKeyCountMax tells Rook how many prior keys to keep active. - Generally, this would be set to 1 to allow for a migration period for applications. - If desired, set this to 0 to delete prior keys after migration. - This config only applies to prior keys that already exist. - If PriorKeyCount is set to 2 while only a single key currently exists, only a single prior key will be kept, - and the reported status will only indicate the actual number of prior keys, - not necessarily a reflection of PriorKeyCount config here. - maximum: 10 - minimum: 0 - type: integer - keyGeneration: - description: |- - KeyGeneration specifies the desired CephX key generation. This is used when KeyRotationPolicy - is KeyGeneration and ignored for other policies. If this is set to greater than the current - key generation, relevant keys will be rotated, and the generation value will be updated to - this new value (generation values are not necessarily incremental, though that is the - intended use case). If this is set to less than or equal to the current key generation, keys - are not rotated. 
- format: int32 - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: keyGeneration cannot be decreased - rule: self >= oldSelf - keyRotationPolicy: - description: |- - KeyRotationPolicy controls if and when CephX keys are rotated after initial creation. - One of Disabled, or KeyGeneration. Default Disabled. - enum: - - "" - - Disabled - - KeyGeneration - type: string - type: object - daemon: - description: |- - Daemon configures CephX key settings for local Ceph daemons managed by Rook and part of the - Ceph cluster. Daemon CephX keys can be rotated without affecting client connections. - properties: - keyGeneration: - description: |- - KeyGeneration specifies the desired CephX key generation. This is used when KeyRotationPolicy - is KeyGeneration and ignored for other policies. If this is set to greater than the current - key generation, relevant keys will be rotated, and the generation value will be updated to - this new value (generation values are not necessarily incremental, though that is the - intended use case). If this is set to less than or equal to the current key generation, keys - are not rotated. - format: int32 - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: keyGeneration cannot be decreased - rule: self >= oldSelf - keyRotationPolicy: - description: |- - KeyRotationPolicy controls if and when CephX keys are rotated after initial creation. - One of Disabled, or KeyGeneration. Default Disabled. - enum: - - "" - - Disabled - - KeyGeneration - type: string - type: object - rbdMirrorPeer: - description: |- - RBDMirrorPeer configures CephX key settings of the `rbd-mirror-peer` user that is used for creating - bootstrap peer token used connect peer clusters. Rotating the `rbd-mirror-peer` user key will update - the mirror peer token. - Rotation will affect any existing peers connected to this cluster, so take care when exercising this option. 
- properties: - keyGeneration: - description: |- - KeyGeneration specifies the desired CephX key generation. This is used when KeyRotationPolicy - is KeyGeneration and ignored for other policies. If this is set to greater than the current - key generation, relevant keys will be rotated, and the generation value will be updated to - this new value (generation values are not necessarily incremental, though that is the - intended use case). If this is set to less than or equal to the current key generation, keys - are not rotated. - format: int32 - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: keyGeneration cannot be decreased - rule: self >= oldSelf - keyRotationPolicy: - description: |- - KeyRotationPolicy controls if and when CephX keys are rotated after initial creation. - One of Disabled, or KeyGeneration. Default Disabled. - enum: - - "" - - Disabled - - KeyGeneration - type: string - type: object - type: object - keyRotation: - description: KeyRotation defines options for rotation of OSD disk encryption keys. - nullable: true - properties: - enabled: - default: false - description: Enabled represents whether the key rotation is enabled. - type: boolean - schedule: - description: Schedule represents the cron schedule for key rotation. 
- type: string - type: object - kms: - description: KeyManagementService is the main Key Management option - nullable: true - properties: - connectionDetails: - additionalProperties: - type: string - description: ConnectionDetails contains the KMS connection details (address, port etc) - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - tokenSecretName: - description: TokenSecretName is the kubernetes secret containing the KMS token - type: string - type: object - type: object - skipUpgradeChecks: - description: SkipUpgradeChecks defines if an upgrade should be forced even if one of the check fails - type: boolean - storage: - description: A spec for available storage in the cluster and how it should be used - nullable: true - properties: - allowDeviceClassUpdate: - description: Whether to allow updating the device class after the OSD is initially provisioned - type: boolean - allowOsdCrushWeightUpdate: - description: |- - Whether Rook will resize the OSD CRUSH weight when the OSD PVC size is increased. - This allows cluster data to be rebalanced to make most effective use of new OSD space. - The default is false since data rebalancing can cause temporary cluster slowdown. - type: boolean - backfillFullRatio: - description: BackfillFullRatio is the ratio at which the cluster is too full for backfill. Backfill will be disabled if above this threshold. Default is 0.90. 
- maximum: 1 - minimum: 0 - nullable: true - type: number - config: - additionalProperties: - type: string - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - deviceFilter: - description: A regular expression to allow more fine-grained selection of devices on nodes across the cluster - type: string - devicePathFilter: - description: A regular expression to allow more fine-grained selection of devices with path names - type: string - devices: - description: List of devices to use as storage devices - items: - description: Device represents a disk to use in the cluster - properties: - config: - additionalProperties: - type: string - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - fullpath: - type: string - name: - type: string - type: object - nullable: true - type: array - x-kubernetes-preserve-unknown-fields: true - flappingRestartIntervalHours: - description: |- - FlappingRestartIntervalHours defines the time for which the OSD pods, that failed with zero exit code, will sleep before restarting. - This is needed for OSD flapping where OSD daemons are marked down more than 5 times in 600 seconds by Ceph. - Preventing the OSD pods to restart immediately in such scenarios will prevent Rook from marking OSD as `up` and thus - peering of the PGs mapped to the OSD. - User needs to manually restart the OSD pod if they manage to fix the underlying OSD flapping issue before the restart interval. - The sleep will be disabled if this interval is set to 0. - type: integer - fullRatio: - description: FullRatio is the ratio at which the cluster is considered full and ceph will stop accepting writes. Default is 0.95. - maximum: 1 - minimum: 0 - nullable: true - type: number - migration: - description: Migration handles the OSD migration - properties: - confirmation: - description: |- - A user confirmation to migrate the OSDs. 
It destroys each OSD one at a time, cleans up the backing disk - and prepares OSD with same ID on that disk - pattern: ^$|^yes-really-migrate-osds$ - type: string - type: object - nearFullRatio: - description: NearFullRatio is the ratio at which the cluster is considered nearly full and will raise a ceph health warning. Default is 0.85. - maximum: 1 - minimum: 0 - nullable: true - type: number - nodes: - items: - description: Node is a storage nodes - properties: - config: - additionalProperties: - type: string - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - deviceFilter: - description: A regular expression to allow more fine-grained selection of devices on nodes across the cluster - type: string - devicePathFilter: - description: A regular expression to allow more fine-grained selection of devices with path names - type: string - devices: - description: List of devices to use as storage devices - items: - description: Device represents a disk to use in the cluster - properties: - config: - additionalProperties: - type: string - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - fullpath: - type: string - name: - type: string - type: object - nullable: true - type: array - x-kubernetes-preserve-unknown-fields: true - name: - type: string - resources: - description: ResourceRequirements describes the compute resource requirements. - nullable: true - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. 
It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - useAllDevices: - description: Whether to consume all the storage devices found on a machine - type: boolean - volumeClaimTemplates: - description: PersistentVolumeClaims to use as storage - items: - description: VolumeClaimTemplate is a simplified version of K8s corev1's PVC. It has no type meta or status. - properties: - metadata: - description: |- - Standard object's metadata. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. 
- type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. 
- If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the PersistentVolume backing this claim. - type: string - type: object - type: object - type: array - type: object - nullable: true - type: array - onlyApplyOSDPlacement: - type: boolean - osdMaxUpdatesInParallel: - description: The maximum number of OSDs to update in parallel. 
- format: int32 - minimum: 1 - type: integer - scheduleAlways: - description: Whether to always schedule OSDs on a node even if the node is not currently scheduleable or ready - type: boolean - storageClassDeviceSets: - items: - description: StorageClassDeviceSet is a storage class device set - properties: - config: - additionalProperties: - type: string - description: Provider-specific device configuration - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - count: - description: Count is the number of devices in this set - minimum: 1 - type: integer - encrypted: - description: Whether to encrypt the deviceSet - type: boolean - name: - description: Name is a unique identifier for the set - type: string - placement: - nullable: true - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - 
x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: 
- properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - 
namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - 
x-kubernetes-list-type: atomic - type: object - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - topologySpreadConstraints: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - format: int32 - type: integer - minDomains: - format: int32 - type: integer - nodeAffinityPolicy: - type: string - nodeTaintsPolicy: - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - portable: - description: Portable represents OSD portability across the hosts - type: boolean - preparePlacement: - nullable: true - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - 
x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - 
required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - 
matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - 
matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - topologySpreadConstraints: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - format: int32 - type: integer - minDomains: - format: int32 - type: integer - nodeAffinityPolicy: - type: string - nodeTaintsPolicy: - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - resources: - description: ResourceRequirements describes the compute resource requirements. 
- nullable: true - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - schedulerName: - description: Scheduler name for OSD pod placement - type: string - tuneDeviceClass: - description: TuneSlowDeviceClass Tune the OSD when running on a slow Device Class - type: boolean - tuneFastDeviceClass: - description: TuneFastDeviceClass Tune the OSD when running on a fast Device Class - type: boolean - volumeClaimTemplates: - description: VolumeClaimTemplates is a list of PVC templates for the underlying storage devices - items: - description: VolumeClaimTemplate is a simplified version of K8s corev1's PVC. It has no type meta or status. - properties: - metadata: - description: |- - Standard object's metadata. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. 
For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. 
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the PersistentVolume backing this claim. - type: string - type: object - type: object - type: array - required: - - count - - name - - volumeClaimTemplates - type: object - nullable: true - type: array - store: - description: OSDStore is the backend storage type used for creating the OSDs - properties: - type: - description: Type of backend storage to be used while creating OSDs. If empty, then bluestore will be used - enum: - - bluestore - - bluestore-rdr - type: string - updateStore: - description: |- - UpdateStore updates the backend store for existing OSDs. It destroys each OSD one at a time, cleans up the backing disk - and prepares same OSD on that disk - pattern: ^$|^yes-really-update-store$ - type: string - type: object - useAllDevices: - description: Whether to consume all the storage devices found on a machine - type: boolean - useAllNodes: - type: boolean - volumeClaimTemplates: - description: PersistentVolumeClaims to use as storage - items: - description: VolumeClaimTemplate is a simplified version of K8s corev1's PVC. It has no type meta or status. - properties: - metadata: - description: |- - Standard object's metadata. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. 
- type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. 
- If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the PersistentVolume backing this claim. - type: string - type: object - type: object - type: array - type: object - upgradeOSDRequiresHealthyPGs: - description: |- - UpgradeOSDRequiresHealthyPGs defines if OSD upgrade requires PGs are clean. If set to `true` OSD upgrade process won't start until PGs are healthy. - This configuration will be ignored if `skipUpgradeChecks` is `true`. - Default is false. 
- type: boolean - waitTimeoutForHealthyOSDInMinutes: - description: |- - WaitTimeoutForHealthyOSDInMinutes defines the time the operator would wait before an OSD can be stopped for upgrade or restart. - If the timeout exceeds and OSD is not ok to stop, then the operator would skip upgrade for the current OSD and proceed with the next one - if `continueUpgradeAfterChecksEvenIfNotHealthy` is `false`. If `continueUpgradeAfterChecksEvenIfNotHealthy` is `true`, then operator would - continue with the upgrade of an OSD even if its not ok to stop after the timeout. This timeout won't be applied if `skipUpgradeChecks` is `true`. - The default wait timeout is 10 minutes. - format: int64 - type: integer - type: object - status: - description: ClusterStatus represents the status of a Ceph cluster - nullable: true - properties: - ceph: - description: CephStatus is the details health of a Ceph Cluster - properties: - capacity: - description: Capacity is the capacity information of a Ceph Cluster - properties: - bytesAvailable: - format: int64 - type: integer - bytesTotal: - format: int64 - type: integer - bytesUsed: - format: int64 - type: integer - lastUpdated: - type: string - type: object - details: - additionalProperties: - description: CephHealthMessage represents the health message of a Ceph Cluster - properties: - message: - type: string - severity: - type: string - required: - - message - - severity - type: object - type: object - fsid: - type: string - health: - type: string - lastChanged: - type: string - lastChecked: - type: string - previousHealth: - type: string - versions: - description: CephDaemonsVersions show the current ceph version for different ceph daemons - properties: - cephfs-mirror: - additionalProperties: - type: integer - description: CephFSMirror shows CephFSMirror Ceph version - type: object - mds: - additionalProperties: - type: integer - description: Mds shows Mds Ceph version - type: object - mgr: - additionalProperties: - type: integer - 
description: Mgr shows Mgr Ceph version - type: object - mon: - additionalProperties: - type: integer - description: Mon shows Mon Ceph version - type: object - osd: - additionalProperties: - type: integer - description: Osd shows Osd Ceph version - type: object - overall: - additionalProperties: - type: integer - description: Overall shows overall Ceph version - type: object - rbd-mirror: - additionalProperties: - type: integer - description: RbdMirror shows RbdMirror Ceph version - type: object - rgw: - additionalProperties: - type: integer - description: Rgw shows Rgw Ceph version - type: object - type: object - type: object - cephx: - description: ClusterCephxStatus defines the cephx key rotation status of various daemons on the cephCluster resource - properties: - admin: - description: Admin shows the CephX key status for the client.admin key - properties: - keyCephVersion: - description: |- - KeyCephVersion reports the Ceph version that created the current generation's keys. This is - same string format as reported by `CephCluster.status.version.version` to allow them to be - compared. E.g., `20.2.0-0`. - For all newly-created resources, this field set to the version of Ceph that created the key. - The special value "Uninitialized" indicates that keys are being created for the first time. - An empty string indicates that the version is unknown, as expected in brownfield deployments. - type: string - keyGeneration: - description: |- - KeyGeneration represents the CephX key generation for the last successful reconcile. - For all newly-created resources, this field is set to `1`. - When keys are rotated due to any rotation policy, the generation is incremented or updated to - the configured policy generation. - Generation `0` indicates that keys existed prior to the implementation of key tracking. 
- format: int32 - type: integer - type: object - cephExporter: - description: Ceph Exporter represents the cephx key rotation status of the ceph exporter daemon - properties: - keyCephVersion: - description: |- - KeyCephVersion reports the Ceph version that created the current generation's keys. This is - same string format as reported by `CephCluster.status.version.version` to allow them to be - compared. E.g., `20.2.0-0`. - For all newly-created resources, this field set to the version of Ceph that created the key. - The special value "Uninitialized" indicates that keys are being created for the first time. - An empty string indicates that the version is unknown, as expected in brownfield deployments. - type: string - keyGeneration: - description: |- - KeyGeneration represents the CephX key generation for the last successful reconcile. - For all newly-created resources, this field is set to `1`. - When keys are rotated due to any rotation policy, the generation is incremented or updated to - the configured policy generation. - Generation `0` indicates that keys existed prior to the implementation of key tracking. - format: int32 - type: integer - type: object - crashCollector: - description: Crash Collector represents the cephx key rotation status of the crash collector daemon - properties: - keyCephVersion: - description: |- - KeyCephVersion reports the Ceph version that created the current generation's keys. This is - same string format as reported by `CephCluster.status.version.version` to allow them to be - compared. E.g., `20.2.0-0`. - For all newly-created resources, this field set to the version of Ceph that created the key. - The special value "Uninitialized" indicates that keys are being created for the first time. - An empty string indicates that the version is unknown, as expected in brownfield deployments. - type: string - keyGeneration: - description: |- - KeyGeneration represents the CephX key generation for the last successful reconcile. 
- For all newly-created resources, this field is set to `1`. - When keys are rotated due to any rotation policy, the generation is incremented or updated to - the configured policy generation. - Generation `0` indicates that keys existed prior to the implementation of key tracking. - format: int32 - type: integer - type: object - csi: - description: CSI shows the CephX key status for Ceph-CSI components. - properties: - keyCephVersion: - description: |- - KeyCephVersion reports the Ceph version that created the current generation's keys. This is - same string format as reported by `CephCluster.status.version.version` to allow them to be - compared. E.g., `20.2.0-0`. - For all newly-created resources, this field set to the version of Ceph that created the key. - The special value "Uninitialized" indicates that keys are being created for the first time. - An empty string indicates that the version is unknown, as expected in brownfield deployments. - type: string - keyGeneration: - description: |- - KeyGeneration represents the CephX key generation for the last successful reconcile. - For all newly-created resources, this field is set to `1`. - When keys are rotated due to any rotation policy, the generation is incremented or updated to - the configured policy generation. - Generation `0` indicates that keys existed prior to the implementation of key tracking. - format: int32 - type: integer - priorKeyCount: - description: PriorKeyCount reports the number of prior-generation CephX keys that remain active for the related component - type: integer - type: object - mgr: - description: Mgr represents the cephx key rotation status of the ceph manager daemon - properties: - keyCephVersion: - description: |- - KeyCephVersion reports the Ceph version that created the current generation's keys. This is - same string format as reported by `CephCluster.status.version.version` to allow them to be - compared. E.g., `20.2.0-0`. 
- For all newly-created resources, this field set to the version of Ceph that created the key. - The special value "Uninitialized" indicates that keys are being created for the first time. - An empty string indicates that the version is unknown, as expected in brownfield deployments. - type: string - keyGeneration: - description: |- - KeyGeneration represents the CephX key generation for the last successful reconcile. - For all newly-created resources, this field is set to `1`. - When keys are rotated due to any rotation policy, the generation is incremented or updated to - the configured policy generation. - Generation `0` indicates that keys existed prior to the implementation of key tracking. - format: int32 - type: integer - type: object - mon: - description: Mon represents the CephX key status of the Monitor daemons - properties: - keyCephVersion: - description: |- - KeyCephVersion reports the Ceph version that created the current generation's keys. This is - same string format as reported by `CephCluster.status.version.version` to allow them to be - compared. E.g., `20.2.0-0`. - For all newly-created resources, this field set to the version of Ceph that created the key. - The special value "Uninitialized" indicates that keys are being created for the first time. - An empty string indicates that the version is unknown, as expected in brownfield deployments. - type: string - keyGeneration: - description: |- - KeyGeneration represents the CephX key generation for the last successful reconcile. - For all newly-created resources, this field is set to `1`. - When keys are rotated due to any rotation policy, the generation is incremented or updated to - the configured policy generation. - Generation `0` indicates that keys existed prior to the implementation of key tracking. 
- format: int32 - type: integer - type: object - osd: - description: OSD shows the CephX key status of of OSDs - properties: - keyCephVersion: - description: |- - KeyCephVersion reports the Ceph version that created the current generation's keys. This is - same string format as reported by `CephCluster.status.version.version` to allow them to be - compared. E.g., `20.2.0-0`. - For all newly-created resources, this field set to the version of Ceph that created the key. - The special value "Uninitialized" indicates that keys are being created for the first time. - An empty string indicates that the version is unknown, as expected in brownfield deployments. - type: string - keyGeneration: - description: |- - KeyGeneration represents the CephX key generation for the last successful reconcile. - For all newly-created resources, this field is set to `1`. - When keys are rotated due to any rotation policy, the generation is incremented or updated to - the configured policy generation. - Generation `0` indicates that keys existed prior to the implementation of key tracking. - format: int32 - type: integer - type: object - rbdMirrorPeer: - description: RBDMirrorPeer represents the cephx key rotation status of the `rbd-mirror-peer` user - properties: - keyCephVersion: - description: |- - KeyCephVersion reports the Ceph version that created the current generation's keys. This is - same string format as reported by `CephCluster.status.version.version` to allow them to be - compared. E.g., `20.2.0-0`. - For all newly-created resources, this field set to the version of Ceph that created the key. - The special value "Uninitialized" indicates that keys are being created for the first time. - An empty string indicates that the version is unknown, as expected in brownfield deployments. - type: string - keyGeneration: - description: |- - KeyGeneration represents the CephX key generation for the last successful reconcile. - For all newly-created resources, this field is set to `1`. 
- When keys are rotated due to any rotation policy, the generation is incremented or updated to - the configured policy generation. - Generation `0` indicates that keys existed prior to the implementation of key tracking. - format: int32 - type: integer - type: object - type: object - conditions: - items: - description: Condition represents a status condition on any Rook-Ceph Custom Resource. - properties: - lastHeartbeatTime: - format: date-time - type: string - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - description: ConditionReason is a reason for a condition - type: string - status: - type: string - type: - description: ConditionType represent a resource's status - type: string - type: object - type: array - message: - type: string - observedGeneration: - description: ObservedGeneration is the latest generation observed by the controller. - format: int64 - type: integer - phase: - description: ConditionType represent a resource's status - type: string - state: - description: ClusterState represents the state of a Ceph Cluster - type: string - storage: - description: CephStorage represents flavors of Ceph Cluster Storage - properties: - deprecatedOSDs: - additionalProperties: - items: - type: integer - type: array - type: object - deviceClasses: - items: - description: DeviceClasses represents device classes of a Ceph Cluster - properties: - name: - type: string - type: object - type: array - osd: - description: OSDStatus represents OSD status of the ceph Cluster - properties: - migrationStatus: - description: MigrationStatus status represents the current status of any OSD migration. 
- properties: - pending: - type: integer - type: object - storeType: - additionalProperties: - type: integer - description: StoreType is a mapping between the OSD backend stores and number of OSDs using these stores - type: object - type: object - type: object - version: - description: ClusterVersion represents the version of a Ceph Cluster - properties: - image: - type: string - version: - type: string - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephcosidrivers.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephCOSIDriver - listKind: CephCOSIDriverList - plural: cephcosidrivers - shortNames: - - cephcosi - singular: cephcosidriver - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: CephCOSIDriver represents the CRD for the Ceph COSI Driver Deployment - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec represents the specification of a Ceph COSI Driver - properties: - deploymentStrategy: - description: DeploymentStrategy is the strategy to use to deploy the COSI driver. - enum: - - Never - - Auto - - Always - type: string - image: - description: Image is the container image to run the Ceph COSI driver - type: string - objectProvisionerImage: - description: ObjectProvisionerImage is the container image to run the COSI driver sidecar - type: string - placement: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - 
type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - 
values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: 
string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - 
tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - topologySpreadConstraints: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - format: int32 - type: integer - minDomains: - format: int32 - type: integer - nodeAffinityPolicy: - type: string - nodeTaintsPolicy: - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - type: object - resources: - description: Resources is the resource requirements for the COSI driver - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephfilesystemmirrors.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephFilesystemMirror - listKind: CephFilesystemMirrorList - plural: cephfilesystemmirrors - shortNames: - - cephfsm - singular: cephfilesystemmirror - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.phase - name: Phase - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CephFilesystemMirror is the Ceph Filesystem Mirror object definition - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FilesystemMirroringSpec is the filesystem mirroring specification - properties: - annotations: - additionalProperties: - type: string - description: The annotations-related configuration to add/set on each Pod related object. 
- nullable: true - type: object - labels: - additionalProperties: - type: string - description: The labels-related configuration to add/set on each Pod related object. - nullable: true - type: object - placement: - nullable: true - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - properties: - 
preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: 
atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - 
type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - topologySpreadConstraints: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - 
- key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - format: int32 - type: integer - minDomains: - format: int32 - type: integer - nodeAffinityPolicy: - type: string - nodeTaintsPolicy: - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - type: object - priorityClassName: - description: PriorityClassName sets priority class on the cephfs-mirror pods - type: string - resources: - description: The resource requirements for the cephfs-mirror pods - nullable: true - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - type: object - status: - description: FileMirrorStatus represents the status of the FileSystem mirror resource - properties: - cephx: - properties: - daemon: - description: Daemon shows the CephX key status for local Ceph daemons associated with this resources. - properties: - keyCephVersion: - description: |- - KeyCephVersion reports the Ceph version that created the current generation's keys. This is - same string format as reported by `CephCluster.status.version.version` to allow them to be - compared. E.g., `20.2.0-0`. - For all newly-created resources, this field set to the version of Ceph that created the key. - The special value "Uninitialized" indicates that keys are being created for the first time. 
- An empty string indicates that the version is unknown, as expected in brownfield deployments. - type: string - keyGeneration: - description: |- - KeyGeneration represents the CephX key generation for the last successful reconcile. - For all newly-created resources, this field is set to `1`. - When keys are rotated due to any rotation policy, the generation is incremented or updated to - the configured policy generation. - Generation `0` indicates that keys existed prior to the implementation of key tracking. - format: int32 - type: integer - type: object - type: object - conditions: - items: - description: Condition represents a status condition on any Rook-Ceph Custom Resource. - properties: - lastHeartbeatTime: - format: date-time - type: string - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - description: ConditionReason is a reason for a condition - type: string - status: - type: string - type: - description: ConditionType represent a resource's status - type: string - type: object - type: array - observedGeneration: - description: ObservedGeneration is the latest generation observed by the controller. 
- format: int64 - type: integer - phase: - type: string - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephfilesystems.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephFilesystem - listKind: CephFilesystemList - plural: cephfilesystems - shortNames: - - cephfs - singular: cephfilesystem - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Number of desired active MDS daemons - jsonPath: .spec.metadataServer.activeCount - name: ActiveMDS - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.phase - name: Phase - type: string - name: v1 - schema: - openAPIV3Schema: - description: CephFilesystem represents a Ceph Filesystem - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FilesystemSpec represents the spec of a file system - properties: - dataPools: - description: The data pool settings, with optional predefined pool name. 
- items: - description: NamedPoolSpec represents the named ceph pool spec - properties: - application: - description: The application name to set on the pool. Only expected to be set for rgw pools. - type: string - compressionMode: - description: |- - DEPRECATED: use Parameters instead, e.g., Parameters["compression_mode"] = "force" - The inline compression mode in Bluestore OSD to set to (options are: none, passive, aggressive, force) - Do NOT set a default value for kubebuilder as this will override the Parameters - enum: - - none - - passive - - aggressive - - force - - "" - nullable: true - type: string - crushRoot: - description: The root of the crush hierarchy utilized by the pool - nullable: true - type: string - deviceClass: - description: The device class the OSD should set to for use in the pool - nullable: true - type: string - enableCrushUpdates: - description: Allow rook operator to change the pool CRUSH tunables once the pool is created - nullable: true - type: boolean - enableRBDStats: - description: EnableRBDStats is used to enable gathering of statistics for all RBD images in the pool - type: boolean - erasureCoded: - description: The erasure code settings - properties: - algorithm: - description: |- - The algorithm for erasure coding. - If absent, defaults to the plugin specified in osd_pool_default_erasure_code_profile. - enum: - - isa - - jerasure - type: string - codingChunks: - description: |- - Number of coding chunks per object in an erasure coded storage pool (required for erasure-coded pool type). - This is the number of OSDs that can be lost simultaneously before data cannot be recovered. - minimum: 0 - type: integer - dataChunks: - description: |- - Number of data chunks per object in an erasure coded storage pool (required for erasure-coded pool type). 
- The number of chunks required to recover an object when any single OSD is lost is the same - as dataChunks so be aware that the larger the number of data chunks, the higher the cost of recovery. - minimum: 0 - type: integer - required: - - codingChunks - - dataChunks - type: object - failureDomain: - description: 'The failure domain: osd/host/(region or zone if available) - technically also any type in the crush map' - type: string - mirroring: - description: The mirroring settings - properties: - enabled: - description: Enabled whether this pool is mirrored or not - type: boolean - mode: - description: 'Mode is the mirroring mode: pool, image or init-only.' - enum: - - pool - - image - - init-only - type: string - peers: - description: Peers represents the peers spec - nullable: true - properties: - secretNames: - description: SecretNames represents the Kubernetes Secret names to add rbd-mirror or cephfs-mirror peers - items: - type: string - type: array - type: object - snapshotSchedules: - description: SnapshotSchedules is the scheduling of snapshot for mirrored images/pools - items: - description: SnapshotScheduleSpec represents the snapshot scheduling settings of a mirrored pool - properties: - interval: - description: Interval represent the periodicity of the snapshot. 
- type: string - path: - description: Path is the path to snapshot, only valid for CephFS - type: string - startTime: - description: StartTime indicates when to start the snapshot - type: string - type: object - type: array - type: object - name: - description: Name of the pool - type: string - parameters: - additionalProperties: - type: string - description: Parameters is a list of properties to enable on a given pool - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - quotas: - description: The quota settings - nullable: true - properties: - maxBytes: - description: |- - MaxBytes represents the quota in bytes - Deprecated in favor of MaxSize - format: int64 - type: integer - maxObjects: - description: MaxObjects represents the quota in objects - format: int64 - type: integer - maxSize: - description: MaxSize represents the quota in bytes as a string - pattern: ^[0-9]+[\.]?[0-9]*([KMGTPE]i|[kMGTPE])?$ - type: string - type: object - replicated: - description: The replication settings - properties: - hybridStorage: - description: HybridStorage represents hybrid storage tier settings - nullable: true - properties: - primaryDeviceClass: - description: PrimaryDeviceClass represents high performance tier (for example SSD or NVME) for Primary OSD - minLength: 1 - type: string - secondaryDeviceClass: - description: SecondaryDeviceClass represents low performance tier (for example HDDs) for remaining OSDs - minLength: 1 - type: string - required: - - primaryDeviceClass - - secondaryDeviceClass - type: object - replicasPerFailureDomain: - description: ReplicasPerFailureDomain the number of replica in the specified failure domain - minimum: 1 - type: integer - requireSafeReplicaSize: - description: RequireSafeReplicaSize if false allows you to set replica 1 - type: boolean - size: - description: Size - Number of copies per object in a replicated storage pool, including the object itself (required for replicated pool type) - minimum: 0 - type: 
integer - subFailureDomain: - description: SubFailureDomain the name of the sub-failure domain - type: string - targetSizeRatio: - description: TargetSizeRatio gives a hint (%) to Ceph in terms of expected consumption of the total cluster capacity - minimum: 0 - type: number - required: - - size - type: object - statusCheck: - description: The mirroring statusCheck - properties: - mirror: - description: HealthCheckSpec represents the health check of an object store bucket - nullable: true - properties: - disabled: - type: boolean - interval: - description: Interval is the internal in second or minute for the health check to run like 60s for 60 seconds - type: string - timeout: - type: string - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - nullable: true - type: array - metadataPool: - description: The metadata pool settings - nullable: true - properties: - application: - description: The application name to set on the pool. Only expected to be set for rgw pools. 
- type: string - compressionMode: - description: |- - DEPRECATED: use Parameters instead, e.g., Parameters["compression_mode"] = "force" - The inline compression mode in Bluestore OSD to set to (options are: none, passive, aggressive, force) - Do NOT set a default value for kubebuilder as this will override the Parameters - enum: - - none - - passive - - aggressive - - force - - "" - nullable: true - type: string - crushRoot: - description: The root of the crush hierarchy utilized by the pool - nullable: true - type: string - deviceClass: - description: The device class the OSD should set to for use in the pool - nullable: true - type: string - enableCrushUpdates: - description: Allow rook operator to change the pool CRUSH tunables once the pool is created - nullable: true - type: boolean - enableRBDStats: - description: EnableRBDStats is used to enable gathering of statistics for all RBD images in the pool - type: boolean - erasureCoded: - description: The erasure code settings - properties: - algorithm: - description: |- - The algorithm for erasure coding. - If absent, defaults to the plugin specified in osd_pool_default_erasure_code_profile. - enum: - - isa - - jerasure - type: string - codingChunks: - description: |- - Number of coding chunks per object in an erasure coded storage pool (required for erasure-coded pool type). - This is the number of OSDs that can be lost simultaneously before data cannot be recovered. - minimum: 0 - type: integer - dataChunks: - description: |- - Number of data chunks per object in an erasure coded storage pool (required for erasure-coded pool type). - The number of chunks required to recover an object when any single OSD is lost is the same - as dataChunks so be aware that the larger the number of data chunks, the higher the cost of recovery. 
- minimum: 0 - type: integer - required: - - codingChunks - - dataChunks - type: object - failureDomain: - description: 'The failure domain: osd/host/(region or zone if available) - technically also any type in the crush map' - type: string - mirroring: - description: The mirroring settings - properties: - enabled: - description: Enabled whether this pool is mirrored or not - type: boolean - mode: - description: 'Mode is the mirroring mode: pool, image or init-only.' - enum: - - pool - - image - - init-only - type: string - peers: - description: Peers represents the peers spec - nullable: true - properties: - secretNames: - description: SecretNames represents the Kubernetes Secret names to add rbd-mirror or cephfs-mirror peers - items: - type: string - type: array - type: object - snapshotSchedules: - description: SnapshotSchedules is the scheduling of snapshot for mirrored images/pools - items: - description: SnapshotScheduleSpec represents the snapshot scheduling settings of a mirrored pool - properties: - interval: - description: Interval represent the periodicity of the snapshot. 
- type: string - path: - description: Path is the path to snapshot, only valid for CephFS - type: string - startTime: - description: StartTime indicates when to start the snapshot - type: string - type: object - type: array - type: object - name: - description: Name of the pool - type: string - parameters: - additionalProperties: - type: string - description: Parameters is a list of properties to enable on a given pool - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - quotas: - description: The quota settings - nullable: true - properties: - maxBytes: - description: |- - MaxBytes represents the quota in bytes - Deprecated in favor of MaxSize - format: int64 - type: integer - maxObjects: - description: MaxObjects represents the quota in objects - format: int64 - type: integer - maxSize: - description: MaxSize represents the quota in bytes as a string - pattern: ^[0-9]+[\.]?[0-9]*([KMGTPE]i|[kMGTPE])?$ - type: string - type: object - replicated: - description: The replication settings - properties: - hybridStorage: - description: HybridStorage represents hybrid storage tier settings - nullable: true - properties: - primaryDeviceClass: - description: PrimaryDeviceClass represents high performance tier (for example SSD or NVME) for Primary OSD - minLength: 1 - type: string - secondaryDeviceClass: - description: SecondaryDeviceClass represents low performance tier (for example HDDs) for remaining OSDs - minLength: 1 - type: string - required: - - primaryDeviceClass - - secondaryDeviceClass - type: object - replicasPerFailureDomain: - description: ReplicasPerFailureDomain the number of replica in the specified failure domain - minimum: 1 - type: integer - requireSafeReplicaSize: - description: RequireSafeReplicaSize if false allows you to set replica 1 - type: boolean - size: - description: Size - Number of copies per object in a replicated storage pool, including the object itself (required for replicated pool type) - minimum: 0 - type: 
integer - subFailureDomain: - description: SubFailureDomain the name of the sub-failure domain - type: string - targetSizeRatio: - description: TargetSizeRatio gives a hint (%) to Ceph in terms of expected consumption of the total cluster capacity - minimum: 0 - type: number - required: - - size - type: object - statusCheck: - description: The mirroring statusCheck - properties: - mirror: - description: HealthCheckSpec represents the health check of an object store bucket - nullable: true - properties: - disabled: - type: boolean - interval: - description: Interval is the internal in second or minute for the health check to run like 60s for 60 seconds - type: string - timeout: - type: string - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - metadataServer: - description: The mds pod info - properties: - activeCount: - description: The number of metadata servers that are active. The remaining servers in the cluster will be in standby mode. - format: int32 - maximum: 50 - minimum: 1 - type: integer - activeStandby: - description: |- - Whether each active MDS instance will have an active standby with a warm metadata cache for faster failover. - If false, standbys will still be available, but will not have a warm metadata cache. - type: boolean - annotations: - additionalProperties: - type: string - description: The annotations-related configuration to add/set on each Pod related object. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - cacheMemoryLimitFactor: - description: |- - CacheMemoryLimitFactor is the factor applied to the memory limit to determine the MDS cache memory limit. - MDS cache memory limit should be set to 50-60% of RAM reserved for the MDS container. - MDS uses approximately 125% of the value of mds_cache_memory_limit in RAM. - This factor is applied when resources.limits.memory is set. 
- maximum: 1 - minimum: 0 - type: number - cacheMemoryRequestFactor: - description: |- - CacheMemoryRequestFactor is the factor applied to the memory request to determine the MDS cache memory limit. - This factor is applied when resources.requests.memory is set and resources.limits.memory is not set. - maximum: 1 - minimum: 0 - type: number - labels: - additionalProperties: - type: string - description: The labels-related configuration to add/set on each Pod related object. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - livenessProbe: - description: ProbeSpec is a wrapper around Probe so it can be enabled or disabled for a Ceph daemon - properties: - disabled: - description: Disabled determines whether probe is disable or not - type: boolean - probe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. - properties: - exec: - description: Exec specifies a command to execute in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. 
- format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. 
- format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - type: object - placement: - nullable: true - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - 
requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - 
items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: 
array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array 
- x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - topologySpreadConstraints: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - format: int32 - type: integer - minDomains: - format: int32 - type: integer - nodeAffinityPolicy: - type: string - nodeTaintsPolicy: - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - priorityClassName: - description: PriorityClassName sets priority classes on components - type: string - resources: - description: The resource requirements for the mds pods - nullable: true - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. 
It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - startupProbe: - description: ProbeSpec is a wrapper around Probe so it can be enabled or disabled for a Ceph daemon - properties: - disabled: - description: Disabled determines whether probe is disable or not - type: boolean - probe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. - properties: - exec: - description: Exec specifies a command to execute in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. 
- properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' 
- type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - type: object - required: - - activeCount - type: object - mirroring: - description: The mirroring settings - nullable: true - properties: - enabled: - description: Enabled whether this filesystem is mirrored or not - type: boolean - peers: - description: Peers represents the peers spec - nullable: true - properties: - secretNames: - description: SecretNames represents the Kubernetes Secret names to add rbd-mirror or cephfs-mirror peers - items: - type: string - type: array - type: object - snapshotRetention: - description: |- - Retention is the retention policy for a snapshot schedule - One path has exactly one retention policy. - A policy can however contain multiple count-time period pairs in order to specify complex retention policies - items: - description: SnapshotScheduleRetentionSpec is a retention policy - properties: - duration: - description: Duration represents the retention duration for a snapshot - type: string - path: - description: Path is the path to snapshot - type: string - type: object - type: array - snapshotSchedules: - description: SnapshotSchedules is the scheduling of snapshot for mirrored filesystems - items: - description: SnapshotScheduleSpec represents the snapshot scheduling settings of a mirrored pool - properties: - interval: - description: Interval represent the periodicity of the snapshot. 
- type: string - path: - description: Path is the path to snapshot, only valid for CephFS - type: string - startTime: - description: StartTime indicates when to start the snapshot - type: string - type: object - type: array - type: object - preserveFilesystemOnDelete: - description: Preserve the fs in the cluster on CephFilesystem CR deletion. Setting this to true automatically implies PreservePoolsOnDelete is true. - type: boolean - preservePoolNames: - description: Preserve pool names as specified - type: boolean - preservePoolsOnDelete: - description: Preserve pools on filesystem deletion - type: boolean - statusCheck: - description: The mirroring statusCheck - properties: - mirror: - description: HealthCheckSpec represents the health check of an object store bucket - nullable: true - properties: - disabled: - type: boolean - interval: - description: Interval is the internal in second or minute for the health check to run like 60s for 60 seconds - type: string - timeout: - type: string - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - dataPools - - metadataPool - - metadataServer - type: object - status: - description: CephFilesystemStatus represents the status of a Ceph Filesystem - properties: - cephx: - properties: - daemon: - description: Daemon shows the CephX key status for local Ceph daemons associated with this resources. - properties: - keyCephVersion: - description: |- - KeyCephVersion reports the Ceph version that created the current generation's keys. This is - same string format as reported by `CephCluster.status.version.version` to allow them to be - compared. E.g., `20.2.0-0`. - For all newly-created resources, this field set to the version of Ceph that created the key. - The special value "Uninitialized" indicates that keys are being created for the first time. - An empty string indicates that the version is unknown, as expected in brownfield deployments. 
- type: string - keyGeneration: - description: |- - KeyGeneration represents the CephX key generation for the last successful reconcile. - For all newly-created resources, this field is set to `1`. - When keys are rotated due to any rotation policy, the generation is incremented or updated to - the configured policy generation. - Generation `0` indicates that keys existed prior to the implementation of key tracking. - format: int32 - type: integer - type: object - type: object - conditions: - items: - description: Condition represents a status condition on any Rook-Ceph Custom Resource. - properties: - lastHeartbeatTime: - format: date-time - type: string - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - description: ConditionReason is a reason for a condition - type: string - status: - type: string - type: - description: ConditionType represent a resource's status - type: string - type: object - type: array - info: - additionalProperties: - type: string - description: Use only info and put mirroringStatus in it? 
- nullable: true - type: object - mirroringStatus: - description: MirroringStatus is the filesystem mirroring status - properties: - daemonsStatus: - description: PoolMirroringStatus is the mirroring status of a filesystem - items: - description: FilesystemMirrorInfoSpec is the filesystem mirror status of a given filesystem - properties: - daemon_id: - description: DaemonID is the cephfs-mirror name - type: integer - filesystems: - description: Filesystems is the list of filesystems managed by a given cephfs-mirror daemon - items: - description: FilesystemsSpec is spec for the mirrored filesystem - properties: - directory_count: - description: DirectoryCount is the number of directories in the filesystem - type: integer - filesystem_id: - description: FilesystemID is the filesystem identifier - type: integer - name: - description: Name is name of the filesystem - type: string - peers: - description: Peers represents the mirroring peers - items: - description: FilesystemMirrorInfoPeerSpec is the specification of a filesystem peer mirror - properties: - remote: - description: Remote are the remote cluster information - properties: - client_name: - description: ClientName is cephx name - type: string - cluster_name: - description: ClusterName is the name of the cluster - type: string - fs_name: - description: FsName is the filesystem name - type: string - type: object - stats: - description: Stats are the stat a peer mirror - properties: - failure_count: - description: FailureCount is the number of mirroring failure - type: integer - recovery_count: - description: RecoveryCount is the number of recovery attempted after failures - type: integer - type: object - uuid: - description: UUID is the peer unique identifier - type: string - type: object - type: array - type: object - type: array - type: object - nullable: true - type: array - details: - description: Details contains potential status errors - type: string - lastChanged: - description: LastChanged is the last 
time time the status last changed - type: string - lastChecked: - description: LastChecked is the last time time the status was checked - type: string - type: object - observedGeneration: - description: ObservedGeneration is the latest generation observed by the controller. - format: int64 - type: integer - phase: - description: ConditionType represent a resource's status - type: string - snapshotScheduleStatus: - description: FilesystemSnapshotScheduleStatusSpec is the status of the snapshot schedule - properties: - details: - description: Details contains potential status errors - type: string - lastChanged: - description: LastChanged is the last time time the status last changed - type: string - lastChecked: - description: LastChecked is the last time time the status was checked - type: string - snapshotSchedules: - description: SnapshotSchedules is the list of snapshots scheduled - items: - description: FilesystemSnapshotSchedulesSpec is the list of snapshot scheduled for images in a pool - properties: - fs: - description: Fs is the name of the Ceph Filesystem - type: string - path: - description: Path is the path on the filesystem - type: string - rel_path: - type: string - retention: - description: FilesystemSnapshotScheduleStatusRetention is the retention specification for a filesystem snapshot schedule - properties: - active: - description: Active is whether the scheduled is active or not - type: boolean - created: - description: Created is when the snapshot schedule was created - type: string - created_count: - description: CreatedCount is total amount of snapshots - type: integer - first: - description: First is when the first snapshot schedule was taken - type: string - last: - description: Last is when the last snapshot schedule was taken - type: string - last_pruned: - description: LastPruned is when the last snapshot schedule was pruned - type: string - pruned_count: - description: PrunedCount is total amount of pruned snapshots - type: integer - 
start: - description: Start is when the snapshot schedule starts - type: string - type: object - schedule: - type: string - subvol: - description: Subvol is the name of the sub volume - type: string - type: object - nullable: true - type: array - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephfilesystemsubvolumegroups.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephFilesystemSubVolumeGroup - listKind: CephFilesystemSubVolumeGroupList - plural: cephfilesystemsubvolumegroups - shortNames: - - cephfssvg - - cephsvg - singular: cephfilesystemsubvolumegroup - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.phase - name: Phase - type: string - - description: Name of the CephFileSystem - jsonPath: .spec.filesystemName - name: Filesystem - type: string - - jsonPath: .spec.quota - name: Quota - type: string - - jsonPath: .status.info.pinning - name: Pinning - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CephFilesystemSubVolumeGroup represents a Ceph Filesystem SubVolumeGroup - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. 
- Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec represents the specification of a Ceph Filesystem SubVolumeGroup - properties: - clusterID: - description: |- - ClusterID to be used for this subvolume group in the CSI configuration. - It must be unique among all Ceph clusters managed by Rook. - If not specified, the clusterID will be generated and can be found in the CR status. - maxLength: 36 - minLength: 1 - pattern: ^[a-zA-Z0-9_-]+$ - type: string - x-kubernetes-validations: - - message: ClusterID is immutable - rule: self == oldSelf - dataPoolName: - description: The data pool name for the Ceph Filesystem subvolume group layout, if the default CephFS pool is not desired. - type: string - filesystemName: - description: |- - FilesystemName is the name of Ceph Filesystem SubVolumeGroup volume name. Typically it's the name of - the CephFilesystem CR. If not coming from the CephFilesystem CR, it can be retrieved from the - list of Ceph Filesystem volumes with `ceph fs volume ls`. To learn more about Ceph Filesystem - abstractions see https://docs.ceph.com/en/latest/cephfs/fs-volumes/#fs-volumes-and-subvolumes - type: string - x-kubernetes-validations: - - message: filesystemName is immutable - rule: self == oldSelf - name: - description: The name of the subvolume group. If not set, the default is the name of the subvolumeGroup CR. 
- type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - pinning: - description: |- - Pinning configuration of CephFilesystemSubVolumeGroup, - reference https://docs.ceph.com/en/latest/cephfs/fs-volumes/#pinning-subvolumes-and-subvolume-groups - only one out of (export, distributed, random) can be set at a time - properties: - distributed: - maximum: 1 - minimum: 0 - nullable: true - type: integer - export: - maximum: 256 - minimum: -1 - nullable: true - type: integer - random: - maximum: 1 - minimum: 0 - nullable: true - type: number - type: object - x-kubernetes-validations: - - message: only one pinning type should be set - rule: (has(self.export) && !has(self.distributed) && !has(self.random)) || (!has(self.export) && has(self.distributed) && !has(self.random)) || (!has(self.export) && !has(self.distributed) && has(self.random)) || (!has(self.export) && !has(self.distributed) && !has(self.random)) - quota: - anyOf: - - type: integer - - type: string - description: Quota size of the Ceph Filesystem subvolume group. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - required: - - filesystemName - type: object - status: - description: Status represents the status of a CephFilesystem SubvolumeGroup - properties: - info: - additionalProperties: - type: string - nullable: true - type: object - observedGeneration: - description: ObservedGeneration is the latest generation observed by the controller. 
- format: int64 - type: integer - phase: - description: ConditionType represent a resource's status - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephnfses.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephNFS - listKind: CephNFSList - plural: cephnfses - shortNames: - - nfs - singular: cephnfs - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.phase - name: Phase - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CephNFS represents a Ceph NFS - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: NFSGaneshaSpec represents the spec of an nfs ganesha server - properties: - rados: - description: RADOS is the Ganesha RADOS specification - nullable: true - properties: - namespace: - description: |- - The namespace inside the Ceph pool (set by 'pool') where shared NFS-Ganesha config is stored. - This setting is deprecated as it is internally set to the name of the CephNFS. - type: string - pool: - description: |- - The Ceph pool used store the shared configuration for NFS-Ganesha daemons. - This setting is deprecated, as it is internally required to be ".nfs". - type: string - type: object - security: - description: Security allows specifying security configurations for the NFS cluster - nullable: true - properties: - kerberos: - description: Kerberos configures NFS-Ganesha to secure NFS client connections with Kerberos. - nullable: true - properties: - configFiles: - description: |- - ConfigFiles defines where the Kerberos configuration should be sourced from. Config files - will be placed into the `/etc/krb5.conf.rook/` directory. - - If this is left empty, Rook will not add any files. This allows you to manage the files - yourself however you wish. For example, you may build them into your custom Ceph container - image or use the Vault agent injector to securely add the files via annotations on the - CephNFS spec (passed to the NFS server pods). - - Rook configures Kerberos to log to stderr. We suggest removing logging sections from config - files to avoid consuming unnecessary disk space from logging to files. 
- properties: - volumeSource: - properties: - configMap: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - emptyDir: - properties: - medium: - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - hostPath: - properties: - path: - type: string - type: - type: string - required: - - path - type: object - persistentVolumeClaim: - properties: - claimName: - type: string - readOnly: - type: boolean - required: - - claimName - type: object - projected: - properties: - defaultMode: - format: int32 - type: integer - sources: - items: - properties: - clusterTrustBundle: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - name: - type: string - optional: - type: boolean - path: - type: string - signerName: - type: string - required: - - path - type: object - configMap: - properties: - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string - optional: - type: boolean - type: object - 
x-kubernetes-map-type: atomic - downwardAPI: - properties: - items: - items: - properties: - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - format: int32 - type: integer - path: - type: string - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - properties: - audience: - type: string - expirationSeconds: - format: int64 - type: integer - path: - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - type: boolean - secretName: - type: string - type: object - type: object - type: object - domainName: - description: DomainName should be set to the Kerberos Realm. - type: string - keytabFile: - description: |- - KeytabFile defines where the Kerberos keytab should be sourced from. 
The keytab file will be - placed into `/etc/krb5.keytab`. If this is left empty, Rook will not add the file. - This allows you to manage the `krb5.keytab` file yourself however you wish. For example, you - may build it into your custom Ceph container image or use the Vault agent injector to - securely add the file via annotations on the CephNFS spec (passed to the NFS server pods). - properties: - volumeSource: - properties: - configMap: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - emptyDir: - properties: - medium: - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - hostPath: - properties: - path: - type: string - type: - type: string - required: - - path - type: object - persistentVolumeClaim: - properties: - claimName: - type: string - readOnly: - type: boolean - required: - - claimName - type: object - projected: - properties: - defaultMode: - format: int32 - type: integer - sources: - items: - properties: - clusterTrustBundle: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - name: - type: string - optional: - type: boolean - path: - type: string - signerName: - 
type: string - required: - - path - type: object - configMap: - properties: - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - properties: - items: - items: - properties: - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - format: int32 - type: integer - path: - type: string - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - properties: - audience: - type: string - expirationSeconds: - format: int64 - type: integer - path: - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - 
x-kubernetes-list-type: atomic - optional: - type: boolean - secretName: - type: string - type: object - type: object - type: object - principalName: - default: nfs - description: |- - PrincipalName corresponds directly to NFS-Ganesha's NFS_KRB5:PrincipalName config. In - practice, this is the service prefix of the principal name. The default is "nfs". - This value is combined with (a) the namespace and name of the CephNFS (with a hyphen between) - and (b) the Realm configured in the user-provided krb5.conf to determine the full principal - name: /-@. e.g., nfs/rook-ceph-my-nfs@example.net. - See https://github.com/nfs-ganesha/nfs-ganesha/wiki/RPCSEC_GSS for more detail. - type: string - type: object - sssd: - description: |- - SSSD enables integration with System Security Services Daemon (SSSD). SSSD can be used to - provide user ID mapping from a number of sources. See https://sssd.io for more information - about the SSSD project. - nullable: true - properties: - sidecar: - description: Sidecar tells Rook to run SSSD in a sidecar alongside the NFS-Ganesha server in each NFS pod. - properties: - additionalFiles: - description: |- - AdditionalFiles defines any number of additional files that should be mounted into the SSSD - sidecar with a directory root of `/etc/sssd/rook-additional/`. - These files may be referenced by the sssd.conf config file. - items: - description: |- - AdditionalVolumeMount represents the source from where additional files in pod containers - should come from and what subdirectory they are made available in. - properties: - subPath: - description: |- - SubPath defines the sub-path (subdirectory) of the directory root where the volumeSource will - be mounted. All files/keys in the volume source's volume will be mounted to the subdirectory. - This is not the same as the Kubernetes `subPath` volume mount option. - Each subPath definition must be unique and must not contain ':'. 
- minLength: 1 - pattern: ^[^:]+$ - type: string - volumeSource: - properties: - configMap: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - emptyDir: - properties: - medium: - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - hostPath: - properties: - path: - type: string - type: - type: string - required: - - path - type: object - persistentVolumeClaim: - properties: - claimName: - type: string - readOnly: - type: boolean - required: - - claimName - type: object - projected: - properties: - defaultMode: - format: int32 - type: integer - sources: - items: - properties: - clusterTrustBundle: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - name: - type: string - optional: - type: boolean - path: - type: string - signerName: - type: string - required: - - path - type: object - configMap: - properties: - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string - optional: - type: boolean - 
type: object - x-kubernetes-map-type: atomic - downwardAPI: - properties: - items: - items: - properties: - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - format: int32 - type: integer - path: - type: string - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - properties: - audience: - type: string - expirationSeconds: - format: int64 - type: integer - path: - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - type: boolean - secretName: - type: string - type: object - type: object - required: - - subPath - - volumeSource - type: object - type: array - debugLevel: - description: |- - DebugLevel sets the debug level for SSSD. If unset or set to 0, Rook does nothing. 
Otherwise, - this may be a value between 1 and 10. See SSSD docs for more info: - https://sssd.io/troubleshooting/basics.html#sssd-debug-logs - maximum: 10 - minimum: 0 - type: integer - image: - description: Image defines the container image that should be used for the SSSD sidecar. - minLength: 1 - type: string - resources: - description: Resources allow specifying resource requests/limits on the SSSD sidecar container. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - sssdConfigFile: - description: |- - SSSDConfigFile defines where the SSSD configuration should be sourced from. The config file - will be placed into `/etc/sssd/sssd.conf`. If this is left empty, Rook will not add the file. - This allows you to manage the `sssd.conf` file yourself however you wish. For example, you - may build it into your custom Ceph container image or use the Vault agent injector to - securely add the file via annotations on the CephNFS spec (passed to the NFS server pods). 
- properties: - volumeSource: - properties: - configMap: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - emptyDir: - properties: - medium: - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - hostPath: - properties: - path: - type: string - type: - type: string - required: - - path - type: object - persistentVolumeClaim: - properties: - claimName: - type: string - readOnly: - type: boolean - required: - - claimName - type: object - projected: - properties: - defaultMode: - format: int32 - type: integer - sources: - items: - properties: - clusterTrustBundle: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - name: - type: string - optional: - type: boolean - path: - type: string - signerName: - type: string - required: - - path - type: object - configMap: - properties: - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string - optional: - type: boolean - type: object - 
x-kubernetes-map-type: atomic - downwardAPI: - properties: - items: - items: - properties: - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - format: int32 - type: integer - path: - type: string - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - properties: - audience: - type: string - expirationSeconds: - format: int64 - type: integer - path: - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - type: boolean - secretName: - type: string - type: object - type: object - type: object - required: - - image - type: object - type: object - type: object - server: - description: Server is the Ganesha Server specification - properties: - active: - description: The number of active Ganesha servers - type: integer - 
annotations: - additionalProperties: - type: string - description: The annotations-related configuration to add/set on each Pod related object. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - hostNetwork: - description: Whether host networking is enabled for the Ganesha server. If not set, the network settings from the cluster CR will be applied. - nullable: true - type: boolean - labels: - additionalProperties: - type: string - description: The labels-related configuration to add/set on each Pod related object. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - livenessProbe: - description: |- - A liveness-probe to verify that Ganesha server has valid run-time state. - If LivenessProbe.Disabled is false and LivenessProbe.Probe is nil uses default probe. - properties: - disabled: - description: Disabled determines whether probe is disable or not - type: boolean - probe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. - properties: - exec: - description: Exec specifies a command to execute in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. 
- properties: - port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - type: object - logLevel: - description: LogLevel set logging level - type: string - placement: - nullable: true - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - properties: - 
preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: 
atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - 
type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - topologySpreadConstraints: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - 
- key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - format: int32 - type: integer - minDomains: - format: int32 - type: integer - nodeAffinityPolicy: - type: string - nodeTaintsPolicy: - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - priorityClassName: - description: PriorityClassName sets the priority class on the pods - type: string - resources: - description: Resources set resource requests and limits - nullable: true - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - active - type: object - required: - - server - type: object - status: - description: NFSStatus represents the status of Ceph NFS - properties: - cephx: - properties: - daemon: - description: Daemon shows the CephX key status for local Ceph daemons associated with this resources. - properties: - keyCephVersion: - description: |- - KeyCephVersion reports the Ceph version that created the current generation's keys. This is - same string format as reported by `CephCluster.status.version.version` to allow them to be - compared. E.g., `20.2.0-0`. - For all newly-created resources, this field set to the version of Ceph that created the key. - The special value "Uninitialized" indicates that keys are being created for the first time. 
- An empty string indicates that the version is unknown, as expected in brownfield deployments. - type: string - keyGeneration: - description: |- - KeyGeneration represents the CephX key generation for the last successful reconcile. - For all newly-created resources, this field is set to `1`. - When keys are rotated due to any rotation policy, the generation is incremented or updated to - the configured policy generation. - Generation `0` indicates that keys existed prior to the implementation of key tracking. - format: int32 - type: integer - type: object - type: object - conditions: - items: - description: Condition represents a status condition on any Rook-Ceph Custom Resource. - properties: - lastHeartbeatTime: - format: date-time - type: string - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - description: ConditionReason is a reason for a condition - type: string - status: - type: string - type: - description: ConditionType represent a resource's status - type: string - type: object - type: array - observedGeneration: - description: ObservedGeneration is the latest generation observed by the controller. 
- format: int64 - type: integer - phase: - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephobjectrealms.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephObjectRealm - listKind: CephObjectRealmList - plural: cephobjectrealms - shortNames: - - cephor - singular: cephobjectrealm - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.phase - name: Phase - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CephObjectRealm represents a Ceph Object Store Gateway Realm - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ObjectRealmSpec represent the spec of an ObjectRealm - nullable: true - properties: - defaultRealm: - description: Set this realm as the default in Ceph. Only one realm should be default. 
- type: boolean - pull: - description: PullSpec represents the pulling specification of a Ceph Object Storage Gateway Realm - properties: - endpoint: - pattern: ^https*:// - type: string - type: object - type: object - status: - description: Status represents the status of an object - properties: - conditions: - items: - description: Condition represents a status condition on any Rook-Ceph Custom Resource. - properties: - lastHeartbeatTime: - format: date-time - type: string - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - description: ConditionReason is a reason for a condition - type: string - status: - type: string - type: - description: ConditionType represent a resource's status - type: string - type: object - type: array - observedGeneration: - description: ObservedGeneration is the latest generation observed by the controller. - format: int64 - type: integer - phase: - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephobjectstores.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephObjectStore - listKind: CephObjectStoreList - plural: cephobjectstores - shortNames: - - cephos - singular: cephobjectstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.phase - name: Phase - type: string - - jsonPath: .status.info.endpoint - name: Endpoint - type: string - - jsonPath: .status.info.secureEndpoint - name: SecureEndpoint - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CephObjectStore represents a Ceph Object Store 
Gateway - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ObjectStoreSpec represent the spec of a pool - properties: - allowUsersInNamespaces: - description: |- - The list of allowed namespaces in addition to the object store namespace - where ceph object store users may be created. Specify "*" to allow all - namespaces, otherwise list individual namespaces that are to be allowed. - This is useful for applications that need object store credentials - to be created in their own namespace, where neither OBCs nor COSI - is being used to create buckets. The default is empty. - items: - type: string - type: array - auth: - description: The authentication configuration - properties: - keystone: - description: The spec for Keystone - nullable: true - properties: - acceptedRoles: - description: The roles requires to serve requests. - items: - type: string - type: array - implicitTenants: - description: Create new users in their own tenants of the same name. Possible values are true, false, swift and s3. The latter have the effect of splitting the identity space such that only the indicated protocol will use implicit tenants. - type: string - revocationInterval: - description: The number of seconds between token revocation checks. 
- nullable: true - type: integer - serviceUserSecretName: - description: The name of the secret containing the credentials for the service user account used by RGW. It has to be in the same namespace as the object store resource. - type: string - tokenCacheSize: - description: The maximum number of entries in each Keystone token cache. - nullable: true - type: integer - url: - description: The URL for the Keystone server. - type: string - required: - - acceptedRoles - - serviceUserSecretName - - url - type: object - type: object - dataPool: - description: The data pool settings - nullable: true - properties: - application: - description: The application name to set on the pool. Only expected to be set for rgw pools. - type: string - compressionMode: - description: |- - DEPRECATED: use Parameters instead, e.g., Parameters["compression_mode"] = "force" - The inline compression mode in Bluestore OSD to set to (options are: none, passive, aggressive, force) - Do NOT set a default value for kubebuilder as this will override the Parameters - enum: - - none - - passive - - aggressive - - force - - "" - nullable: true - type: string - crushRoot: - description: The root of the crush hierarchy utilized by the pool - nullable: true - type: string - deviceClass: - description: The device class the OSD should set to for use in the pool - nullable: true - type: string - enableCrushUpdates: - description: Allow rook operator to change the pool CRUSH tunables once the pool is created - nullable: true - type: boolean - enableRBDStats: - description: EnableRBDStats is used to enable gathering of statistics for all RBD images in the pool - type: boolean - erasureCoded: - description: The erasure code settings - properties: - algorithm: - description: |- - The algorithm for erasure coding. - If absent, defaults to the plugin specified in osd_pool_default_erasure_code_profile. 
- enum: - - isa - - jerasure - type: string - codingChunks: - description: |- - Number of coding chunks per object in an erasure coded storage pool (required for erasure-coded pool type). - This is the number of OSDs that can be lost simultaneously before data cannot be recovered. - minimum: 0 - type: integer - dataChunks: - description: |- - Number of data chunks per object in an erasure coded storage pool (required for erasure-coded pool type). - The number of chunks required to recover an object when any single OSD is lost is the same - as dataChunks so be aware that the larger the number of data chunks, the higher the cost of recovery. - minimum: 0 - type: integer - required: - - codingChunks - - dataChunks - type: object - failureDomain: - description: 'The failure domain: osd/host/(region or zone if available) - technically also any type in the crush map' - type: string - mirroring: - description: The mirroring settings - properties: - enabled: - description: Enabled whether this pool is mirrored or not - type: boolean - mode: - description: 'Mode is the mirroring mode: pool, image or init-only.' - enum: - - pool - - image - - init-only - type: string - peers: - description: Peers represents the peers spec - nullable: true - properties: - secretNames: - description: SecretNames represents the Kubernetes Secret names to add rbd-mirror or cephfs-mirror peers - items: - type: string - type: array - type: object - snapshotSchedules: - description: SnapshotSchedules is the scheduling of snapshot for mirrored images/pools - items: - description: SnapshotScheduleSpec represents the snapshot scheduling settings of a mirrored pool - properties: - interval: - description: Interval represent the periodicity of the snapshot. 
- type: string - path: - description: Path is the path to snapshot, only valid for CephFS - type: string - startTime: - description: StartTime indicates when to start the snapshot - type: string - type: object - type: array - type: object - parameters: - additionalProperties: - type: string - description: Parameters is a list of properties to enable on a given pool - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - quotas: - description: The quota settings - nullable: true - properties: - maxBytes: - description: |- - MaxBytes represents the quota in bytes - Deprecated in favor of MaxSize - format: int64 - type: integer - maxObjects: - description: MaxObjects represents the quota in objects - format: int64 - type: integer - maxSize: - description: MaxSize represents the quota in bytes as a string - pattern: ^[0-9]+[\.]?[0-9]*([KMGTPE]i|[kMGTPE])?$ - type: string - type: object - replicated: - description: The replication settings - properties: - hybridStorage: - description: HybridStorage represents hybrid storage tier settings - nullable: true - properties: - primaryDeviceClass: - description: PrimaryDeviceClass represents high performance tier (for example SSD or NVME) for Primary OSD - minLength: 1 - type: string - secondaryDeviceClass: - description: SecondaryDeviceClass represents low performance tier (for example HDDs) for remaining OSDs - minLength: 1 - type: string - required: - - primaryDeviceClass - - secondaryDeviceClass - type: object - replicasPerFailureDomain: - description: ReplicasPerFailureDomain the number of replica in the specified failure domain - minimum: 1 - type: integer - requireSafeReplicaSize: - description: RequireSafeReplicaSize if false allows you to set replica 1 - type: boolean - size: - description: Size - Number of copies per object in a replicated storage pool, including the object itself (required for replicated pool type) - minimum: 0 - type: integer - subFailureDomain: - description: SubFailureDomain 
the name of the sub-failure domain - type: string - targetSizeRatio: - description: TargetSizeRatio gives a hint (%) to Ceph in terms of expected consumption of the total cluster capacity - minimum: 0 - type: number - required: - - size - type: object - statusCheck: - description: The mirroring statusCheck - properties: - mirror: - description: HealthCheckSpec represents the health check of an object store bucket - nullable: true - properties: - disabled: - type: boolean - interval: - description: Interval is the internal in second or minute for the health check to run like 60s for 60 seconds - type: string - timeout: - type: string - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - defaultRealm: - description: |- - Set this realm as the default in Ceph. Only one realm should be default. - Do not set this true on more than one CephObjectStore. - This may not be set when zone is also specified; in this case, the realm - referenced by the zone's zonegroup should configure defaulting behavior. - type: boolean - gateway: - description: The rgw pod info - nullable: true - properties: - additionalVolumeMounts: - description: |- - AdditionalVolumeMounts allows additional volumes to be mounted to the RGW pod. - The root directory for each additional volume mount is `/var/rgw`. - Example: for an additional mount at subPath `ldap`, mounted from a secret that has key - `bindpass.secret`, the file would reside at `/var/rgw/ldap/bindpass.secret`. - items: - description: |- - AdditionalVolumeMount represents the source from where additional files in pod containers - should come from and what subdirectory they are made available in. - properties: - subPath: - description: |- - SubPath defines the sub-path (subdirectory) of the directory root where the volumeSource will - be mounted. All files/keys in the volume source's volume will be mounted to the subdirectory. - This is not the same as the Kubernetes `subPath` volume mount option. 
- Each subPath definition must be unique and must not contain ':'. - minLength: 1 - pattern: ^[^:]+$ - type: string - volumeSource: - properties: - configMap: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - emptyDir: - properties: - medium: - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - hostPath: - properties: - path: - type: string - type: - type: string - required: - - path - type: object - persistentVolumeClaim: - properties: - claimName: - type: string - readOnly: - type: boolean - required: - - claimName - type: object - projected: - properties: - defaultMode: - format: int32 - type: integer - sources: - items: - properties: - clusterTrustBundle: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - name: - type: string - optional: - type: boolean - path: - type: string - signerName: - type: string - required: - - path - type: object - configMap: - properties: - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic 
- name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - properties: - items: - items: - properties: - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - format: int32 - type: integer - path: - type: string - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - type: string - optional: - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - properties: - audience: - type: string - expirationSeconds: - format: int64 - type: integer - path: - type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - type: boolean - secretName: - type: string - type: object - type: object - required: - - subPath - - volumeSource - type: object - type: array - annotations: - additionalProperties: - type: string - description: The annotations-related 
configuration to add/set on each Pod related object. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - caBundleRef: - description: The name of the secret that stores custom ca-bundle with root and intermediate certificates. - nullable: true - type: string - dashboardEnabled: - description: Whether rgw dashboard is enabled for the rgw daemon. If not set, the rgw dashboard will be enabled. - nullable: true - type: boolean - x-kubernetes-preserve-unknown-fields: true - disableMultisiteSyncTraffic: - description: |- - DisableMultisiteSyncTraffic, when true, prevents this object store's gateways from - transmitting multisite replication data. Note that this value does not affect whether - gateways receive multisite replication traffic: see ObjectZone.spec.customEndpoints for that. - If false or unset, this object store's gateways will be able to transmit multisite - replication data. - type: boolean - externalRgwEndpoints: - description: |- - ExternalRgwEndpoints points to external RGW endpoint(s). Multiple endpoints can be given, but - for stability of ObjectBucketClaims, we highly recommend that users give only a single - external RGW endpoint that is a load balancer that sends requests to the multiple RGWs. - items: - description: |- - EndpointAddress is a tuple that describes a single IP address or host name. This is a subset of - Kubernetes's v1.EndpointAddress. - properties: - hostname: - description: The DNS-addressable Hostname of this endpoint. This field will be preferred over IP if both are given. - type: string - ip: - description: The IP of this endpoint. As a legacy behavior, this supports being given a DNS-addressable hostname as well. - type: string - type: object - x-kubernetes-map-type: atomic - nullable: true - type: array - hostNetwork: - description: Whether host networking is enabled for the rgw daemon. If not set, the network settings from the cluster CR will be applied. 
- nullable: true - type: boolean - x-kubernetes-preserve-unknown-fields: true - instances: - description: The number of pods in the rgw replicaset. - format: int32 - nullable: true - type: integer - labels: - additionalProperties: - type: string - description: The labels-related configuration to add/set on each Pod related object. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - opsLogSidecar: - description: Enable enhanced operation Logs for S3 in a sidecar named ops-log - nullable: true - properties: - resources: - description: Resources represents the way to specify resource requirements for the ops-log sidecar - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - type: object - placement: - nullable: true - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - 
x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: 
- properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - 
namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - 
x-kubernetes-list-type: atomic - type: object - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - topologySpreadConstraints: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - format: int32 - type: integer - minDomains: - format: int32 - type: integer - nodeAffinityPolicy: - type: string - nodeTaintsPolicy: - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - port: - description: The port the rgw service will be listening on (http) - format: int32 - type: integer - priorityClassName: - description: PriorityClassName sets priority classes on the rgw pods - type: string - readAffinity: - description: |- - ReadAffinity defines the RGW read affinity policy to optimize the read requests for the RGW clients - Note: Only supported from Ceph Tentacle (v20) - properties: - type: - description: |- - Type defines the RGW ReadAffinity type - localize: read from the nearest OSD based on crush location of the RGW client - balance: picks a random OSD from the PG's active set - default: read from the primary OSD - enum: - - localize - - balance - - default - type: string - required: - - type - type: object - resources: - description: The resource requirements 
for the rgw pods - nullable: true - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - rgwCommandFlags: - additionalProperties: - type: string - description: |- - RgwCommandFlags sets Ceph RGW config values for the gateway clients that serve this object - store. Values are modified at RGW startup, resulting in RGW pod restarts. - This feature is intended for advanced users. It allows breaking configurations to be easily - applied. Use with caution. - nullable: true - type: object - rgwConfig: - additionalProperties: - type: string - description: |- - RgwConfig sets Ceph RGW config values for the gateway clients that serve this object store. - Values are modified at runtime without RGW restart. - This feature is intended for advanced users. It allows breaking configurations to be easily - applied. Use with caution. - nullable: true - type: object - rgwConfigFromSecret: - additionalProperties: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - description: |- - RgwConfigFromSecret works exactly like RgwConfig but takes config value from Secret Key reference. - Values are modified at runtime without RGW restart. - This feature is intended for advanced users. It allows breaking configurations to be easily - applied. Use with caution. 
- nullable: true - type: object - securePort: - description: The port the rgw service will be listening on (https) - format: int32 - maximum: 65535 - minimum: 0 - nullable: true - type: integer - service: - description: The configuration related to add/set on each rgw service. - nullable: true - properties: - annotations: - additionalProperties: - type: string - description: |- - The annotations-related configuration to add/set on each rgw service. - nullable - optional - type: object - type: object - sslCertificateRef: - description: The name of the secret that stores the ssl certificate for secure rgw connections - nullable: true - type: string - type: object - healthCheck: - description: The RGW health probes - nullable: true - properties: - readinessProbe: - description: ProbeSpec is a wrapper around Probe so it can be enabled or disabled for a Ceph daemon - properties: - disabled: - description: Disabled determines whether probe is disable or not - type: boolean - probe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. - properties: - exec: - description: Exec specifies a command to execute in the container. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. 
- format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - startupProbe: - description: ProbeSpec is a wrapper around Probe so it can be enabled or disabled for a Ceph daemon - properties: - disabled: - description: Disabled determines whether probe is disable or not - type: boolean - probe: - description: |- - Probe describes a health check to be performed against a container to determine whether it is - alive or ready to receive traffic. - properties: - exec: - description: Exec specifies a command to execute in the container. 
- properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies a GRPC HealthCheckRequest. - properties: - port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies an HTTP GET request to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. 
- type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies a connection to a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - type: object - type: object - hosting: - description: |- - Hosting settings for the object store. - A common use case for hosting configuration is to inform Rook of endpoints that support DNS - wildcards, which in turn allows virtual host-style bucket addressing. - nullable: true - properties: - advertiseEndpoint: - description: |- - AdvertiseEndpoint is the default endpoint Rook will return for resources dependent on this - object store. This endpoint will be returned to CephObjectStoreUsers, Object Bucket Claims, - and COSI Buckets/Accesses. - By default, Rook returns the endpoint for the object store's Kubernetes service using HTTPS - with `gateway.securePort` if it is defined (otherwise, HTTP with `gateway.port`). - nullable: true - properties: - dnsName: - description: |- - DnsName is the DNS name (in RFC-1123 format) of the endpoint. - If the DNS name corresponds to an endpoint with DNS wildcard support, do not include the - wildcard itself in the list of hostnames. - E.g., use "mystore.example.com" instead of "*.mystore.example.com". - minLength: 1 - type: string - port: - description: Port is the port on which S3 connections can be made for this endpoint. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - useTls: - description: UseTls defines whether the endpoint uses TLS (HTTPS) or not (HTTP). - type: boolean - required: - - dnsName - - port - - useTls - type: object - dnsNames: - description: |- - A list of DNS host names on which object store gateways will accept client S3 connections. - When specified, object store gateways will reject client S3 connections to hostnames that are - not present in this list, so include all endpoints. 
- The object store's advertiseEndpoint and Kubernetes service endpoint, plus CephObjectZone - `customEndpoints` are automatically added to the list but may be set here again if desired. - Each DNS name must be valid according RFC-1123. - If the DNS name corresponds to an endpoint with DNS wildcard support, do not include the - wildcard itself in the list of hostnames. - E.g., use "mystore.example.com" instead of "*.mystore.example.com". - items: - type: string - type: array - type: object - metadataPool: - description: The metadata pool settings - nullable: true - properties: - application: - description: The application name to set on the pool. Only expected to be set for rgw pools. - type: string - compressionMode: - description: |- - DEPRECATED: use Parameters instead, e.g., Parameters["compression_mode"] = "force" - The inline compression mode in Bluestore OSD to set to (options are: none, passive, aggressive, force) - Do NOT set a default value for kubebuilder as this will override the Parameters - enum: - - none - - passive - - aggressive - - force - - "" - nullable: true - type: string - crushRoot: - description: The root of the crush hierarchy utilized by the pool - nullable: true - type: string - deviceClass: - description: The device class the OSD should set to for use in the pool - nullable: true - type: string - enableCrushUpdates: - description: Allow rook operator to change the pool CRUSH tunables once the pool is created - nullable: true - type: boolean - enableRBDStats: - description: EnableRBDStats is used to enable gathering of statistics for all RBD images in the pool - type: boolean - erasureCoded: - description: The erasure code settings - properties: - algorithm: - description: |- - The algorithm for erasure coding. - If absent, defaults to the plugin specified in osd_pool_default_erasure_code_profile. 
- enum: - - isa - - jerasure - type: string - codingChunks: - description: |- - Number of coding chunks per object in an erasure coded storage pool (required for erasure-coded pool type). - This is the number of OSDs that can be lost simultaneously before data cannot be recovered. - minimum: 0 - type: integer - dataChunks: - description: |- - Number of data chunks per object in an erasure coded storage pool (required for erasure-coded pool type). - The number of chunks required to recover an object when any single OSD is lost is the same - as dataChunks so be aware that the larger the number of data chunks, the higher the cost of recovery. - minimum: 0 - type: integer - required: - - codingChunks - - dataChunks - type: object - failureDomain: - description: 'The failure domain: osd/host/(region or zone if available) - technically also any type in the crush map' - type: string - mirroring: - description: The mirroring settings - properties: - enabled: - description: Enabled whether this pool is mirrored or not - type: boolean - mode: - description: 'Mode is the mirroring mode: pool, image or init-only.' - enum: - - pool - - image - - init-only - type: string - peers: - description: Peers represents the peers spec - nullable: true - properties: - secretNames: - description: SecretNames represents the Kubernetes Secret names to add rbd-mirror or cephfs-mirror peers - items: - type: string - type: array - type: object - snapshotSchedules: - description: SnapshotSchedules is the scheduling of snapshot for mirrored images/pools - items: - description: SnapshotScheduleSpec represents the snapshot scheduling settings of a mirrored pool - properties: - interval: - description: Interval represent the periodicity of the snapshot. 
- type: string - path: - description: Path is the path to snapshot, only valid for CephFS - type: string - startTime: - description: StartTime indicates when to start the snapshot - type: string - type: object - type: array - type: object - parameters: - additionalProperties: - type: string - description: Parameters is a list of properties to enable on a given pool - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - quotas: - description: The quota settings - nullable: true - properties: - maxBytes: - description: |- - MaxBytes represents the quota in bytes - Deprecated in favor of MaxSize - format: int64 - type: integer - maxObjects: - description: MaxObjects represents the quota in objects - format: int64 - type: integer - maxSize: - description: MaxSize represents the quota in bytes as a string - pattern: ^[0-9]+[\.]?[0-9]*([KMGTPE]i|[kMGTPE])?$ - type: string - type: object - replicated: - description: The replication settings - properties: - hybridStorage: - description: HybridStorage represents hybrid storage tier settings - nullable: true - properties: - primaryDeviceClass: - description: PrimaryDeviceClass represents high performance tier (for example SSD or NVME) for Primary OSD - minLength: 1 - type: string - secondaryDeviceClass: - description: SecondaryDeviceClass represents low performance tier (for example HDDs) for remaining OSDs - minLength: 1 - type: string - required: - - primaryDeviceClass - - secondaryDeviceClass - type: object - replicasPerFailureDomain: - description: ReplicasPerFailureDomain the number of replica in the specified failure domain - minimum: 1 - type: integer - requireSafeReplicaSize: - description: RequireSafeReplicaSize if false allows you to set replica 1 - type: boolean - size: - description: Size - Number of copies per object in a replicated storage pool, including the object itself (required for replicated pool type) - minimum: 0 - type: integer - subFailureDomain: - description: SubFailureDomain 
the name of the sub-failure domain - type: string - targetSizeRatio: - description: TargetSizeRatio gives a hint (%) to Ceph in terms of expected consumption of the total cluster capacity - minimum: 0 - type: number - required: - - size - type: object - statusCheck: - description: The mirroring statusCheck - properties: - mirror: - description: HealthCheckSpec represents the health check of an object store bucket - nullable: true - properties: - disabled: - type: boolean - interval: - description: Interval is the internal in second or minute for the health check to run like 60s for 60 seconds - type: string - timeout: - type: string - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - preservePoolsOnDelete: - description: Preserve pools on object store deletion - type: boolean - protocols: - description: The protocol specification - properties: - enableAPIs: - description: |- - Represents RGW 'rgw_enable_apis' config option. See: https://docs.ceph.com/en/reef/radosgw/config-ref/#confval-rgw_enable_apis - If no value provided then all APIs will be enabled: s3, s3website, swift, swift_auth, admin, sts, iam, notifications - If enabled APIs are set, all remaining APIs will be disabled. - This option overrides S3.Enabled value. - items: - enum: - - s3 - - s3website - - swift - - swift_auth - - admin - - sts - - iam - - notifications - type: string - nullable: true - type: array - s3: - description: The spec for S3 - nullable: true - properties: - authUseKeystone: - description: Whether to use Keystone for authentication. This option maps directly to the rgw_s3_auth_use_keystone option. Enabling it allows generating S3 credentials via an OpenStack API call, see the docs. If not given, the defaults of the corresponding RGW option apply. - nullable: true - type: boolean - enabled: - description: |- - Deprecated: use protocol.enableAPIs instead. - Whether to enable S3. 
This defaults to true (even if protocols.s3 is not present in the CRD). This maintains backwards compatibility – by default S3 is enabled. - nullable: true - type: boolean - type: object - swift: - description: The spec for Swift - nullable: true - properties: - accountInUrl: - description: Whether or not the Swift account name should be included in the Swift API URL. If set to false (the default), then the Swift API will listen on a URL formed like http://host:port//v1. If set to true, the Swift API URL will be http://host:port//v1/AUTH_. You must set this option to true (and update the Keystone service catalog) if you want radosgw to support publicly-readable containers and temporary URLs. - nullable: true - type: boolean - urlPrefix: - description: The URL prefix for the Swift API, to distinguish it from the S3 API endpoint. The default is swift, which makes the Swift API available at the URL http://host:port/swift/v1 (or http://host:port/swift/v1/AUTH_%(tenant_id)s if rgw swift account in url is enabled). - nullable: true - type: string - versioningEnabled: - description: Enables the Object Versioning of OpenStack Object Storage API. This allows clients to put the X-Versions-Location attribute on containers that should be versioned. - nullable: true - type: boolean - type: object - type: object - security: - description: Security represents security settings - nullable: true - properties: - keyRotation: - description: KeyRotation defines options for Key Rotation. - nullable: true - properties: - enabled: - default: false - description: Enabled represents whether the key rotation is enabled. - type: boolean - schedule: - description: Schedule represents the cron schedule for key rotation. 
- type: string - type: object - kms: - description: KeyManagementService is the main Key Management option - nullable: true - properties: - connectionDetails: - additionalProperties: - type: string - description: ConnectionDetails contains the KMS connection details (address, port etc) - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - tokenSecretName: - description: TokenSecretName is the kubernetes secret containing the KMS token - type: string - type: object - s3: - description: The settings for supporting AWS-SSE:S3 with RGW - nullable: true - properties: - connectionDetails: - additionalProperties: - type: string - description: ConnectionDetails contains the KMS connection details (address, port etc) - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - tokenSecretName: - description: TokenSecretName is the kubernetes secret containing the KMS token - type: string - type: object - type: object - sharedPools: - description: The pool information when configuring RADOS namespaces in existing pools. - nullable: true - properties: - dataPoolName: - description: The data pool used for creating RADOS namespaces in the object store - type: string - x-kubernetes-validations: - - message: object store shared data pool is immutable - rule: self == oldSelf - metadataPoolName: - description: The metadata pool used for creating RADOS namespaces in the object store - type: string - x-kubernetes-validations: - - message: object store shared metadata pool is immutable - rule: self == oldSelf - poolPlacements: - description: |- - PoolPlacements control which Pools are associated with a particular RGW bucket. - Once PoolPlacements are defined, RGW client will be able to associate pool - with ObjectStore bucket by providing "" during s3 bucket creation - or "X-Storage-Policy" header during swift container creation. 
- See: https://docs.ceph.com/en/latest/radosgw/placement/#placement-targets - PoolPlacement with name: "default" will be used as a default pool if no option - is provided during bucket creation. - If default placement is not provided, spec.sharedPools.dataPoolName and spec.sharedPools.MetadataPoolName will be used as default pools. - If spec.sharedPools are also empty, then RGW pools (spec.dataPool and spec.metadataPool) will be used as defaults. - items: - properties: - dataNonECPoolName: - description: |- - The data pool used to store ObjectStore data that cannot use erasure coding (ex: multi-part uploads). - If dataPoolName is not erasure coded, then there is no need for dataNonECPoolName. - type: string - dataPoolName: - description: The data pool used to store ObjectStore objects data. - minLength: 1 - type: string - default: - description: |- - Sets given placement as default. Only one placement in the list can be marked as default. - Default is false. - type: boolean - metadataPoolName: - description: The metadata pool used to store ObjectStore bucket index. - minLength: 1 - type: string - name: - description: Pool placement name. Name can be arbitrary. Placement with name "default" will be used as default. - minLength: 1 - pattern: ^[a-zA-Z0-9._/-]+$ - type: string - storageClasses: - description: |- - StorageClasses can be selected by user to override dataPoolName during object creation. - Each placement has default STANDARD StorageClass pointing to dataPoolName. - This list allows defining additional StorageClasses on top of default STANDARD storage class. - items: - properties: - dataPoolName: - description: DataPoolName is the data pool used to store ObjectStore objects data. - minLength: 1 - type: string - name: - description: |- - Name is the StorageClass name. 
Ceph allows arbitrary name for StorageClasses, - however most clients/libs insist on AWS names so it is recommended to use - one of the valid x-amz-storage-class values for better compatibility: - REDUCED_REDUNDANCY | STANDARD_IA | ONEZONE_IA | INTELLIGENT_TIERING | GLACIER | DEEP_ARCHIVE | OUTPOSTS | GLACIER_IR | SNOW | EXPRESS_ONEZONE - See AWS docs: https://aws.amazon.com/de/s3/storage-classes/ - minLength: 1 - pattern: ^[a-zA-Z0-9._/-]+$ - type: string - required: - - dataPoolName - - name - type: object - type: array - required: - - dataPoolName - - metadataPoolName - - name - type: object - type: array - preserveRadosNamespaceDataOnDelete: - description: Whether the RADOS namespaces should be preserved on deletion of the object store - type: boolean - type: object - zone: - description: The multisite info - nullable: true - properties: - name: - description: CephObjectStoreZone name this CephObjectStore is part of - type: string - required: - - name - type: object - type: object - x-kubernetes-validations: - - message: defaultRealm must not be true when zone.name is set (multisite configuration) - rule: '!(has(self.defaultRealm) && self.defaultRealm == true && has(self.zone) && size(self.zone.name) > 0)' - status: - description: ObjectStoreStatus represents the status of a Ceph Object Store resource - properties: - cephx: - properties: - daemon: - description: Daemon shows the CephX key status for local Ceph daemons associated with this resources. - properties: - keyCephVersion: - description: |- - KeyCephVersion reports the Ceph version that created the current generation's keys. This is - same string format as reported by `CephCluster.status.version.version` to allow them to be - compared. E.g., `20.2.0-0`. - For all newly-created resources, this field set to the version of Ceph that created the key. - The special value "Uninitialized" indicates that keys are being created for the first time. 
- An empty string indicates that the version is unknown, as expected in brownfield deployments. - type: string - keyGeneration: - description: |- - KeyGeneration represents the CephX key generation for the last successful reconcile. - For all newly-created resources, this field is set to `1`. - When keys are rotated due to any rotation policy, the generation is incremented or updated to - the configured policy generation. - Generation `0` indicates that keys existed prior to the implementation of key tracking. - format: int32 - type: integer - type: object - type: object - conditions: - items: - description: Condition represents a status condition on any Rook-Ceph Custom Resource. - properties: - lastHeartbeatTime: - format: date-time - type: string - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - description: ConditionReason is a reason for a condition - type: string - status: - type: string - type: - description: ConditionType represent a resource's status - type: string - type: object - type: array - endpoints: - properties: - insecure: - items: - type: string - nullable: true - type: array - secure: - items: - type: string - nullable: true - type: array - type: object - info: - additionalProperties: - type: string - nullable: true - type: object - message: - type: string - observedGeneration: - description: ObservedGeneration is the latest generation observed by the controller. 
- format: int64 - type: integer - phase: - description: ConditionType represent a resource's status - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephobjectstoreusers.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephObjectStoreUser - listKind: CephObjectStoreUserList - plural: cephobjectstoreusers - shortNames: - - rcou - - objectuser - - cephosu - singular: cephobjectstoreuser - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.phase - name: Phase - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CephObjectStoreUser represents a Ceph Object Store Gateway User - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ObjectStoreUserSpec represent the spec of an Objectstoreuser - properties: - capabilities: - description: Additional admin-level capabilities for the Ceph object store user - nullable: true - properties: - amz-cache: - description: Add capabilities for user to send request to RGW Cache API header. Documented in https://docs.ceph.com/en/latest/radosgw/rgw-cache/#cache-api - enum: - - '*' - - read - - write - - read, write - type: string - bilog: - description: Add capabilities for user to change bucket index logging. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities - enum: - - '*' - - read - - write - - read, write - type: string - bucket: - description: Admin capabilities to read/write Ceph object store buckets. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities - enum: - - '*' - - read - - write - - read, write - type: string - buckets: - description: Admin capabilities to read/write Ceph object store buckets. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities - enum: - - '*' - - read - - write - - read, write - type: string - datalog: - description: Add capabilities for user to change data logging. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities - enum: - - '*' - - read - - write - - read, write - type: string - info: - description: Admin capabilities to read/write information about the user. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities - enum: - - '*' - - read - - write - - read, write - type: string - mdlog: - description: Add capabilities for user to change metadata logging. 
Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities - enum: - - '*' - - read - - write - - read, write - type: string - metadata: - description: Admin capabilities to read/write Ceph object store metadata. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities - enum: - - '*' - - read - - write - - read, write - type: string - oidc-provider: - description: Add capabilities for user to change oidc provider. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities - enum: - - '*' - - read - - write - - read, write - type: string - ratelimit: - description: Add capabilities for user to set rate limiter for user and bucket. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities - enum: - - '*' - - read - - write - - read, write - type: string - roles: - description: Admin capabilities to read/write roles for user. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities - enum: - - '*' - - read - - write - - read, write - type: string - usage: - description: Admin capabilities to read/write Ceph object store usage. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities - enum: - - '*' - - read - - write - - read, write - type: string - user: - description: Admin capabilities to read/write Ceph object store users. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities - enum: - - '*' - - read - - write - - read, write - type: string - user-policy: - description: Add capabilities for user to change user policies. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities - enum: - - '*' - - read - - write - - read, write - type: string - users: - description: Admin capabilities to read/write Ceph object store users. 
Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities - enum: - - '*' - - read - - write - - read, write - type: string - zone: - description: Admin capabilities to read/write Ceph object store zones. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities - enum: - - '*' - - read - - write - - read, write - type: string - type: object - clusterNamespace: - description: The namespace where the parent CephCluster and CephObjectStore are found - type: string - displayName: - description: The display name for the ceph user. - type: string - keys: - description: |- - Allows specifying credentials for the user. If not provided, the operator - will generate them. - items: - description: |- - ObjectUserKey defines a set of rgw user access credentials to be retrieved - from secret resources. - properties: - accessKeyRef: - description: Secret key selector for the access_key (commonly referred to as AWS_ACCESS_KEY_ID). - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Secret key selector for the secret_key (commonly referred to as AWS_SECRET_ACCESS_KEY). - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - type: array - quotas: - description: ObjectUserQuotaSpec can be used to set quotas for the object store user to limit their usage. See the [Ceph docs](https://docs.ceph.com/en/latest/radosgw/admin/?#quota-management) for more - nullable: true - properties: - maxBuckets: - description: Maximum bucket limit for the ceph user - nullable: true - type: integer - maxObjects: - description: Maximum number of objects across all the user's buckets - format: int64 - nullable: true - type: integer - maxSize: - anyOf: - - type: integer - - type: string - description: |- - Maximum size limit of all objects across all the user's buckets - See https://pkg.go.dev/k8s.io/apimachinery/pkg/api/resource#Quantity for more info. - nullable: true - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - store: - description: The store the user will be created in - type: string - type: object - status: - description: ObjectStoreUserStatus represents the status Ceph Object Store Gateway User - properties: - info: - additionalProperties: - type: string - nullable: true - type: object - keys: - items: - properties: - name: - description: name is unique within a namespace to reference a secret resource. - type: string - namespace: - description: namespace defines the space within which the secret name must be unique. 
- type: string - resourceVersion: - type: string - uid: - description: |- - UID is a type that holds unique ID values, including UUIDs. Because we - don't ONLY use UUIDs, this is an alias to string. Being a type captures - intent and helps make sure that UIDs and names do not get conflated. - type: string - type: object - x-kubernetes-map-type: atomic - nullable: true - type: array - observedGeneration: - description: ObservedGeneration is the latest generation observed by the controller. - format: int64 - type: integer - phase: - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephobjectzonegroups.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephObjectZoneGroup - listKind: CephObjectZoneGroupList - plural: cephobjectzonegroups - shortNames: - - cephozg - singular: cephobjectzonegroup - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.phase - name: Phase - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CephObjectZoneGroup represents a Ceph Object Store Gateway Zone Group - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. 
- Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ObjectZoneGroupSpec represent the spec of an ObjectZoneGroup - properties: - realm: - description: The name of the realm the zone group is a member of. - type: string - required: - - realm - type: object - status: - description: Status represents the status of an object - properties: - conditions: - items: - description: Condition represents a status condition on any Rook-Ceph Custom Resource. - properties: - lastHeartbeatTime: - format: date-time - type: string - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - description: ConditionReason is a reason for a condition - type: string - status: - type: string - type: - description: ConditionType represent a resource's status - type: string - type: object - type: array - observedGeneration: - description: ObservedGeneration is the latest generation observed by the controller. 
- format: int64 - type: integer - phase: - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephobjectzones.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephObjectZone - listKind: CephObjectZoneList - plural: cephobjectzones - shortNames: - - cephoz - singular: cephobjectzone - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.phase - name: Phase - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CephObjectZone represents a Ceph Object Store Gateway Zone - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ObjectZoneSpec represent the spec of an ObjectZone - properties: - customEndpoints: - description: |- - If this zone cannot be accessed from other peer Ceph clusters via the ClusterIP Service - endpoint created by Rook, you must set this to the externally reachable endpoint(s). You may - include the port in the definition. For example: "https://my-object-store.my-domain.net:443". - In many cases, you should set this to the endpoint of the ingress resource that makes the - CephObjectStore associated with this CephObjectStoreZone reachable to peer clusters. - The list can have one or more endpoints pointing to different RGW servers in the zone. - - If a CephObjectStore endpoint is omitted from this list, that object store's gateways will - not receive multisite replication data - (see CephObjectStore.spec.gateway.disableMultisiteSyncTraffic). - items: - type: string - nullable: true - type: array - dataPool: - description: The data pool settings - nullable: true - properties: - application: - description: The application name to set on the pool. Only expected to be set for rgw pools. 
- type: string - compressionMode: - description: |- - DEPRECATED: use Parameters instead, e.g., Parameters["compression_mode"] = "force" - The inline compression mode in Bluestore OSD to set to (options are: none, passive, aggressive, force) - Do NOT set a default value for kubebuilder as this will override the Parameters - enum: - - none - - passive - - aggressive - - force - - "" - nullable: true - type: string - crushRoot: - description: The root of the crush hierarchy utilized by the pool - nullable: true - type: string - deviceClass: - description: The device class the OSD should set to for use in the pool - nullable: true - type: string - enableCrushUpdates: - description: Allow rook operator to change the pool CRUSH tunables once the pool is created - nullable: true - type: boolean - enableRBDStats: - description: EnableRBDStats is used to enable gathering of statistics for all RBD images in the pool - type: boolean - erasureCoded: - description: The erasure code settings - properties: - algorithm: - description: |- - The algorithm for erasure coding. - If absent, defaults to the plugin specified in osd_pool_default_erasure_code_profile. - enum: - - isa - - jerasure - type: string - codingChunks: - description: |- - Number of coding chunks per object in an erasure coded storage pool (required for erasure-coded pool type). - This is the number of OSDs that can be lost simultaneously before data cannot be recovered. - minimum: 0 - type: integer - dataChunks: - description: |- - Number of data chunks per object in an erasure coded storage pool (required for erasure-coded pool type). - The number of chunks required to recover an object when any single OSD is lost is the same - as dataChunks so be aware that the larger the number of data chunks, the higher the cost of recovery. 
- minimum: 0 - type: integer - required: - - codingChunks - - dataChunks - type: object - failureDomain: - description: 'The failure domain: osd/host/(region or zone if available) - technically also any type in the crush map' - type: string - mirroring: - description: The mirroring settings - properties: - enabled: - description: Enabled whether this pool is mirrored or not - type: boolean - mode: - description: 'Mode is the mirroring mode: pool, image or init-only.' - enum: - - pool - - image - - init-only - type: string - peers: - description: Peers represents the peers spec - nullable: true - properties: - secretNames: - description: SecretNames represents the Kubernetes Secret names to add rbd-mirror or cephfs-mirror peers - items: - type: string - type: array - type: object - snapshotSchedules: - description: SnapshotSchedules is the scheduling of snapshot for mirrored images/pools - items: - description: SnapshotScheduleSpec represents the snapshot scheduling settings of a mirrored pool - properties: - interval: - description: Interval represent the periodicity of the snapshot. 
- type: string - path: - description: Path is the path to snapshot, only valid for CephFS - type: string - startTime: - description: StartTime indicates when to start the snapshot - type: string - type: object - type: array - type: object - parameters: - additionalProperties: - type: string - description: Parameters is a list of properties to enable on a given pool - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - quotas: - description: The quota settings - nullable: true - properties: - maxBytes: - description: |- - MaxBytes represents the quota in bytes - Deprecated in favor of MaxSize - format: int64 - type: integer - maxObjects: - description: MaxObjects represents the quota in objects - format: int64 - type: integer - maxSize: - description: MaxSize represents the quota in bytes as a string - pattern: ^[0-9]+[\.]?[0-9]*([KMGTPE]i|[kMGTPE])?$ - type: string - type: object - replicated: - description: The replication settings - properties: - hybridStorage: - description: HybridStorage represents hybrid storage tier settings - nullable: true - properties: - primaryDeviceClass: - description: PrimaryDeviceClass represents high performance tier (for example SSD or NVME) for Primary OSD - minLength: 1 - type: string - secondaryDeviceClass: - description: SecondaryDeviceClass represents low performance tier (for example HDDs) for remaining OSDs - minLength: 1 - type: string - required: - - primaryDeviceClass - - secondaryDeviceClass - type: object - replicasPerFailureDomain: - description: ReplicasPerFailureDomain the number of replica in the specified failure domain - minimum: 1 - type: integer - requireSafeReplicaSize: - description: RequireSafeReplicaSize if false allows you to set replica 1 - type: boolean - size: - description: Size - Number of copies per object in a replicated storage pool, including the object itself (required for replicated pool type) - minimum: 0 - type: integer - subFailureDomain: - description: SubFailureDomain 
the name of the sub-failure domain - type: string - targetSizeRatio: - description: TargetSizeRatio gives a hint (%) to Ceph in terms of expected consumption of the total cluster capacity - minimum: 0 - type: number - required: - - size - type: object - statusCheck: - description: The mirroring statusCheck - properties: - mirror: - description: HealthCheckSpec represents the health check of an object store bucket - nullable: true - properties: - disabled: - type: boolean - interval: - description: Interval is the internal in second or minute for the health check to run like 60s for 60 seconds - type: string - timeout: - type: string - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - metadataPool: - description: The metadata pool settings - nullable: true - properties: - application: - description: The application name to set on the pool. Only expected to be set for rgw pools. - type: string - compressionMode: - description: |- - DEPRECATED: use Parameters instead, e.g., Parameters["compression_mode"] = "force" - The inline compression mode in Bluestore OSD to set to (options are: none, passive, aggressive, force) - Do NOT set a default value for kubebuilder as this will override the Parameters - enum: - - none - - passive - - aggressive - - force - - "" - nullable: true - type: string - crushRoot: - description: The root of the crush hierarchy utilized by the pool - nullable: true - type: string - deviceClass: - description: The device class the OSD should set to for use in the pool - nullable: true - type: string - enableCrushUpdates: - description: Allow rook operator to change the pool CRUSH tunables once the pool is created - nullable: true - type: boolean - enableRBDStats: - description: EnableRBDStats is used to enable gathering of statistics for all RBD images in the pool - type: boolean - erasureCoded: - description: The erasure code settings - properties: - algorithm: - description: |- - The algorithm for erasure 
coding. - If absent, defaults to the plugin specified in osd_pool_default_erasure_code_profile. - enum: - - isa - - jerasure - type: string - codingChunks: - description: |- - Number of coding chunks per object in an erasure coded storage pool (required for erasure-coded pool type). - This is the number of OSDs that can be lost simultaneously before data cannot be recovered. - minimum: 0 - type: integer - dataChunks: - description: |- - Number of data chunks per object in an erasure coded storage pool (required for erasure-coded pool type). - The number of chunks required to recover an object when any single OSD is lost is the same - as dataChunks so be aware that the larger the number of data chunks, the higher the cost of recovery. - minimum: 0 - type: integer - required: - - codingChunks - - dataChunks - type: object - failureDomain: - description: 'The failure domain: osd/host/(region or zone if available) - technically also any type in the crush map' - type: string - mirroring: - description: The mirroring settings - properties: - enabled: - description: Enabled whether this pool is mirrored or not - type: boolean - mode: - description: 'Mode is the mirroring mode: pool, image or init-only.' - enum: - - pool - - image - - init-only - type: string - peers: - description: Peers represents the peers spec - nullable: true - properties: - secretNames: - description: SecretNames represents the Kubernetes Secret names to add rbd-mirror or cephfs-mirror peers - items: - type: string - type: array - type: object - snapshotSchedules: - description: SnapshotSchedules is the scheduling of snapshot for mirrored images/pools - items: - description: SnapshotScheduleSpec represents the snapshot scheduling settings of a mirrored pool - properties: - interval: - description: Interval represent the periodicity of the snapshot. 
- type: string - path: - description: Path is the path to snapshot, only valid for CephFS - type: string - startTime: - description: StartTime indicates when to start the snapshot - type: string - type: object - type: array - type: object - parameters: - additionalProperties: - type: string - description: Parameters is a list of properties to enable on a given pool - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - quotas: - description: The quota settings - nullable: true - properties: - maxBytes: - description: |- - MaxBytes represents the quota in bytes - Deprecated in favor of MaxSize - format: int64 - type: integer - maxObjects: - description: MaxObjects represents the quota in objects - format: int64 - type: integer - maxSize: - description: MaxSize represents the quota in bytes as a string - pattern: ^[0-9]+[\.]?[0-9]*([KMGTPE]i|[kMGTPE])?$ - type: string - type: object - replicated: - description: The replication settings - properties: - hybridStorage: - description: HybridStorage represents hybrid storage tier settings - nullable: true - properties: - primaryDeviceClass: - description: PrimaryDeviceClass represents high performance tier (for example SSD or NVME) for Primary OSD - minLength: 1 - type: string - secondaryDeviceClass: - description: SecondaryDeviceClass represents low performance tier (for example HDDs) for remaining OSDs - minLength: 1 - type: string - required: - - primaryDeviceClass - - secondaryDeviceClass - type: object - replicasPerFailureDomain: - description: ReplicasPerFailureDomain the number of replica in the specified failure domain - minimum: 1 - type: integer - requireSafeReplicaSize: - description: RequireSafeReplicaSize if false allows you to set replica 1 - type: boolean - size: - description: Size - Number of copies per object in a replicated storage pool, including the object itself (required for replicated pool type) - minimum: 0 - type: integer - subFailureDomain: - description: SubFailureDomain 
the name of the sub-failure domain - type: string - targetSizeRatio: - description: TargetSizeRatio gives a hint (%) to Ceph in terms of expected consumption of the total cluster capacity - minimum: 0 - type: number - required: - - size - type: object - statusCheck: - description: The mirroring statusCheck - properties: - mirror: - description: HealthCheckSpec represents the health check of an object store bucket - nullable: true - properties: - disabled: - type: boolean - interval: - description: Interval is the internal in second or minute for the health check to run like 60s for 60 seconds - type: string - timeout: - type: string - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - preservePoolsOnDelete: - default: true - description: Preserve pools on object zone deletion - type: boolean - sharedPools: - description: The pool information when configuring RADOS namespaces in existing pools. - nullable: true - properties: - dataPoolName: - description: The data pool used for creating RADOS namespaces in the object store - type: string - x-kubernetes-validations: - - message: object store shared data pool is immutable - rule: self == oldSelf - metadataPoolName: - description: The metadata pool used for creating RADOS namespaces in the object store - type: string - x-kubernetes-validations: - - message: object store shared metadata pool is immutable - rule: self == oldSelf - poolPlacements: - description: |- - PoolPlacements control which Pools are associated with a particular RGW bucket. - Once PoolPlacements are defined, RGW client will be able to associate pool - with ObjectStore bucket by providing "" during s3 bucket creation - or "X-Storage-Policy" header during swift container creation. - See: https://docs.ceph.com/en/latest/radosgw/placement/#placement-targets - PoolPlacement with name: "default" will be used as a default pool if no option - is provided during bucket creation. 
- If default placement is not provided, spec.sharedPools.dataPoolName and spec.sharedPools.MetadataPoolName will be used as default pools. - If spec.sharedPools are also empty, then RGW pools (spec.dataPool and spec.metadataPool) will be used as defaults. - items: - properties: - dataNonECPoolName: - description: |- - The data pool used to store ObjectStore data that cannot use erasure coding (ex: multi-part uploads). - If dataPoolName is not erasure coded, then there is no need for dataNonECPoolName. - type: string - dataPoolName: - description: The data pool used to store ObjectStore objects data. - minLength: 1 - type: string - default: - description: |- - Sets given placement as default. Only one placement in the list can be marked as default. - Default is false. - type: boolean - metadataPoolName: - description: The metadata pool used to store ObjectStore bucket index. - minLength: 1 - type: string - name: - description: Pool placement name. Name can be arbitrary. Placement with name "default" will be used as default. - minLength: 1 - pattern: ^[a-zA-Z0-9._/-]+$ - type: string - storageClasses: - description: |- - StorageClasses can be selected by user to override dataPoolName during object creation. - Each placement has default STANDARD StorageClass pointing to dataPoolName. - This list allows defining additional StorageClasses on top of default STANDARD storage class. - items: - properties: - dataPoolName: - description: DataPoolName is the data pool used to store ObjectStore objects data. - minLength: 1 - type: string - name: - description: |- - Name is the StorageClass name. 
Ceph allows arbitrary name for StorageClasses, - however most clients/libs insist on AWS names so it is recommended to use - one of the valid x-amz-storage-class values for better compatibility: - REDUCED_REDUNDANCY | STANDARD_IA | ONEZONE_IA | INTELLIGENT_TIERING | GLACIER | DEEP_ARCHIVE | OUTPOSTS | GLACIER_IR | SNOW | EXPRESS_ONEZONE - See AWS docs: https://aws.amazon.com/de/s3/storage-classes/ - minLength: 1 - pattern: ^[a-zA-Z0-9._/-]+$ - type: string - required: - - dataPoolName - - name - type: object - type: array - required: - - dataPoolName - - metadataPoolName - - name - type: object - type: array - preserveRadosNamespaceDataOnDelete: - description: Whether the RADOS namespaces should be preserved on deletion of the object store - type: boolean - type: object - zoneGroup: - description: The name of the zone group the zone is a member of. - type: string - required: - - zoneGroup - type: object - status: - description: Status represents the status of an object - properties: - conditions: - items: - description: Condition represents a status condition on any Rook-Ceph Custom Resource. - properties: - lastHeartbeatTime: - format: date-time - type: string - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - description: ConditionReason is a reason for a condition - type: string - status: - type: string - type: - description: ConditionType represent a resource's status - type: string - type: object - type: array - observedGeneration: - description: ObservedGeneration is the latest generation observed by the controller. 
- format: int64 - type: integer - phase: - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: cephrbdmirrors.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephRBDMirror - listKind: CephRBDMirrorList - plural: cephrbdmirrors - shortNames: - - cephrbdm - singular: cephrbdmirror - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.phase - name: Phase - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CephRBDMirror represents a Ceph RBD Mirror - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: RBDMirroringSpec represents the specification of an RBD mirror daemon - properties: - annotations: - additionalProperties: - type: string - description: The annotations-related configuration to add/set on each Pod related object. 
- nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - count: - description: Count represents the number of rbd mirror instance to run - minimum: 1 - type: integer - labels: - additionalProperties: - type: string - description: The labels-related configuration to add/set on each Pod related object. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - peers: - description: Peers represents the peers spec - nullable: true - properties: - secretNames: - description: SecretNames represents the Kubernetes Secret names to add rbd-mirror or cephfs-mirror peers - items: - type: string - type: array - type: object - placement: - nullable: true - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - items: - properties: - key: - type: string - 
operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - 
key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - 
operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - tolerations: - items: - properties: - effect: - type: string - key: 
- type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - topologySpreadConstraints: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - format: int32 - type: integer - minDomains: - format: int32 - type: integer - nodeAffinityPolicy: - type: string - nodeTaintsPolicy: - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - priorityClassName: - description: PriorityClassName sets priority class on the rbd mirror pods - type: string - resources: - description: The resource requirements for the rbd mirror pods - nullable: true - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. 
- If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - count - type: object - status: - description: RBDMirrorStatus represents the status of the RBD mirror resource - properties: - cephx: - properties: - daemon: - description: Daemon shows the CephX key status for local Ceph daemons associated with this resources. - properties: - keyCephVersion: - description: |- - KeyCephVersion reports the Ceph version that created the current generation's keys. This is - same string format as reported by `CephCluster.status.version.version` to allow them to be - compared. E.g., `20.2.0-0`. - For all newly-created resources, this field set to the version of Ceph that created the key. 
- The special value "Uninitialized" indicates that keys are being created for the first time. - An empty string indicates that the version is unknown, as expected in brownfield deployments. - type: string - keyGeneration: - description: |- - KeyGeneration represents the CephX key generation for the last successful reconcile. - For all newly-created resources, this field is set to `1`. - When keys are rotated due to any rotation policy, the generation is incremented or updated to - the configured policy generation. - Generation `0` indicates that keys existed prior to the implementation of key tracking. - format: int32 - type: integer - type: object - type: object - conditions: - items: - description: Condition represents a status condition on any Rook-Ceph Custom Resource. - properties: - lastHeartbeatTime: - format: date-time - type: string - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - description: ConditionReason is a reason for a condition - type: string - status: - type: string - type: - description: ConditionType represent a resource's status - type: string - type: object - type: array - observedGeneration: - description: ObservedGeneration is the latest generation observed by the controller. 
- format: int64 - type: integer - phase: - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: objectbucketclaims.objectbucket.io - annotations: - helm.sh/resource-policy: keep -spec: - group: objectbucket.io - names: - kind: ObjectBucketClaim - listKind: ObjectBucketClaimList - plural: objectbucketclaims - singular: objectbucketclaim - shortNames: - - obc - - obcs - scope: Namespaced - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - storageClassName: - type: string - bucketName: - type: string - generateBucketName: - type: string - additionalConfig: - type: object - nullable: true - x-kubernetes-preserve-unknown-fields: true - objectBucketName: - type: string - status: - type: object - x-kubernetes-preserve-unknown-fields: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/templates/resources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: objectbuckets.objectbucket.io - annotations: - helm.sh/resource-policy: keep -spec: - group: objectbucket.io - names: - kind: ObjectBucket - listKind: ObjectBucketList - plural: objectbuckets - singular: objectbucket - shortNames: - - ob - - obs - scope: Cluster - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - storageClassName: - type: string - endpoint: - type: object - nullable: true - properties: - bucketHost: - type: string - bucketPort: - type: integer - format: int32 - bucketName: - type: string - region: - type: string - subRegion: - type: string - 
additionalConfig: - type: object - nullable: true - x-kubernetes-preserve-unknown-fields: true - authentication: - type: object - nullable: true - items: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalState: - type: object - nullable: true - x-kubernetes-preserve-unknown-fields: true - reclaimPolicy: - type: string - claimRef: - type: object - nullable: true - x-kubernetes-preserve-unknown-fields: true - status: - type: object - x-kubernetes-preserve-unknown-fields: true - subresources: - status: {} ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/cephconnection-viewer-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-cephconnection-viewer-role - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - csi.ceph.io - resources: - - cephconnections - verbs: - - get - - list - - watch -- apiGroups: - - csi.ceph.io - resources: - - cephconnections/status - verbs: - - get ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/cephconnections-editor-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-cephconnections-editor-role - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - csi.ceph.io - resources: - - cephconnections - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - csi.ceph.io - resources: - - cephconnections/status - verbs: - - get ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/cephfs-ctrlplugin-cr-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - 
name: ceph-csi-cephfs-ctrlplugin-cr - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - csinodes - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - create - - delete - - patch - - update -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - watch - - patch - - update -- apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - list - - watch - - create - - update - - patch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get - - list - - watch - - patch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments/status - verbs: - - patch -- apiGroups: - - "" - resources: - - persistentvolumeclaims/status - verbs: - - patch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - verbs: - - get - - list -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotclasses - verbs: - - get - - list - - watch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotcontents - verbs: - - get - - list - - watch - - patch - - update -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotcontents/status - verbs: - - update - - patch -- apiGroups: - - groupsnapshot.storage.k8s.io - resources: - - volumegroupsnapshotclasses - verbs: - - get - - list - - watch -- apiGroups: - - groupsnapshot.storage.k8s.io - resources: - - 
volumegroupsnapshotcontents - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - groupsnapshot.storage.k8s.io - resources: - - volumegroupsnapshotcontents/status - verbs: - - update - - patch -- apiGroups: - - groupsnapshot.storage.openshift.io - resources: - - volumegroupsnapshotclasses - verbs: - - get - - list - - watch -- apiGroups: - - groupsnapshot.storage.openshift.io - resources: - - volumegroupsnapshotcontents - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - groupsnapshot.storage.openshift.io - resources: - - volumegroupsnapshotcontents/status - verbs: - - update - - patch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/cephfs-nodeplugin-cr-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-cephfs-nodeplugin-cr - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get -- apiGroups: - - "" - resources: - - secrets - verbs: - - get -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create -- apiGroups: - - "" - resources: - - events - verbs: - - list - - watch - - create - - update - - patch -- apiGroups: - - "" - resources: - - persistentvolumes - - persistentvolumeclaims - verbs: - - get ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/clientprofile-viewer-rbac.yaml -apiVersion: 
rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-clientprofile-viewer-role - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - csi.ceph.io - resources: - - clientprofiles - verbs: - - get - - list - - watch -- apiGroups: - - csi.ceph.io - resources: - - clientprofiles/status - verbs: - - get ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/clientprofilemapping-editor-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-clientprofilemapping-editor-role - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - csi.ceph.io - resources: - - clientprofilemappings - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - csi.ceph.io - resources: - - clientprofilemappings/status - verbs: - - get ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/clientprofilemapping-viewer-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-clientprofilemapping-viewer-role - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - csi.ceph.io - resources: - - clientprofilemappings - verbs: - - get - - list - - watch -- apiGroups: - - csi.ceph.io - resources: - - clientprofilemappings/status - verbs: - - get ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/clientprofiles-editor-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole 
-metadata: - name: ceph-csi-clientprofiles-editor-role - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - csi.ceph.io - resources: - - clientprofiles - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - csi.ceph.io - resources: - - clientprofiles/status - verbs: - - get ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/driver-editor-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-driver-editor-role - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - csi.ceph.io - resources: - - drivers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - csi.ceph.io - resources: - - drivers/status - verbs: - - get ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/driver-viewer-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-driver-viewer-role - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - csi.ceph.io - resources: - - drivers - verbs: - - get - - list - - watch -- apiGroups: - - csi.ceph.io - resources: - - drivers/status - verbs: - - get ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/manager-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-manager-role - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - 
app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - configmaps - - services - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - apps - resources: - - daemonsets - - deployments - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - cbt.storage.k8s.io - resources: - - snapshotmetadataservices - verbs: - - get - - list - - watch -- apiGroups: - - csi.ceph.io - resources: - - cephconnections - verbs: - - delete - - get - - list - - update - - watch -- apiGroups: - - csi.ceph.io - resources: - - clientprofilemappings - - clientprofiles - - drivers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - csi.ceph.io - resources: - - clientprofilemappings/finalizers - - clientprofiles/finalizers - - drivers/finalizers - verbs: - - update -- apiGroups: - - csi.ceph.io - resources: - - clientprofilemappings/status - - clientprofiles/status - - drivers/status - verbs: - - get - - patch - - update -- apiGroups: - - csi.ceph.io - resources: - - operatorconfigs - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - csidrivers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/metrics-auth-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-metrics-auth-role - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -# Source: 
rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/metrics-reader-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-metrics-reader - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/nfs-ctrlplugin-cr-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-nfs-ctrlplugin-cr - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - create - - update - - delete - - patch -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - watch - - patch - - update -- apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - get - - list - - watch - - create - - update - - patch -- apiGroups: - - storage.k8s.io - resources: - - csinodes - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotclasses - verbs: - - get - - list - - watch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotcontents - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - 
snapshot.storage.k8s.io - resources: - - volumesnapshotcontents/status - verbs: - - update - - patch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - verbs: - - get - - list -- apiGroups: - - "" - resources: - - persistentvolumeclaims/status - verbs: - - patch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get - - list - - watch - - patch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments/status - verbs: - - patch ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/nfs-nodeplugin-cr-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-nfs-nodeplugin-cr - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/operatorconfig-editor-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-operatorconfig-editor-role - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - csi.ceph.io - resources: - - operatorconfigs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - csi.ceph.io - resources: - - operatorconfigs/status - verbs: - - get ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/operatorconfig-viewer-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-operatorconfig-viewer-role - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - 
app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - csi.ceph.io - resources: - - operatorconfigs - verbs: - - get - - list - - watch -- apiGroups: - - csi.ceph.io - resources: - - operatorconfigs/status - verbs: - - get ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/rbd-ctrlplugin-cr-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-rbd-ctrlplugin-cr - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - create - - delete - - patch - - update -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - watch - - update -- apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - list - - watch - - create - - update - - patch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get - - list - - watch - - patch -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments/status - verbs: - - patch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - csinodes - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - persistentvolumeclaims/status - verbs: - - patch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - verbs: - - get - - list - - watch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotclasses - verbs: - - get - - list - - watch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotcontents 
- verbs: - - get - - list - - watch - - patch - - update -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotcontents/status - verbs: - - update - - patch -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create -- apiGroups: - - groupsnapshot.storage.k8s.io - resources: - - volumegroupsnapshotclasses - verbs: - - get - - list - - watch -- apiGroups: - - groupsnapshot.storage.k8s.io - resources: - - volumegroupsnapshotcontents - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - groupsnapshot.storage.k8s.io - resources: - - volumegroupsnapshotcontents/status - verbs: - - update - - patch -- apiGroups: - - groupsnapshot.storage.openshift.io - resources: - - volumegroupsnapshotclasses - verbs: - - get - - list - - watch -- apiGroups: - - groupsnapshot.storage.openshift.io - resources: - - volumegroupsnapshotcontents - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - groupsnapshot.storage.openshift.io - resources: - - volumegroupsnapshotcontents/status - verbs: - - update - - patch -- apiGroups: - - replication.storage.openshift.io - resources: - - volumegroupreplicationcontents - verbs: - - get - - list - - watch -- apiGroups: - - replication.storage.openshift.io - resources: - - volumegroupreplicationclasses - verbs: - - get - - list - - watch -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - cbt.storage.k8s.io - resources: - - snapshotmetadataservices - verbs: - - get - - list ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/rbd-nodeplugin-cr-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ceph-csi-rbd-nodeplugin-cr - 
labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get - - list -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create -- apiGroups: - - "" - resources: - - nodes - verbs: - - get -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - "" - resources: - - events - verbs: - - list - - watch - - create - - update - - patch -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-system - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: - # Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint. - # However, some Kubernetes APIs involve a "subresource", such as the logs for a pod. [...] - # To represent this in an RBAC role, use a slash to delimit the resource and subresource. 
- # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources - - apiGroups: [""] - resources: ["pods", "pods/log"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["pods/exec"] - verbs: ["create"] - - apiGroups: ["csiaddons.openshift.io"] - resources: ["networkfences"] - verbs: ["create", "get", "update", "delete", "watch", "list", "deletecollection"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get"] - - apiGroups: ["csi.ceph.io"] - resources: ["cephconnections"] - verbs: ["create", "delete", "get", "list","update", "watch"] - - apiGroups: ["csi.ceph.io"] - resources: ["clientprofiles"] - verbs: ["create", "delete", "get", "list", "update", "watch"] - - apiGroups: ["csi.ceph.io"] - resources: ["operatorconfigs"] - verbs: ["create", "delete", "get", "list" ,"update", "watch"] - - apiGroups: ["csi.ceph.io"] - resources: ["drivers"] - verbs: ["create", "delete", "get", "list" ,"update", "watch"] ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrole.yaml -# The cluster role for managing all the cluster-specific resources in a namespace -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-cluster-mgmt - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: - - apiGroups: - - "" - - apps - - extensions - resources: - - secrets - - pods - - pods/log - - services - - configmaps - - deployments - - daemonsets - verbs: - - get - - list - - watch - - patch - - create - - update - - delete ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrole.yaml -# The cluster role for managing the Rook CRDs -# Rook watches for its CRDs in all namespaces, so this should be a 
cluster-scoped role unless the -# operator config `ROOK_CURRENT_NAMESPACE_ONLY=true`. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-global - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: - - apiGroups: - - "" - resources: - # Pod access is needed for fencing - - pods - # Node access is needed for determining nodes where mons should run - - nodes - - nodes/proxy - # Rook watches secrets which it uses to configure access to external resources. - # e.g., external Ceph cluster or object store - - secrets - # Rook watches for changes to the rook-operator-config configmap - - configmaps - verbs: - - get - - list - - watch - - apiGroups: - - "" - - "discovery.k8s.io" - resources: - # Rook creates events for its custom resources - - events - # Rook creates PVs and PVCs for OSDs managed by the Rook provisioner - - persistentvolumes - - persistentvolumeclaims - # Rook creates endpoints for mgr and object store access - - endpoints - - services - - endpointslices - - endpointslices/restricted - verbs: - - get - - list - - watch - - patch - - create - - update - - delete - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch - - apiGroups: - - batch - resources: - - jobs - - cronjobs - verbs: - - get - - list - - watch - - create - - update - - delete - - deletecollection - # The Rook operator must be able to watch all ceph.rook.io resources to reconcile them. 
- - apiGroups: ["ceph.rook.io"] - resources: - - cephclients - - cephclusters - - cephblockpools - - cephfilesystems - - cephnfses - - cephobjectstores - - cephobjectstoreusers - - cephobjectrealms - - cephobjectzonegroups - - cephobjectzones - - cephbuckettopics - - cephbucketnotifications - - cephrbdmirrors - - cephfilesystemmirrors - - cephfilesystemsubvolumegroups - - cephblockpoolradosnamespaces - - cephcosidrivers - verbs: - - get - - list - - watch - # Ideally the update permission is not required, but Rook needs it to add finalizers to resources. - - update - # Rook must have update access to status subresources for its custom resources. - - apiGroups: ["ceph.rook.io"] - resources: - - cephclients/status - - cephclusters/status - - cephblockpools/status - - cephfilesystems/status - - cephnfses/status - - cephobjectstores/status - - cephobjectstoreusers/status - - cephobjectrealms/status - - cephobjectzonegroups/status - - cephobjectzones/status - - cephbuckettopics/status - - cephbucketnotifications/status - - cephrbdmirrors/status - - cephfilesystemmirrors/status - - cephfilesystemsubvolumegroups/status - - cephblockpoolradosnamespaces/status - verbs: ["update"] - # The "*/finalizers" permission may need to be strictly given for K8s clusters where - # OwnerReferencesPermissionEnforcement is enabled so that Rook can set blockOwnerDeletion on - # resources owned by Rook CRs (e.g., a Secret owned by an OSD Deployment). 
See more: - # https://kubernetes.io/docs/reference/access-authn-authz/_print/#ownerreferencespermissionenforcement - - apiGroups: ["ceph.rook.io"] - resources: - - cephclients/finalizers - - cephclusters/finalizers - - cephblockpools/finalizers - - cephfilesystems/finalizers - - cephnfses/finalizers - - cephobjectstores/finalizers - - cephobjectstoreusers/finalizers - - cephobjectrealms/finalizers - - cephobjectzonegroups/finalizers - - cephobjectzones/finalizers - - cephbuckettopics/finalizers - - cephbucketnotifications/finalizers - - cephrbdmirrors/finalizers - - cephfilesystemmirrors/finalizers - - cephfilesystemsubvolumegroups/finalizers - - cephblockpoolradosnamespaces/finalizers - verbs: ["update"] - - apiGroups: - - policy - - apps - - extensions - resources: - # This is for the clusterdisruption controller - - poddisruptionbudgets - # This is for both clusterdisruption and nodedrain controllers - - deployments - - replicasets - verbs: - - get - - list - - watch - - create - - update - - delete - - deletecollection - - apiGroups: - - apps - resources: - # This is to add osd deployment owner ref on key rotation - # cron jobs. 
- - deployments/finalizers - verbs: - - update - - apiGroups: - - healthchecking.openshift.io - resources: - - machinedisruptionbudgets - verbs: - - get - - list - - watch - - create - - update - - delete - - apiGroups: - - machine.openshift.io - resources: - - machines - verbs: - - get - - list - - watch - - create - - update - - delete - - apiGroups: - - storage.k8s.io - resources: - - csidrivers - verbs: - - create - - delete - - get - - update - - apiGroups: - - k8s.cni.cncf.io - resources: - - network-attachment-definitions - verbs: - - get ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrole.yaml -# Aspects of ceph-mgr that require cluster-wide access -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-mgr-cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: - - apiGroups: - - "" - resources: - - configmaps - - nodes - - nodes/proxy - - persistentvolumes - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list - - get - - watch - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrole.yaml -# Aspects of ceph-mgr that require access to the system namespace -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-mgr-system - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: 
"rook-ceph-v1.18.8" -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrole.yaml -# Used for provisioning ObjectBuckets (OBs) in response to ObjectBucketClaims (OBCs). -# Note: Rook runs a copy of the lib-bucket-provisioner's OBC controller. -# OBCs can be created in any Kubernetes namespace, so this must be a cluster-scoped role. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-object-bucket - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: - - apiGroups: [""] - resources: ["secrets", "configmaps"] - verbs: - # OBC controller creates secrets and configmaps containing information for users about how to - # connect to object buckets. It deletes them when an OBC is deleted. 
- - get - - create - - update - - delete - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: - # OBC controller gets parameters from the OBC's storageclass - # Rook gets additional parameters from the OBC's storageclass - - get - - apiGroups: ["objectbucket.io"] - resources: ["objectbucketclaims"] - verbs: - # OBC controller needs to list/watch OBCs and get latest version of a reconciled OBC - - list - - watch - - get - # Ideally, update should not be needed, but the OBC controller updates the OBC with bucket - # information outside of the status subresource - - update - # OBC controller does not delete OBCs; users do this - - apiGroups: ["objectbucket.io"] - resources: ["objectbuckets"] - verbs: - # OBC controller needs to list/watch OBs and get latest version of a reconciled OB - - list - - watch - - get - # OBC controller creates an OB when an OBC's bucket has been provisioned by Ceph, updates them - # when an OBC is updated, and deletes them when the OBC is de-provisioned. - - create - - update - - delete - - apiGroups: ["objectbucket.io"] - resources: ["objectbucketclaims/status", "objectbuckets/status"] - verbs: - # OBC controller updates OBC and OB statuses - - update - - apiGroups: ["objectbucket.io"] - # This does not strictly allow the OBC/OB controllers to update finalizers. That is handled by - # the direct "update" permissions above. Instead, this allows Rook's controller to create - # resources which are owned by OBs/OBCs and where blockOwnerDeletion is set. 
- resources: ["objectbucketclaims/finalizers", "objectbuckets/finalizers"] - verbs: - - update ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-osd - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: cephfs-csi-nodeplugin - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - - apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["get"] - - apiGroups: [""] - resources: ["serviceaccounts/token"] - verbs: ["create"] ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: cephfs-external-provisioner-runner - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: 
"rook-ceph-v1.18.8" -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "update", "delete", "patch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "patch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims/status"] - verbs: ["patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["get", "list", "watch", "patch", "update"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents/status"] - verbs: ["update", "patch"] - - apiGroups: ["groupsnapshot.storage.k8s.io"] - resources: ["volumegroupsnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["groupsnapshot.storage.k8s.io"] - resources: ["volumegroupsnapshotcontents"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["groupsnapshot.storage.k8s.io"] - resources: ["volumegroupsnapshotcontents/status"] - verbs: ["update", "patch"] - - apiGroups: [""] - resources: 
["serviceaccounts"] - verbs: ["get"] - - apiGroups: [""] - resources: ["serviceaccounts/token"] - verbs: ["create"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rbd-csi-nodeplugin - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - - apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["get"] - - apiGroups: [""] - resources: ["serviceaccounts/token"] - verbs: ["create"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rbd-external-provisioner-runner - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", 
"create", "update", "delete", "patch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims/status"] - verbs: ["patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["get", "list", "watch", "patch", "update"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents/status"] - verbs: ["update", "patch"] - - apiGroups: ["groupsnapshot.storage.k8s.io"] - resources: ["volumegroupsnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["groupsnapshot.storage.k8s.io"] - resources: ["volumegroupsnapshotcontents"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["groupsnapshot.storage.k8s.io"] - resources: ["volumegroupsnapshotcontents/status"] - verbs: ["update", "patch"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - - apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["get"] - - apiGroups: [""] - resources: ["serviceaccounts/token"] - verbs: ["create"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: 
["gateway.networking.k8s.io"] - resources: ["referencegrants"] - verbs: ["get", "list", "watch"] - - apiGroups: ["replication.storage.openshift.io"] - resources: ["volumegroupreplicationcontents"] - verbs: ["get", "list", "watch"] - - apiGroups: ["replication.storage.openshift.io"] - resources: ["volumegroupreplicationclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: objectstorage-provisioner-role - labels: - app.kubernetes.io/part-of: container-object-storage-interface - app.kubernetes.io/component: driver-ceph - app.kubernetes.io/name: cosi-driver-ceph -rules: - - apiGroups: ["objectstorage.k8s.io"] - resources: - [ - "buckets", - "bucketaccesses", - "bucketclaims", - "bucketaccessclasses", - "buckets/status", - "bucketaccesses/status", - "bucketclaims/status", - "bucketaccessclasses/status", - ] - verbs: ["get", "list", "watch", "update", "create", "delete"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] - - apiGroups: [""] - resources: ["secrets", "events"] - verbs: ["get", "delete", "update", "create"] ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/cephfs-ctrlplugin-crb-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ceph-csi-cephfs-ctrlplugin-crb - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 'ceph-csi-cephfs-ctrlplugin-cr' -subjects: -- kind: ServiceAccount - name: 'ceph-csi-cephfs-ctrlplugin-sa' - namespace: 'rook-ceph' ---- -# Source: 
rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/cephfs-nodeplugin-crb-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ceph-csi-cephfs-nodeplugin-crb - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 'ceph-csi-cephfs-nodeplugin-cr' -subjects: -- kind: ServiceAccount - name: 'ceph-csi-cephfs-nodeplugin-sa' - namespace: 'rook-ceph' ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/manager-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ceph-csi-manager-rolebinding - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 'ceph-csi-manager-role' -subjects: -- kind: ServiceAccount - name: 'ceph-csi-controller-manager' - namespace: 'rook-ceph' ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/metrics-auth-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ceph-csi-metrics-auth-rolebinding - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 'ceph-csi-metrics-auth-role' -subjects: -- kind: ServiceAccount - name: 'ceph-csi-controller-manager' - namespace: 'rook-ceph' ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/nfs-ctrlplugin-crb-rbac.yaml -apiVersion: 
rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ceph-csi-nfs-ctrlplugin-crb - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 'ceph-csi-nfs-ctrlplugin-cr' -subjects: -- kind: ServiceAccount - name: 'ceph-csi-nfs-ctrlplugin-sa' - namespace: 'rook-ceph' ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/nfs-nodeplugin-crb-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ceph-csi-nfs-nodeplugin-crb - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 'ceph-csi-nfs-nodeplugin-cr' -subjects: -- kind: ServiceAccount - name: 'ceph-csi-nfs-nodeplugin-sa' - namespace: 'rook-ceph' ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/rbd-ctrlplugin-crb-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ceph-csi-rbd-ctrlplugin-crb - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 'ceph-csi-rbd-ctrlplugin-cr' -subjects: -- kind: ServiceAccount - name: 'ceph-csi-rbd-ctrlplugin-sa' - namespace: 'rook-ceph' ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/rbd-nodeplugin-crb-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ceph-csi-rbd-nodeplugin-crb - labels: - 
helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 'ceph-csi-rbd-nodeplugin-cr' -subjects: -- kind: ServiceAccount - name: 'ceph-csi-rbd-nodeplugin-sa' - namespace: 'rook-ceph' ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-mgr-cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: rook-ceph-mgr-cluster -subjects: - - kind: ServiceAccount - name: rook-ceph-mgr - namespace: rook-ceph # namespace:cluster ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Allow the ceph osd to access cluster-wide resources necessary for determining their topology location -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-osd - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: rook-ceph-osd -subjects: - - kind: ServiceAccount - name: rook-ceph-osd - namespace: rook-ceph # namespace:cluster ---- -# Source: 
rook-ceph/charts/rook-ceph/templates/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-system - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: rook-ceph-system -subjects: - - kind: ServiceAccount - name: rook-ceph-system - namespace: rook-ceph # namespace:operator ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrolebinding.yaml -# Grant the rook system daemons cluster-wide access to manage the Rook CRDs, PVCs, and storage classes -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-global - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: rook-ceph-global -subjects: - - kind: ServiceAccount - name: rook-ceph-system - namespace: rook-ceph # namespace:operator ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrolebinding.yaml -kind: ClusterRoleBinding -# Give Rook-Ceph Operator permissions to provision ObjectBuckets in response to ObjectBucketClaims. 
-apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-object-bucket - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: rook-ceph-object-bucket -subjects: - - kind: ServiceAccount - name: rook-ceph-system - namespace: rook-ceph # namespace:operator ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rbd-csi-nodeplugin - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -subjects: - - kind: ServiceAccount - name: rook-csi-rbd-plugin-sa - namespace: rook-ceph # namespace:operator -roleRef: - kind: ClusterRole - name: rbd-csi-nodeplugin - apiGroup: rbac.authorization.k8s.io ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: cephfs-csi-provisioner-role - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -subjects: - - kind: ServiceAccount - name: rook-csi-cephfs-provisioner-sa - namespace: rook-ceph # namespace:operator -roleRef: - kind: ClusterRole - name: 
cephfs-external-provisioner-runner - apiGroup: rbac.authorization.k8s.io ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrolebinding.yaml -# This is required by operator-sdk to map the cluster/clusterrolebindings with SA -# otherwise operator-sdk will create a individual file for these. -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: cephfs-csi-nodeplugin-role - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -subjects: - - kind: ServiceAccount - name: rook-csi-cephfs-plugin-sa - namespace: rook-ceph # namespace:operator -roleRef: - kind: ClusterRole - name: cephfs-csi-nodeplugin - apiGroup: rbac.authorization.k8s.io ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rbd-csi-provisioner-role - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -subjects: - - kind: ServiceAccount - name: rook-csi-rbd-provisioner-sa - namespace: rook-ceph # namespace:operator -roleRef: - kind: ClusterRole - name: rbd-external-provisioner-runner - apiGroup: rbac.authorization.k8s.io ---- -# Source: rook-ceph/charts/rook-ceph/templates/clusterrolebinding.yaml -# RBAC for ceph cosi driver service account -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: objectstorage-provisioner-role-binding - labels: - app.kubernetes.io/part-of: 
container-object-storage-interface - app.kubernetes.io/component: driver-ceph - app.kubernetes.io/name: cosi-driver-ceph -subjects: - - kind: ServiceAccount - name: objectstorage-provisioner - namespace: rook-ceph # namespace:operator -roleRef: - kind: ClusterRole - name: objectstorage-provisioner-role - apiGroup: rbac.authorization.k8s.io ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/cephfs-ctrlplugin-r-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ceph-csi-cephfs-ctrlplugin-r - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - watch - - list - - delete - - update - - create -- apiGroups: - - csiaddons.openshift.io - resources: - - csiaddonsnodes - verbs: - - get - - watch - - list - - create - - update - - delete -- apiGroups: - - "" - resources: - - pods - verbs: - - get -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get -- apiGroups: - - apps - resources: - - deployments/finalizers - - daemonsets/finalizers - verbs: - - update ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/cephfs-nodeplugin-r-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ceph-csi-cephfs-nodeplugin-r - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - csiaddons.openshift.io - resources: - - csiaddonsnodes - verbs: - - get - - watch - - list - - create - - update - - delete -- apiGroups: - - "" - resources: - - pods - verbs: - - get -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get -- apiGroups: - - apps - resources: - 
- deployments/finalizers - - daemonsets/finalizers - verbs: - - update ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/leader-election-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ceph-csi-leader-election-role - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/rbd-ctrlplugin-r-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ceph-csi-rbd-ctrlplugin-r - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - watch - - list - - delete - - update - - create -- apiGroups: - - csiaddons.openshift.io - resources: - - csiaddonsnodes - verbs: - - get - - watch - - list - - create - - update - - delete -- apiGroups: - - "" - resources: - - pods - verbs: - - get -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get -- apiGroups: - - apps - resources: - - deployments/finalizers - - daemonsets/finalizers - verbs: - - update ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/rbd-nodeplugin-r-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ceph-csi-rbd-nodeplugin-r - labels: - helm.sh/chart: 
ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - csiaddons.openshift.io - resources: - - csiaddonsnodes - verbs: - - get - - watch - - list - - create - - update - - delete -- apiGroups: - - "" - resources: - - pods - verbs: - - get -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get -- apiGroups: - - apps - resources: - - deployments/finalizers - - daemonsets/finalizers - verbs: - - update ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-osd - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: - # this is needed for rook's "key-management" CLI to fetch the vault token from the secret when - # validating the connection details and for key rotation operations. 
- - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "update"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: ["ceph.rook.io"] - resources: ["cephclusters", "cephclusters/finalizers"] - verbs: ["get", "list", "create", "update", "delete"] ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Aspects of ceph-mgr that operate within the cluster's namespace -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-mgr - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: - - apiGroups: - - "" - resources: - - pods - - services - - pods/log - verbs: - - get - - list - - watch - - create - - update - - delete - - apiGroups: - - batch - resources: - - jobs - verbs: - - get - - list - - watch - - create - - update - - delete - - apiGroups: - - ceph.rook.io - resources: - - cephclients - - cephclusters - - cephblockpools - - cephfilesystems - - cephnfses - - cephobjectstores - - cephobjectstoreusers - - cephobjectrealms - - cephobjectzonegroups - - cephobjectzones - - cephbuckettopics - - cephbucketnotifications - - cephrbdmirrors - - cephfilesystemmirrors - - cephfilesystemsubvolumegroups - - cephblockpoolradosnamespaces - - cephcosidrivers - verbs: - - get - - list - - watch - - create - - update - - delete - - patch - - apiGroups: - - apps - resources: - - deployments/scale - - deployments - verbs: - - patch - - delete - - apiGroups: - - '' - resources: - - persistentvolumeclaims - verbs: - - delete ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 
-metadata: - name: rook-ceph-cmd-reporter - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: - - apiGroups: - - "" - resources: - - pods - - configmaps - verbs: - - get - - list - - watch - - create - - update - - delete ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Aspects of ceph osd purge job that require access to the cluster namespace -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-purge-osd - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "delete"] - - apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["get", "list", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "update", "delete", "list"] ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-monitoring - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - 
helm.sh/chart: "rook-ceph-v1.18.8" -rules: - - apiGroups: - - "monitoring.coreos.com" - resources: - - servicemonitors - verbs: - - get - - list - - watch - - create - - update - - delete ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Allow management of monitoring resources in the mgr -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-monitoring-mgr - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: - - apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - list - - create - - update ---- -# Source: rook-ceph/charts/rook-ceph/templates/role.yaml -# Allow the operator to manage resources in its own namespace -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-system - namespace: rook-ceph # namespace:operator - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: - - apiGroups: - - "" - resources: - - pods - - configmaps - - services - verbs: - - get - - list - - watch - - patch - - create - - update - - delete - - apiGroups: - - apps - - extensions - resources: - - daemonsets - - statefulsets - - deployments - verbs: - - get - - list - - watch - - create - - update - - delete - - deletecollection - - apiGroups: - - batch - resources: - - cronjobs - verbs: - - delete - - apiGroups: - - cert-manager.io - resources: - - certificates - - issuers - verbs: - 
- get - - create - - delete - - apiGroups: - - multicluster.x-k8s.io - resources: - - serviceexports - verbs: - - get - - create ---- -# Source: rook-ceph/charts/rook-ceph/templates/role.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: cephfs-external-provisioner-cfg - namespace: rook-ceph # namespace:operator - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] ---- -# Source: rook-ceph/charts/rook-ceph/templates/role.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rbd-external-provisioner-cfg - namespace: rook-ceph # namespace:operator - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -rules: - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/cephfs-ctrlplugin-rb-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ceph-csi-cephfs-ctrlplugin-rb - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: 'ceph-csi-cephfs-ctrlplugin-r' -subjects: -- 
kind: ServiceAccount - name: 'ceph-csi-cephfs-ctrlplugin-sa' - namespace: 'rook-ceph' ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/cephfs-nodeplugin-rb-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ceph-csi-cephfs-nodeplugin-rb - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: 'ceph-csi-cephfs-nodeplugin-r' -subjects: -- kind: ServiceAccount - name: 'ceph-csi-cephfs-nodeplugin-sa' - namespace: 'rook-ceph' ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/leader-election-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ceph-csi-leader-election-rolebinding - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: 'ceph-csi-leader-election-role' -subjects: -- kind: ServiceAccount - name: 'ceph-csi-controller-manager' - namespace: 'rook-ceph' ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/rbd-ctrlplugin-rb-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ceph-csi-rbd-ctrlplugin-rb - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: 'ceph-csi-rbd-ctrlplugin-r' -subjects: -- kind: ServiceAccount - name: 'ceph-csi-rbd-ctrlplugin-sa' - namespace: 'rook-ceph' ---- -# Source: 
rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/rbd-nodeplugin-rb-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ceph-csi-rbd-nodeplugin-rb - labels: - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: 'ceph-csi-rbd-nodeplugin-r' -subjects: -- kind: ServiceAccount - name: 'ceph-csi-rbd-nodeplugin-sa' - namespace: 'rook-ceph' ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Allow the operator to create resources in this cluster's namespace -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-cluster-mgmt - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: rook-ceph-cluster-mgmt -subjects: - - kind: ServiceAccount - name: rook-ceph-system - namespace: rook-ceph # namespace:operator ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Allow the osd pods in this namespace to work with configmaps -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-osd - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: 
"rook-ceph-v1.18.8" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: rook-ceph-osd -subjects: - - kind: ServiceAccount - name: rook-ceph-osd - namespace: rook-ceph # namespace:cluster ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Allow the ceph mgr to access resources scoped to the CephCluster namespace necessary for mgr modules -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-mgr - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: rook-ceph-mgr -subjects: - - kind: ServiceAccount - name: rook-ceph-mgr - namespace: rook-ceph # namespace:cluster ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Allow the ceph mgr to access resources in the Rook operator namespace necessary for mgr modules -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-mgr-system - namespace: rook-ceph # namespace:operator - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: rook-ceph-mgr-system -subjects: - - kind: ServiceAccount - name: rook-ceph-mgr - namespace: rook-ceph # namespace:cluster ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 
-metadata: - name: rook-ceph-cmd-reporter - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: rook-ceph-cmd-reporter -subjects: - - kind: ServiceAccount - name: rook-ceph-cmd-reporter - namespace: rook-ceph # namespace:cluster ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Allow the osd purge job to run in this namespace -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-purge-osd - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: rook-ceph-purge-osd -subjects: - - kind: ServiceAccount - name: rook-ceph-purge-osd - namespace: rook-ceph # namespace:cluster ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Allow the operator to get ServiceMonitors in this cluster's namespace -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-monitoring - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: 
"rook-ceph-v1.18.8" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: rook-ceph-monitoring -subjects: - - kind: ServiceAccount - name: rook-ceph-system - namespace: rook-ceph # namespace:operator ---- -# Source: rook-ceph/charts/rook-ceph/templates/cluster-rbac.yaml -# Allow creation of monitoring resources in the mgr -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-monitoring-mgr - namespace: rook-ceph # namespace:cluster - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: rook-ceph-monitoring-mgr -subjects: - - kind: ServiceAccount - name: rook-ceph-mgr - namespace: rook-ceph # namespace:cluster ---- -# Source: rook-ceph/charts/rook-ceph/templates/rolebinding.yaml -# Grant the operator, agent, and discovery agents access to resources in the rook-ceph-system namespace -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rook-ceph-system - namespace: rook-ceph # namespace:operator - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: rook-ceph-system -subjects: - - kind: ServiceAccount - name: rook-ceph-system - namespace: rook-ceph # namespace:operator ---- -# Source: rook-ceph/charts/rook-ceph/templates/rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: 
cephfs-csi-provisioner-role-cfg - namespace: rook-ceph # namespace:operator - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -subjects: - - kind: ServiceAccount - name: rook-csi-cephfs-provisioner-sa - namespace: rook-ceph # namespace:operator -roleRef: - kind: Role - name: cephfs-external-provisioner-cfg - apiGroup: rbac.authorization.k8s.io ---- -# Source: rook-ceph/charts/rook-ceph/templates/rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rbd-csi-provisioner-role-cfg - namespace: rook-ceph # namespace:operator - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -subjects: - - kind: ServiceAccount - name: rook-csi-rbd-provisioner-sa - namespace: rook-ceph # namespace:operator -roleRef: - kind: Role - name: rbd-external-provisioner-cfg - apiGroup: rbac.authorization.k8s.io ---- -# Source: rook-ceph/charts/cloudflared-rgw/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: rook-ceph-cloudflared-rgw - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cloudflared-rgw - app.kubernetes.io/version: 2025.10.0 - helm.sh/chart: cloudflared-rgw-1.23.1 - namespace: rook-ceph -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: cloudflared-rgw - 
app.kubernetes.io/instance: rook-ceph - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/name: cloudflared-rgw - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - tunnel - - --protocol - - http2 - - --no-autoupdate - - run - - --token - - $(CF_MANAGED_TUNNEL_TOKEN) - env: - - name: CF_MANAGED_TUNNEL_TOKEN - valueFrom: - secretKeyRef: - key: cf-tunnel-token - name: ceph-rgw-cloudflared-secret - image: cloudflare/cloudflared:2025.11.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: rook-ceph/charts/rook-ceph-cluster/templates/deployment.yaml -kind: Deployment -apiVersion: apps/v1 -metadata: - name: rook-ceph-tools - namespace: rook-ceph # namespace:cluster - labels: - app: rook-ceph-tools -spec: - replicas: 1 - selector: - matchLabels: - app: rook-ceph-tools - template: - metadata: - labels: - app: rook-ceph-tools - spec: - dnsPolicy: ClusterFirstWithHostNet - containers: - - name: rook-ceph-tools - image: quay.io/ceph/ceph:v19.2.3 - command: - - /bin/bash - - -c - - | - # Replicate the script from toolbox.sh inline so the ceph image - # can be run directly, instead of requiring the rook toolbox - CEPH_CONFIG="/etc/ceph/ceph.conf" - MON_CONFIG="/etc/rook/mon-endpoints" - KEYRING_FILE="/etc/ceph/keyring" - - # create a ceph config file in its default location so ceph/rados tools can be used - # without specifying any arguments - write_endpoints() { - endpoints=$(cat ${MON_CONFIG}) - - # filter out the mon names - # external cluster can have numbers or hyphens in mon names, handling them in regex - # shellcheck disable=SC2001 - mon_endpoints=$(echo "${endpoints}"| sed 's/[a-z0-9_-]\+=//g') - - DATE=$(date) - echo "$DATE writing mon endpoints to ${CEPH_CONFIG}: 
${endpoints}" - cat < ${CEPH_CONFIG} - [global] - mon_host = ${mon_endpoints} - - [client.admin] - keyring = ${KEYRING_FILE} - EOF - } - - # watch the endpoints config file and update if the mon endpoints ever change - watch_endpoints() { - # get the timestamp for the target of the soft link - real_path=$(realpath ${MON_CONFIG}) - initial_time=$(stat -c %Z "${real_path}") - while true; do - real_path=$(realpath ${MON_CONFIG}) - latest_time=$(stat -c %Z "${real_path}") - - if [[ "${latest_time}" != "${initial_time}" ]]; then - write_endpoints - initial_time=${latest_time} - fi - - sleep 10 - done - } - - # read the secret from an env var (for backward compatibility), or from the secret file - ceph_secret=${ROOK_CEPH_SECRET} - if [[ "$ceph_secret" == "" ]]; then - ceph_secret=$(cat /var/lib/rook-ceph-mon/secret.keyring) - fi - - # create the keyring file - cat < ${KEYRING_FILE} - [${ROOK_CEPH_USERNAME}] - key = ${ceph_secret} - EOF - - # write the initial config file - write_endpoints - - # continuously update the mon endpoints if they fail over - watch_endpoints - imagePullPolicy: IfNotPresent - tty: true - securityContext: - capabilities: - drop: - - ALL - runAsGroup: 2016 - runAsNonRoot: true - runAsUser: 2016 - env: - - name: ROOK_CEPH_USERNAME - valueFrom: - secretKeyRef: - name: rook-ceph-mon - key: ceph-username - resources: - limits: - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi - volumeMounts: - - mountPath: /etc/ceph - name: ceph-config - - name: mon-endpoint-volume - mountPath: /etc/rook - - name: ceph-admin-secret - mountPath: /var/lib/rook-ceph-mon - serviceAccountName: rook-ceph-default - volumes: - - name: ceph-admin-secret - secret: - secretName: rook-ceph-mon - optional: false - items: - - key: ceph-secret - path: secret.keyring - - name: mon-endpoint-volume - configMap: - name: rook-ceph-mon-endpoints - items: - - key: data - path: mon-endpoints - - name: ceph-config - emptyDir: {} - tolerations: - - key: "node.kubernetes.io/unreachable" - 
operator: "Exists" - effect: "NoExecute" - tolerationSeconds: 5 ---- -# Source: rook-ceph/charts/rook-ceph/charts/ceph-csi-operator/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ceph-csi-controller-manager - labels: - control-plane: controller-manager - helm.sh/chart: ceph-csi-operator-0.4.1 - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: "v0.4.1" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - control-plane: ceph-csi-op-controller-manager - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - template: - metadata: - labels: - control-plane: ceph-csi-op-controller-manager - app.kubernetes.io/name: ceph-csi - app.kubernetes.io/instance: rook-ceph - annotations: - kubectl.kubernetes.io/default-container: manager - spec: - containers: - - args: - - --leader-elect - command: - - /manager - env: - - name: OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CSI_SERVICE_ACCOUNT_PREFIX - value: "ceph-csi-" - - name: WATCH_NAMESPACE - value: "" - - name: KUBERNETES_CLUSTER_DOMAIN - value: "cluster.local" - image: quay.io/cephcsi/ceph-csi-operator:v0.4.1 - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - imagePullSecrets: [] - securityContext: - runAsNonRoot: true - serviceAccountName: ceph-csi-controller-manager - terminationGracePeriodSeconds: 10 ---- -# Source: rook-ceph/charts/rook-ceph/templates/deployment.yaml -kind: Deployment -apiVersion: apps/v1 -metadata: - name: rook-ceph-operator - namespace: rook-ceph # 
namespace:operator - labels: - operator: rook - storage-backend: ceph - app.kubernetes.io/name: rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/version: v1.18.8 - app.kubernetes.io/part-of: rook-ceph-operator - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/created-by: helm - helm.sh/chart: "rook-ceph-v1.18.8" -spec: - replicas: 1 - selector: - matchLabels: - app: rook-ceph-operator - strategy: - type: Recreate - template: - metadata: - labels: - app: rook-ceph-operator - helm.sh/chart: "rook-ceph-v1.18.8" - spec: - tolerations: - - effect: NoExecute - key: node.kubernetes.io/unreachable - operator: Exists - tolerationSeconds: 5 - containers: - - name: rook-ceph-operator - image: "docker.io/rook/ceph:v1.18.8" - imagePullPolicy: IfNotPresent - args: ["ceph", "operator"] - securityContext: - capabilities: - drop: - - ALL - runAsGroup: 2016 - runAsNonRoot: true - runAsUser: 2016 - volumeMounts: - - mountPath: /var/lib/rook - name: rook-config - - mountPath: /etc/ceph - name: default-config-dir - env: - - name: ROOK_CURRENT_NAMESPACE_ONLY - value: "false" - - name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED - value: "false" - - name: ROOK_DISABLE_DEVICE_HOTPLUG - value: "false" - - name: ROOK_DISCOVER_DEVICES_INTERVAL - value: "60m" - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: - limits: - memory: 512Mi - requests: - cpu: 200m - memory: 128Mi - serviceAccountName: rook-ceph-system - volumes: - - name: rook-config - emptyDir: {} - - name: default-config-dir - emptyDir: {} ---- -# Source: rook-ceph/charts/rook-ceph-cluster/templates/cephblockpool.yaml -kind: CephBlockPool -apiVersion: ceph.rook.io/v1 -metadata: - name: ceph-blockpool - namespace: rook-ceph # namespace:cluster -spec: - enableRBDStats: false - failureDomain: host - replicated: - size: 3 ---- -# 
Source: rook-ceph/charts/rook-ceph-cluster/templates/cephcluster.yaml -apiVersion: ceph.rook.io/v1 -kind: CephCluster -metadata: - name: "rook-ceph" - namespace: "rook-ceph" # namespace:cluster -spec: - monitoring: - enabled: true - cephVersion: - allowUnsupported: false - image: quay.io/ceph/ceph:v19.2.3 - cleanupPolicy: - allowUninstallWithVolumes: false - confirmation: "" - sanitizeDisks: - dataSource: zero - iteration: 1 - method: quick - continueUpgradeAfterChecksEvenIfNotHealthy: false - crashCollector: - disable: false - csi: - readAffinity: - enabled: true - dashboard: - enabled: true - ssl: false - dataDirHostPath: /var/lib/rook - disruptionManagement: - managePodBudgets: true - osdMaintenanceTimeout: 30 - healthCheck: - daemonHealth: - mon: - disabled: false - interval: 45s - osd: - disabled: false - interval: 60s - status: - disabled: false - interval: 60s - livenessProbe: - mgr: - disabled: false - mon: - disabled: false - osd: - disabled: false - logCollector: - enabled: true - maxLogSize: 500M - periodicity: daily - mgr: - allowMultiplePerNode: false - count: 1 - modules: - - enabled: true - name: pg_autoscaler - - enabled: true - name: rook - mon: - allowMultiplePerNode: false - count: 3 - network: - connections: - compression: - enabled: true - encryption: - enabled: true - requireMsgr2: true - placement: - all: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/rook-osd-node - operator: Exists - mon: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/rook-mon-node - operator: Exists - - key: node-role.kubernetes.io/control-plane - operator: Exists - tolerations: - - key: node-role.kubernetes.io/rook-mon-node - operator: Exists - - key: node-role.kubernetes.io/control-plane - operator: Exists - priorityClassNames: - mgr: system-cluster-critical - mon: 
system-node-critical - osd: system-node-critical - removeOSDsIfOutAndSafeToRemove: false - resources: - cleanup: - limits: - memory: 1Gi - requests: - cpu: 500m - memory: 100Mi - crashcollector: - limits: - memory: 60Mi - requests: - cpu: 100m - memory: 60Mi - exporter: - limits: - memory: 128Mi - requests: - cpu: 50m - memory: 50Mi - logcollector: - limits: - memory: 1Gi - requests: - cpu: 100m - memory: 100Mi - mgr: - limits: - memory: 1Gi - requests: - cpu: 100m - memory: 512Mi - mgr-sidecar: - limits: - memory: 100Mi - requests: - cpu: 100m - memory: 40Mi - mon: - limits: - memory: 2Gi - requests: - cpu: 200m - memory: 256Mi - osd: - limits: - memory: 4Gi - requests: - cpu: 100m - memory: 2Gi - prepareosd: - requests: - cpu: 100m - memory: 128Mi - skipUpgradeChecks: false - storage: - config: - osdsPerDevice: "1" - deviceFilter: sda - useAllDevices: true - useAllNodes: true - upgradeOSDRequiresHealthyPGs: false - waitTimeoutForHealthyOSDInMinutes: 10 ---- -# Source: rook-ceph/charts/rook-ceph-cluster/templates/cephfilesystem.yaml -kind: CephFilesystem -apiVersion: ceph.rook.io/v1 -metadata: - name: ceph-filesystem - namespace: rook-ceph # namespace:cluster -spec: - dataPools: - - failureDomain: host - name: data0 - replicated: - size: 3 - metadataPool: - replicated: - size: 3 - metadataServer: - activeCount: 1 - activeStandby: true - priorityClassName: system-cluster-critical - resources: - requests: - cpu: 1000m - memory: 4Gi ---- -# Source: rook-ceph/charts/rook-ceph-cluster/templates/cephfilesystem.yaml -kind: CephFilesystemSubVolumeGroup -apiVersion: ceph.rook.io/v1 -metadata: - name: ceph-filesystem-csi # lets keep the svg crd name same as `filesystem name + csi` for the default csi svg - namespace: rook-ceph # namespace:cluster -spec: - # The name of the subvolume group. If not set, the default is the name of the subvolumeGroup CR. 
- name: csi - # filesystemName is the metadata name of the CephFilesystem CR where the subvolume group will be created - filesystemName: ceph-filesystem - # reference https://docs.ceph.com/en/latest/cephfs/fs-volumes/#pinning-subvolumes-and-subvolume-groups - # only one out of (export, distributed, random) can be set at a time - # by default pinning is set with value: distributed=1 - # for disabling default values set (distributed=0) - pinning: - distributed: 1 # distributed=<0, 1> (disabled=0) - # export: # export=<0-256> (disabled=-1) - # random: # random=[0.0, 1.0](disabled=0.0) ---- -# Source: rook-ceph/charts/rook-ceph-cluster/templates/cephobjectstore.yaml -kind: CephObjectStore -apiVersion: ceph.rook.io/v1 -metadata: - name: ceph-objectstore - namespace: rook-ceph # namespace:cluster -spec: - dataPool: - erasureCoded: - codingChunks: 1 - dataChunks: 2 - failureDomain: host - parameters: - bulk: "true" - gateway: - instances: 1 - port: 80 - priorityClassName: system-cluster-critical - resources: - requests: - cpu: 1000m - memory: 1Gi - hosting: - dnsNames: - - objects.alexlebens.dev - - objects.alexlebens.net - metadataPool: - failureDomain: host - replicated: - size: 3 - preservePoolsOnDelete: true ---- -# Source: rook-ceph/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: ceph-rgw-cloudflared-secret - namespace: rook-ceph - labels: - app.kubernetes.io/name: ceph-rgw-cloudflared-secret - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/part-of: rook-ceph -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: cf-tunnel-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/tunnels/ceph-rgw - metadataPolicy: None - property: token ---- -# Source: rook-ceph/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-rook-ceph - namespace: rook-ceph - labels: - 
app.kubernetes.io/name: http-route-rook-ceph - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/part-of: rook-ceph -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - ceph.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: rook-ceph-mgr-dashboard - port: 7000 - weight: 100 ---- -# Source: rook-ceph/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-rook-ceph-rgw - namespace: rook-ceph - labels: - app.kubernetes.io/name: http-route-rook-ceph-rgw - app.kubernetes.io/instance: rook-ceph - app.kubernetes.io/part-of: rook-ceph -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - objects.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: rook-ceph-rgw-ceph-objectstore - port: 80 - weight: 100 ---- -# Source: rook-ceph/charts/rook-ceph-cluster/templates/prometheusrules.yaml -kind: PrometheusRule -apiVersion: monitoring.coreos.com/v1 -metadata: - labels: - prometheus: rook-prometheus - role: alert-rules - name: prometheus-ceph-rules - namespace: rook-ceph -spec: - groups: - - name: cluster health - rules: - - alert: CephHealthError - annotations: - description: The cluster state has been HEALTH_ERROR for more than 5 minutes. - Please check 'ceph health detail' for more information. - summary: Ceph is in the ERROR state - expr: ceph_health_status == 2 - for: 5m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.2.1 - severity: critical - type: ceph_default - - alert: CephHealthWarning - annotations: - description: The cluster state has been HEALTH_WARN for more than 15 minutes. - Please check 'ceph health detail' for more information. 
- summary: Ceph is in the WARNING state - expr: ceph_health_status == 1 - for: 15m - labels: - severity: warning - type: ceph_default - - name: mon - rules: - - alert: CephMonDownQuorumAtRisk - annotations: - description: '{{ $min := query "floor(count(ceph_mon_metadata) / 2) + 1" | first - | value }}Quorum requires a majority of monitors (x {{ $min }}) to be active. - Without quorum the cluster will become inoperable, affecting all services and - connected clients. The following monitors are down: {{- range query "(ceph_mon_quorum_status - == 0) + on(ceph_daemon) group_left(hostname) (ceph_mon_metadata * 0)" }} - {{ - .Labels.ceph_daemon }} on {{ .Labels.hostname }} {{- end }}' - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#mon-down - summary: Monitor quorum is at risk - expr: | - ( - (ceph_health_detail{name="MON_DOWN"} == 1) * on() ( - count(ceph_mon_quorum_status == 1) == bool (floor(count(ceph_mon_metadata) / 2) + 1) - ) - ) == 1 - for: 30s - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.3.1 - severity: critical - type: ceph_default - - alert: CephMonDown - annotations: - description: | - {{ $down := query "count(ceph_mon_quorum_status == 0)" | first | value }}{{ $s := "" }}{{ if gt $down 1.0 }}{{ $s = "s" }}{{ end }}You have {{ $down }} monitor{{ $s }} down. Quorum is still intact, but the loss of an additional monitor will make your cluster inoperable. 
The following monitors are down: {{- range query "(ceph_mon_quorum_status == 0) + on(ceph_daemon) group_left(hostname) (ceph_mon_metadata * 0)" }} - {{ .Labels.ceph_daemon }} on {{ .Labels.hostname }} {{- end }} - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#mon-down - summary: One or more monitors down - expr: | - count(ceph_mon_quorum_status == 0) <= (count(ceph_mon_metadata) - floor(count(ceph_mon_metadata) / 2) + 1) - for: 30s - labels: - severity: warning - type: ceph_default - - alert: CephMonDiskspaceCritical - annotations: - description: The free space available to a monitor's store is critically low. - You should increase the space available to the monitor(s). The default directory - is /var/lib/ceph/mon-*/data/store.db on traditional deployments, and /var/lib/rook/mon-*/data/store.db - on the mon pod's worker node for Rook. Look for old, rotated versions of *.log - and MANIFEST*. Do NOT touch any *.sst files. Also check any other directories - under /var/lib/rook and other directories on the same filesystem, often /var/log - and /var/tmp are culprits. Your monitor hosts are; {{- range query "ceph_mon_metadata"}} - - {{ .Labels.hostname }} {{- end }} - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#mon-disk-crit - summary: Filesystem space on at least one monitor is critically low - expr: ceph_health_detail{name="MON_DISK_CRIT"} == 1 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.3.2 - severity: critical - type: ceph_default - - alert: CephMonDiskspaceLow - annotations: - description: The space available to a monitor's store is approaching full (>70% - is the default). You should increase the space available to the monitor(s). - The default directory is /var/lib/ceph/mon-*/data/store.db on traditional deployments, - and /var/lib/rook/mon-*/data/store.db on the mon pod's worker node for Rook. - Look for old, rotated versions of *.log and MANIFEST*. Do NOT touch any *.sst - files. 
Also check any other directories under /var/lib/rook and other directories - on the same filesystem, often /var/log and /var/tmp are culprits. Your monitor - hosts are; {{- range query "ceph_mon_metadata"}} - {{ .Labels.hostname }} {{- - end }} - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#mon-disk-low - summary: Drive space on at least one monitor is approaching full - expr: ceph_health_detail{name="MON_DISK_LOW"} == 1 - for: 5m - labels: - severity: warning - type: ceph_default - - alert: CephMonClockSkew - annotations: - description: Ceph monitors rely on closely synchronized time to maintain quorum - and cluster consistency. This event indicates that the time on at least one - mon has drifted too far from the lead mon. Review cluster status with ceph -s. - This will show which monitors are affected. Check the time sync status on each - monitor host with 'ceph time-sync-status' and the state and peers of your ntpd - or chrony daemon. - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#mon-clock-skew - summary: Clock skew detected among monitors - expr: ceph_health_detail{name="MON_CLOCK_SKEW"} == 1 - for: 1m - labels: - severity: warning - type: ceph_default - - name: osd - rules: - - alert: CephOSDDownHigh - annotations: - description: '{{ $value | humanize }}% or {{ with query "count(ceph_osd_up == - 0)" }}{{ . | first | value }}{{ end }} of {{ with query "count(ceph_osd_up)" - }}{{ . | first | value }}{{ end }} OSDs are down (>= 10%). 
The following OSDs - are down: {{- range query "(ceph_osd_up * on(ceph_daemon) group_left(hostname) - ceph_osd_metadata) == 0" }} - {{ .Labels.ceph_daemon }} on {{ .Labels.hostname - }} {{- end }}' - summary: More than 10% of OSDs are down - expr: count(ceph_osd_up == 0) / count(ceph_osd_up) * 100 >= 10 - for: 5m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.4.1 - severity: critical - type: ceph_default - - alert: CephOSDHostDown - annotations: - description: 'The following OSDs are down: {{- range query "(ceph_osd_up * on(ceph_daemon) - group_left(hostname) ceph_osd_metadata) == 0" }} - {{ .Labels.hostname }} : - {{ .Labels.ceph_daemon }} {{- end }}' - summary: An OSD host is offline - expr: ceph_health_detail{name="OSD_HOST_DOWN"} == 1 - for: 5m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.4.8 - severity: warning - type: ceph_default - - alert: CephOSDDown - annotations: - description: | - {{ $num := query "count(ceph_osd_up == 0)" | first | value }}{{ $s := "" }}{{ if gt $num 1.0 }}{{ $s = "s" }}{{ end }}{{ $num }} OSD{{ $s }} down for over 5mins. The following OSD{{ $s }} {{ if eq $s "" }}is{{ else }}are{{ end }} down: {{- range query "(ceph_osd_up * on(ceph_daemon) group_left(hostname) ceph_osd_metadata) == 0"}} - {{ .Labels.ceph_daemon }} on {{ .Labels.hostname }} {{- end }} - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#osd-down - summary: An OSD has been marked down - expr: ceph_health_detail{name="OSD_DOWN"} == 1 - for: 5m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.4.2 - severity: warning - type: ceph_default - - alert: CephOSDNearFull - annotations: - description: One or more OSDs have reached the NEARFULL threshold. Use 'ceph health - detail' and 'ceph osd df' to identify the problem. To resolve, add capacity - to the affected OSD's failure domain, restore down/out OSDs, or delete unwanted - data. 
- documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#osd-nearfull - summary: OSD(s) running low on free space (NEARFULL) - expr: ceph_health_detail{name="OSD_NEARFULL"} == 1 - for: 5m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.4.3 - severity: warning - type: ceph_default - - alert: CephOSDFull - annotations: - description: An OSD has reached the FULL threshold. Writes to pools that share - the affected OSD will be blocked. Use 'ceph health detail' and 'ceph osd df' - to identify the problem. To resolve, add capacity to the affected OSD's failure - domain, restore down/out OSDs, or delete unwanted data. - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#osd-full - summary: OSD full, writes blocked - expr: ceph_health_detail{name="OSD_FULL"} > 0 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.4.6 - severity: critical - type: ceph_default - - alert: CephOSDBackfillFull - annotations: - description: An OSD has reached the BACKFILL FULL threshold. This will prevent - rebalance operations from completing. Use 'ceph health detail' and 'ceph osd - df' to identify the problem. To resolve, add capacity to the affected OSD's - failure domain, restore down/out OSDs, or delete unwanted data. - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#osd-backfillfull - summary: OSD(s) too full for backfill operations - expr: ceph_health_detail{name="OSD_BACKFILLFULL"} > 0 - for: 1m - labels: - severity: warning - type: ceph_default - - alert: CephOSDTooManyRepairs - annotations: - description: Reads from an OSD have used a secondary PG to return data to the - client, indicating a potential failing drive. 
- documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#osd-too-many-repairs - summary: OSD reports a high number of read errors - expr: ceph_health_detail{name="OSD_TOO_MANY_REPAIRS"} == 1 - for: 30s - labels: - severity: warning - type: ceph_default - - alert: CephOSDTimeoutsPublicNetwork - annotations: - description: OSD heartbeats on the cluster's 'public' network (frontend) are running - slow. Investigate the network for latency or loss issues. Use 'ceph health detail' - to show the affected OSDs. - summary: Network issues delaying OSD heartbeats (public network) - expr: ceph_health_detail{name="OSD_SLOW_PING_TIME_FRONT"} == 1 - for: 1m - labels: - severity: warning - type: ceph_default - - alert: CephOSDTimeoutsClusterNetwork - annotations: - description: OSD heartbeats on the cluster's 'cluster' network (backend) are slow. - Investigate the network for latency issues on this subnet. Use 'ceph health - detail' to show the affected OSDs. - summary: Network issues delaying OSD heartbeats (cluster network) - expr: ceph_health_detail{name="OSD_SLOW_PING_TIME_BACK"} == 1 - for: 1m - labels: - severity: warning - type: ceph_default - - alert: CephOSDInternalDiskSizeMismatch - annotations: - description: One or more OSDs have an internal inconsistency between metadata - and the size of the device. This could lead to the OSD(s) crashing in future. - You should redeploy the affected OSDs. - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#bluestore-disk-size-mismatch - summary: OSD size inconsistency error - expr: ceph_health_detail{name="BLUESTORE_DISK_SIZE_MISMATCH"} == 1 - for: 1m - labels: - severity: warning - type: ceph_default - - alert: CephDeviceFailurePredicted - annotations: - description: The device health module has determined that one or more devices - will fail soon. To review device status use 'ceph device ls'. To show a specific - device use 'ceph device info '. 
Mark the OSD out so that data may migrate - to other OSDs. Once the OSD has drained, destroy the OSD, replace the device, - and redeploy the OSD. - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#id2 - summary: Device(s) predicted to fail soon - expr: ceph_health_detail{name="DEVICE_HEALTH"} == 1 - for: 1m - labels: - severity: warning - type: ceph_default - - alert: CephDeviceFailurePredictionTooHigh - annotations: - description: The device health module has determined that devices predicted to - fail can not be remediated automatically, since too many OSDs would be removed - from the cluster to ensure performance and availability. Prevent data integrity - issues by adding new OSDs so that data may be relocated. - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#device-health-toomany - summary: Too many devices are predicted to fail, unable to resolve - expr: ceph_health_detail{name="DEVICE_HEALTH_TOOMANY"} == 1 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.4.7 - severity: critical - type: ceph_default - - alert: CephDeviceFailureRelocationIncomplete - annotations: - description: "The device health module has determined that one or more devices - will fail soon, but the normal process of relocating the data on the device - to other OSDs in the cluster is blocked. \nEnsure that the cluster has available - free space. It may be necessary to add capacity to the cluster to allow data - from the failing device to successfully migrate, or to enable the balancer." 
- documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#device-health-in-use - summary: Device failure is predicted, but unable to relocate data - expr: ceph_health_detail{name="DEVICE_HEALTH_IN_USE"} == 1 - for: 1m - labels: - severity: warning - type: ceph_default - - alert: CephOSDFlapping - annotations: - description: OSD {{ $labels.ceph_daemon }} on {{ $labels.hostname }} was marked - down and back up {{ $value | humanize }} times once a minute for 5 minutes. - This may indicate a network issue (latency, packet loss, MTU mismatch) on the - cluster network, or the public network if no cluster network is deployed. Check - the network stats on the listed host(s). - documentation: https://docs.ceph.com/en/latest/rados/troubleshooting/troubleshooting-osd#flapping-osds - summary: Network issues are causing OSDs to flap (mark each other down) - expr: (rate(ceph_osd_up[5m]) * on(ceph_daemon) group_left(hostname) ceph_osd_metadata) - * 60 > 1 - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.4.4 - severity: warning - type: ceph_default - - alert: CephOSDReadErrors - annotations: - description: An OSD has encountered read errors, but the OSD has recovered by - retrying the reads. This may indicate an issue with hardware or the kernel. - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#bluestore-spurious-read-errors - summary: Device read errors detected - expr: ceph_health_detail{name="BLUESTORE_SPURIOUS_READ_ERRORS"} == 1 - for: 30s - labels: - severity: warning - type: ceph_default - - alert: CephPGImbalance - annotations: - description: OSD {{ $labels.ceph_daemon }} on {{ $labels.hostname }} deviates - by more than 30% from average PG count. 
- summary: PGs are not balanced across OSDs - expr: | - abs( - ((ceph_osd_numpg > 0) - on (job) group_left avg(ceph_osd_numpg > 0) by (job)) / - on (job) group_left avg(ceph_osd_numpg > 0) by (job) - ) * on (ceph_daemon) group_left(hostname) ceph_osd_metadata > 0.30 - for: 5m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.4.5 - severity: warning - type: ceph_default - - name: mds - rules: - - alert: CephFilesystemDamaged - annotations: - description: Filesystem metadata has been corrupted. Data may be inaccessible. - Analyze metrics from the MDS daemon admin socket, or escalate to support. - documentation: https://docs.ceph.com/en/latest/cephfs/health-messages#cephfs-health-messages - summary: CephFS filesystem is damaged. - expr: ceph_health_detail{name="MDS_DAMAGE"} > 0 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.5.1 - severity: critical - type: ceph_default - - alert: CephFilesystemOffline - annotations: - description: All MDS ranks are unavailable. The MDS daemons managing metadata - are down, rendering the filesystem offline. - documentation: https://docs.ceph.com/en/latest/cephfs/health-messages/#mds-all-down - summary: CephFS filesystem is offline - expr: ceph_health_detail{name="MDS_ALL_DOWN"} > 0 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.5.3 - severity: critical - type: ceph_default - - alert: CephFilesystemDegraded - annotations: - description: One or more metadata daemons (MDS ranks) are failed or in a damaged - state. At best the filesystem is partially available, at worst the filesystem - is completely unusable. - documentation: https://docs.ceph.com/en/latest/cephfs/health-messages/#fs-degraded - summary: CephFS filesystem is degraded - expr: ceph_health_detail{name="FS_DEGRADED"} > 0 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.5.4 - severity: critical - type: ceph_default - - alert: CephFilesystemMDSRanksLow - annotations: - description: The filesystem's 'max_mds' setting defines the number of MDS ranks - in the filesystem. 
The current number of active MDS daemons is less than this - value. - documentation: https://docs.ceph.com/en/latest/cephfs/health-messages/#mds-up-less-than-max - summary: Ceph MDS daemon count is lower than configured - expr: ceph_health_detail{name="MDS_UP_LESS_THAN_MAX"} > 0 - for: 1m - labels: - severity: warning - type: ceph_default - - alert: CephFilesystemInsufficientStandby - annotations: - description: The minimum number of standby daemons required by standby_count_wanted - is less than the current number of standby daemons. Adjust the standby count - or increase the number of MDS daemons. - documentation: https://docs.ceph.com/en/latest/cephfs/health-messages/#mds-insufficient-standby - summary: Ceph filesystem standby daemons too few - expr: ceph_health_detail{name="MDS_INSUFFICIENT_STANDBY"} > 0 - for: 1m - labels: - severity: warning - type: ceph_default - - alert: CephFilesystemFailureNoStandby - annotations: - description: An MDS daemon has failed, leaving only one active rank and no available - standby. Investigate the cause of the failure or add a standby MDS. - documentation: https://docs.ceph.com/en/latest/cephfs/health-messages/#fs-with-failed-mds - summary: MDS daemon failed, no further standby available - expr: ceph_health_detail{name="FS_WITH_FAILED_MDS"} > 0 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.5.5 - severity: critical - type: ceph_default - - alert: CephFilesystemReadOnly - annotations: - description: The filesystem has switched to READ ONLY due to an unexpected error - when writing to the metadata pool. Either analyze the output from the MDS daemon - admin socket, or escalate to support. 
- documentation: https://docs.ceph.com/en/latest/cephfs/health-messages#cephfs-health-messages - summary: CephFS filesystem in read only mode due to write error(s) - expr: ceph_health_detail{name="MDS_HEALTH_READ_ONLY"} > 0 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.5.2 - severity: critical - type: ceph_default - - name: mgr - rules: - - alert: CephMgrModuleCrash - annotations: - description: One or more mgr modules have crashed and have yet to be acknowledged - by an administrator. A crashed module may impact functionality within the cluster. - Use the 'ceph crash' command to determine which module has failed, and archive - it to acknowledge the failure. - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#recent-mgr-module-crash - summary: A manager module has recently crashed - expr: ceph_health_detail{name="RECENT_MGR_MODULE_CRASH"} == 1 - for: 5m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.6.1 - severity: critical - type: ceph_default - - alert: CephMgrPrometheusModuleInactive - annotations: - description: The mgr/prometheus module at {{ $labels.instance }} is unreachable. - This could mean that the module has been disabled or the mgr daemon itself is - down. Without the mgr/prometheus module metrics and alerts will no longer function. - Open a shell to an admin node or toolbox pod and use 'ceph -s' to to determine - whether the mgr is active. If the mgr is not active, restart it, otherwise you - can determine module status with 'ceph mgr module ls'. If it is not listed as - enabled, enable it with 'ceph mgr module enable prometheus'. - summary: The mgr/prometheus module is not available - expr: up{job="ceph"} == 0 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.6.2 - severity: critical - type: ceph_default - - name: pgs - rules: - - alert: CephPGsInactive - annotations: - description: '{{ $value }} PGs have been inactive for more than 5 minutes in pool - {{ $labels.name }}. 
Inactive placement groups are not able to serve read/write - requests.' - summary: One or more placement groups are inactive - expr: ceph_pool_metadata * on(pool_id,instance) group_left() (ceph_pg_total - ceph_pg_active) - > 0 - for: 5m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.7.1 - severity: critical - type: ceph_default - - alert: CephPGsUnclean - annotations: - description: '{{ $value }} PGs have been unclean for more than 15 minutes in pool - {{ $labels.name }}. Unclean PGs have not recovered from a previous failure.' - summary: One or more placement groups are marked unclean - expr: ceph_pool_metadata * on(pool_id,instance) group_left() (ceph_pg_total - ceph_pg_clean) - > 0 - for: 15m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.7.2 - severity: warning - type: ceph_default - - alert: CephPGsDamaged - annotations: - description: During data consistency checks (scrub), at least one PG has been - flagged as being damaged or inconsistent. Check to see which PG is affected, - and attempt a manual repair if necessary. To list problematic placement groups, - use 'rados list-inconsistent-pg '. To repair PGs use the 'ceph pg repair - ' command. - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-damaged - summary: Placement group damaged, manual intervention needed - expr: ceph_health_detail{name=~"PG_DAMAGED|OSD_SCRUB_ERRORS"} == 1 - for: 5m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.7.4 - severity: critical - type: ceph_default - - alert: CephPGRecoveryAtRisk - annotations: - description: Data redundancy is at risk since one or more OSDs are at or above - the 'full' threshold. Add more capacity to the cluster, restore down/out OSDs, - or delete unwanted data. 
- documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-recovery-full - summary: OSDs are too full for recovery - expr: ceph_health_detail{name="PG_RECOVERY_FULL"} == 1 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.7.5 - severity: critical - type: ceph_default - - alert: CephPGUnavailableBlockingIO - annotations: - description: Data availability is reduced, impacting the cluster's ability to - service I/O. One or more placement groups (PGs) are in a state that blocks I/O. - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-availability - summary: PG is unavailable, blocking I/O - expr: ((ceph_health_detail{name="PG_AVAILABILITY"} == 1) - scalar(ceph_health_detail{name="OSD_DOWN"})) - == 1 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.7.3 - severity: critical - type: ceph_default - - alert: CephPGBackfillAtRisk - annotations: - description: Data redundancy may be at risk due to lack of free space within the - cluster. One or more OSDs have reached the 'backfillfull' threshold. Add more - capacity, or delete unwanted data. - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-backfill-full - summary: Backfill operations are blocked due to lack of free space - expr: ceph_health_detail{name="PG_BACKFILL_FULL"} == 1 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.7.6 - severity: critical - type: ceph_default - - alert: CephPGNotScrubbed - annotations: - description: 'One or more PGs have not been scrubbed recently. Scrubs check metadata - integrity, protecting against bit-rot. They check that metadata is consistent - across data replicas. When PGs miss their scrub interval, it may indicate that - the scrub window is too small, or PGs were not in a ''clean'' state during the - scrub window. 
You can manually initiate a scrub with: ceph pg scrub ' - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-not-scrubbed - summary: Placement group(s) have not been scrubbed - expr: ceph_health_detail{name="PG_NOT_SCRUBBED"} == 1 - for: 5m - labels: - severity: warning - type: ceph_default - - alert: CephPGsHighPerOSD - annotations: - description: |- - The number of placement groups per OSD is too high (exceeds the mon_max_pg_per_osd setting). - Check that the pg_autoscaler has not been disabled for any pools with 'ceph osd pool autoscale-status', and that the profile selected is appropriate. You may also adjust the target_size_ratio of a pool to guide the autoscaler based on the expected relative size of the pool ('ceph osd pool set cephfs.cephfs.meta target_size_ratio .1') or set the pg_autoscaler mode to 'warn' and adjust pg_num appropriately for one or more pools. - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks/#too-many-pgs - summary: Placement groups per OSD is too high - expr: ceph_health_detail{name="TOO_MANY_PGS"} == 1 - for: 1m - labels: - severity: warning - type: ceph_default - - alert: CephPGNotDeepScrubbed - annotations: - description: One or more PGs have not been deep scrubbed recently. Deep scrubs - protect against bit-rot. They compare data replicas to ensure consistency. When - PGs miss their deep scrub interval, it may indicate that the window is too small - or PGs were not in a 'clean' state during the deep-scrub window. - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-not-deep-scrubbed - summary: Placement group(s) have not been deep scrubbed - expr: ceph_health_detail{name="PG_NOT_DEEP_SCRUBBED"} == 1 - for: 5m - labels: - severity: warning - type: ceph_default - - name: nodes - rules: - - alert: CephNodeRootFilesystemFull - annotations: - description: 'Root volume is dangerously full: {{ $value | humanize }}% free.' 
- summary: Root filesystem is dangerously full - expr: node_filesystem_avail_bytes{mountpoint="/"} / node_filesystem_size_bytes{mountpoint="/"} - * 100 < 5 - for: 5m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.8.1 - severity: critical - type: ceph_default - - alert: CephNodeNetworkPacketDrops - annotations: - description: Node {{ $labels.instance }} experiences packet drop > 0.5% or > 10 - packets/s on interface {{ $labels.device }}. - summary: One or more NICs reports packet drops - expr: | - ( - rate(node_network_receive_drop_total{device!="lo"}[1m]) + - rate(node_network_transmit_drop_total{device!="lo"}[1m]) - ) / ( - rate(node_network_receive_packets_total{device!="lo"}[1m]) + - rate(node_network_transmit_packets_total{device!="lo"}[1m]) - ) >= 0.0050000000000000001 and ( - rate(node_network_receive_drop_total{device!="lo"}[1m]) + - rate(node_network_transmit_drop_total{device!="lo"}[1m]) - ) >= 10 - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.8.2 - severity: warning - type: ceph_default - - alert: CephNodeNetworkPacketErrors - annotations: - description: Node {{ $labels.instance }} experiences packet errors > 0.01% or - > 10 packets/s on interface {{ $labels.device }}. - summary: One or more NICs reports packet errors - expr: | - ( - rate(node_network_receive_errs_total{device!="lo"}[1m]) + - rate(node_network_transmit_errs_total{device!="lo"}[1m]) - ) / ( - rate(node_network_receive_packets_total{device!="lo"}[1m]) + - rate(node_network_transmit_packets_total{device!="lo"}[1m]) - ) >= 0.0001 or ( - rate(node_network_receive_errs_total{device!="lo"}[1m]) + - rate(node_network_transmit_errs_total{device!="lo"}[1m]) - ) >= 10 - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.8.3 - severity: warning - type: ceph_default - - alert: CephNodeNetworkBondDegraded - annotations: - description: Bond {{ $labels.master }} is degraded on Node {{ $labels.instance - }}. 
- summary: Degraded Bond on Node {{ $labels.instance }} - expr: | - node_bonding_slaves - node_bonding_active != 0 - labels: - severity: warning - type: ceph_default - - alert: CephNodeInconsistentMTU - annotations: - description: Node {{ $labels.instance }} has a different MTU size ({{ $value }}) - than the median of devices named {{ $labels.device }}. - summary: MTU settings across Ceph hosts are inconsistent - expr: node_network_mtu_bytes * (node_network_up{device!="lo"} > 0) == scalar( max - by (device) (node_network_mtu_bytes * (node_network_up{device!="lo"} > 0)) != quantile - by (device) (.5, node_network_mtu_bytes * (node_network_up{device!="lo"} > 0)) )or - node_network_mtu_bytes * (node_network_up{device!="lo"} > 0) == scalar( min - by (device) (node_network_mtu_bytes * (node_network_up{device!="lo"} > 0)) != quantile - by (device) (.5, node_network_mtu_bytes * (node_network_up{device!="lo"} > 0)) ) - labels: - severity: warning - type: ceph_default - - name: pools - rules: - - alert: CephPoolGrowthWarning - annotations: - description: Pool '{{ $labels.name }}' will be full in less than 5 days assuming - the average fill-up rate of the past 48 hours. - summary: Pool growth rate may soon exceed capacity - expr: (predict_linear(ceph_pool_percent_used[2d], 3600 * 24 * 5) * on(pool_id, instance, - pod) group_right() ceph_pool_metadata) >= 95 - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.9.2 - severity: warning - type: ceph_default - - alert: CephPoolBackfillFull - annotations: - description: A pool is approaching the near full threshold, which will prevent - recovery/backfill operations from completing. Consider adding more capacity. - summary: Free space in a pool is too low for recovery/backfill - expr: ceph_health_detail{name="POOL_BACKFILLFULL"} > 0 - labels: - severity: warning - type: ceph_default - - alert: CephPoolFull - annotations: - description: A pool has reached its MAX quota, or OSDs supporting the pool have - reached the FULL threshold. 
Until this is resolved, writes to the pool will - be blocked. Pool Breakdown (top 5) {{- range query "topk(5, sort_desc(ceph_pool_percent_used - * on(pool_id) group_right ceph_pool_metadata))" }} - {{ .Labels.name }} at {{ - .Value }}% {{- end }} Increase the pool's quota, or add capacity to the cluster - first then increase the pool's quota (e.g. ceph osd pool set quota - max_bytes ) - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#pool-full - summary: Pool is full - writes are blocked - expr: ceph_health_detail{name="POOL_FULL"} > 0 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.9.1 - severity: critical - type: ceph_default - - alert: CephPoolNearFull - annotations: - description: A pool has exceeded the warning (percent full) threshold, or OSDs - supporting the pool have reached the NEARFULL threshold. Writes may continue, - but you are at risk of the pool going read-only if more capacity isn't made - available. Determine the affected pool with 'ceph df detail', looking at QUOTA - BYTES and STORED. Increase the pool's quota, or add capacity to the cluster - first then increase the pool's quota (e.g. ceph osd pool set quota - max_bytes ). Also ensure that the balancer is active. 
- summary: One or more Ceph pools are nearly full - expr: ceph_health_detail{name="POOL_NEAR_FULL"} > 0 - for: 5m - labels: - severity: warning - type: ceph_default - - name: healthchecks - rules: - - alert: CephSlowOps - annotations: - description: '{{ $value }} OSD requests are taking too long to process (osd_op_complaint_time - exceeded)' - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#slow-ops - summary: OSD operations are slow to complete - expr: ceph_healthcheck_slow_ops > 0 - for: 30s - labels: - severity: warning - type: ceph_default - - alert: CephDaemonSlowOps - annotations: - description: '{{ $labels.ceph_daemon }} operations are taking too long to process - (complaint time exceeded)' - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#slow-ops - summary: '{{ $labels.ceph_daemon }} operations are slow to complete' - expr: ceph_daemon_health_metrics{type="SLOW_OPS"} > 0 - for: 30s - labels: - severity: warning - type: ceph_default - - name: hardware - rules: - - alert: HardwareStorageError - annotations: - description: Some storage devices are in error. Check `ceph health detail`. - summary: Storage devices error(s) detected - expr: ceph_health_detail{name="HARDWARE_STORAGE"} > 0 - for: 30s - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.13.1 - severity: critical - type: ceph_default - - alert: HardwareMemoryError - annotations: - description: DIMM error(s) detected. Check `ceph health detail`. - summary: DIMM error(s) detected - expr: ceph_health_detail{name="HARDWARE_MEMORY"} > 0 - for: 30s - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.13.2 - severity: critical - type: ceph_default - - alert: HardwareProcessorError - annotations: - description: Processor error(s) detected. Check `ceph health detail`. 
- summary: Processor error(s) detected - expr: ceph_health_detail{name="HARDWARE_PROCESSOR"} > 0 - for: 30s - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.13.3 - severity: critical - type: ceph_default - - alert: HardwareNetworkError - annotations: - description: Network error(s) detected. Check `ceph health detail`. - summary: Network error(s) detected - expr: ceph_health_detail{name="HARDWARE_NETWORK"} > 0 - for: 30s - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.13.4 - severity: critical - type: ceph_default - - alert: HardwarePowerError - annotations: - description: Power supply error(s) detected. Check `ceph health detail`. - summary: Power supply error(s) detected - expr: ceph_health_detail{name="HARDWARE_POWER"} > 0 - for: 30s - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.13.5 - severity: critical - type: ceph_default - - alert: HardwareFanError - annotations: - description: Fan error(s) detected. Check `ceph health detail`. - summary: Fan error(s) detected - expr: ceph_health_detail{name="HARDWARE_FANS"} > 0 - for: 30s - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.13.6 - severity: critical - type: ceph_default - - name: PrometheusServer - rules: - - alert: PrometheusJobMissing - annotations: - description: The prometheus job that scrapes from Ceph MGR is no longer defined, - this will effectively mean you'll have no metrics or alerts for the cluster. Please - review the job definitions in the prometheus.yml file of the prometheus instance. - summary: The scrape job for Ceph MGR is missing from Prometheus - expr: absent(up{job="rook-ceph-mgr"}) - for: 30s - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.12.1 - severity: critical - type: ceph_default - - alert: PrometheusJobExporterMissing - annotations: - description: The prometheus job that scrapes from Ceph Exporter is no longer defined, - this will effectively mean you'll have no metrics or alerts for the cluster. Please - review the job definitions in the prometheus.yml file of the prometheus instance. 
- summary: The scrape job for Ceph Exporter is missing from Prometheus - expr: sum(absent(up{job="rook-ceph-exporter"})) and sum(ceph_osd_metadata{ceph_version=~"^ceph - version (1[89]|[2-9][0-9]).*"}) > 0 - for: 30s - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.12.1 - severity: critical - type: ceph_default - - name: rados - rules: - - alert: CephObjectMissing - annotations: - description: The latest version of a RADOS object can not be found, even though - all OSDs are up. I/O requests for this object from clients will block (hang). - Resolving this issue may require the object to be rolled back to a prior version - manually, and manually verified. - documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks#object-unfound - summary: Object(s) marked UNFOUND - expr: (ceph_health_detail{name="OBJECT_UNFOUND"} == 1) * on() (count(ceph_osd_up - == 1) == bool count(ceph_osd_metadata)) == 1 - for: 30s - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.10.1 - severity: critical - type: ceph_default - - name: generic - rules: - - alert: CephDaemonCrash - annotations: - description: One or more daemons have crashed recently, and need to be acknowledged. - This notification ensures that software crashes do not go unseen. To acknowledge - a crash, use the 'ceph crash archive ' command. 
- documentation: https://docs.ceph.com/en/latest/rados/operations/health-checks/#recent-crash - summary: One or more Ceph daemons have crashed, and are pending acknowledgement - expr: ceph_health_detail{name="RECENT_CRASH"} == 1 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.1.2 - severity: critical - type: ceph_default - - name: rbdmirror - rules: - - alert: CephRBDMirrorImagesPerDaemonHigh - annotations: - description: Number of image replications per daemon is not supposed to go beyond - threshold 100 - summary: Number of image replications are now above 100 - expr: sum by (ceph_daemon, namespace) (ceph_rbd_mirror_snapshot_image_snapshots) - > 100 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.10.2 - severity: critical - type: ceph_default - - alert: CephRBDMirrorImagesNotInSync - annotations: - description: Both local and remote RBD mirror images should be in sync. - summary: Some of the RBD mirror images are not in sync with the remote counter - parts. - expr: sum by (ceph_daemon, image, namespace, pool) (topk by (ceph_daemon, image, - namespace, pool) (1, ceph_rbd_mirror_snapshot_image_local_timestamp) - topk by - (ceph_daemon, image, namespace, pool) (1, ceph_rbd_mirror_snapshot_image_remote_timestamp)) - != 0 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.10.3 - severity: critical - type: ceph_default - - alert: CephRBDMirrorImagesNotInSyncVeryHigh - annotations: - description: More than 10% of the images have synchronization problems - summary: Number of unsynchronized images are very high. 
- expr: count by (ceph_daemon) ((topk by (ceph_daemon, image, namespace, pool) (1, - ceph_rbd_mirror_snapshot_image_local_timestamp) - topk by (ceph_daemon, image, - namespace, pool) (1, ceph_rbd_mirror_snapshot_image_remote_timestamp)) != 0) > - (sum by (ceph_daemon) (ceph_rbd_mirror_snapshot_snapshots)*.1) - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.10.4 - severity: critical - type: ceph_default - - alert: CephRBDMirrorImageTransferBandwidthHigh - annotations: - description: Detected a heavy increase in bandwidth for rbd replications (over - 80%) in the last 30 min. This might not be a problem, but it is good to review - the number of images being replicated simultaneously - summary: The replication network usage has been increased over 80% in the last - 30 minutes. Review the number of images being replicated. This alert will be - cleaned automatically after 30 minutes - expr: rate(ceph_rbd_mirror_journal_replay_bytes[30m]) > 0.80 - for: 1m - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.10.5 - severity: warning - type: ceph_default - - name: nvmeof - rules: - - alert: NVMeoFSubsystemNamespaceLimit - annotations: - description: Subsystems have a max namespace limit defined at creation time. 
This - alert means that no more namespaces can be added to {{ $labels.nqn }} - summary: '{{ $labels.nqn }} subsystem has reached its maximum number of namespaces ' - expr: (count by(nqn) (ceph_nvmeof_subsystem_namespace_metadata)) >= ceph_nvmeof_subsystem_namespace_limit - for: 1m - labels: - severity: warning - type: ceph_default - - alert: NVMeoFTooManyGateways - annotations: - description: You may create many gateways, but 4 is the tested limit - summary: 'Max supported gateways exceeded ' - expr: count(ceph_nvmeof_gateway_info) > 4.00 - for: 1m - labels: - severity: warning - type: ceph_default - - alert: NVMeoFMaxGatewayGroupSize - annotations: - description: You may create many gateways in a gateway group, but 2 is the tested - limit - summary: 'Max gateways within a gateway group ({{ $labels.group }}) exceeded ' - expr: count by(group) (ceph_nvmeof_gateway_info) > 2.00 - for: 1m - labels: - severity: warning - type: ceph_default - - alert: NVMeoFSingleGatewayGroup - annotations: - description: Although a single member gateway group is valid, it should only be - used for test purposes - summary: 'The gateway group {{ $labels.group }} consists of a single gateway - - HA is not possible ' - expr: count by(group) (ceph_nvmeof_gateway_info) == 1 - for: 5m - labels: - severity: warning - type: ceph_default - - alert: NVMeoFHighGatewayCPU - annotations: - description: Typically, high CPU may indicate degraded performance. 
Consider increasing - the number of reactor cores - summary: 'CPU used by {{ $labels.instance }} NVMe-oF Gateway is high ' - expr: label_replace(avg by(instance) (rate(ceph_nvmeof_reactor_seconds_total{mode="busy"}[1m])),"instance","$1","instance","(.*):.*") - > 80.00 - for: 10m - labels: - severity: warning - type: ceph_default - - alert: NVMeoFGatewayOpenSecurity - annotations: - description: It is good practice to ensure subsystems use host security to reduce - the risk of unexpected data loss - summary: 'Subsystem {{ $labels.nqn }} has been defined without host level security ' - expr: ceph_nvmeof_subsystem_metadata{allow_any_host="yes"} - for: 5m - labels: - severity: warning - type: ceph_default - - alert: NVMeoFTooManySubsystems - annotations: - description: Although you may continue to create subsystems in {{ $labels.gateway_host - }}, the configuration may not be supported - summary: 'The number of subsystems defined to the gateway exceeds supported values ' - expr: count by(gateway_host) (label_replace(ceph_nvmeof_subsystem_metadata,"gateway_host","$1","instance","(.*):.*")) - > 16.00 - for: 1m - labels: - severity: warning - type: ceph_default - - alert: NVMeoFVersionMismatch - annotations: - description: This may indicate an issue with deployment. 
Check cephadm logs - summary: 'The cluster has different NVMe-oF gateway releases active ' - expr: count(count by(version) (ceph_nvmeof_gateway_info)) > 1 - for: 1h - labels: - severity: warning - type: ceph_default - - alert: NVMeoFHighClientCount - annotations: - description: The supported limit for clients connecting to a subsystem is 32 - summary: 'The number of clients connected to {{ $labels.nqn }} is too high ' - expr: ceph_nvmeof_subsystem_host_count > 32.00 - for: 1m - labels: - severity: warning - type: ceph_default - - alert: NVMeoFHighHostCPU - annotations: - description: High CPU on a gateway host can lead to CPU contention and performance - degradation - summary: 'The CPU is high ({{ $value }}%) on NVMeoF Gateway host ({{ $labels.host - }}) ' - expr: 100-((100*(avg by(host) (label_replace(rate(node_cpu_seconds_total{mode="idle"}[5m]),"host","$1","instance","(.*):.*")) - * on(host) group_right label_replace(ceph_nvmeof_gateway_info,"host","$1","instance","(.*):.*")))) - >= 80.00 - for: 10m - labels: - severity: warning - type: ceph_default - - alert: NVMeoFInterfaceDown - annotations: - description: A NIC used by one or more subsystems is in a down state - summary: 'Network interface {{ $labels.device }} is down ' - expr: ceph_nvmeof_subsystem_listener_iface_info{operstate="down"} - for: 30s - labels: - oid: 1.3.6.1.4.1.50495.1.2.1.14.1 - severity: warning - type: ceph_default - - alert: NVMeoFInterfaceDuplex - annotations: - description: Until this is resolved, performance from the gateway will be degraded - summary: 'Network interface {{ $labels.device }} is not running in full duplex - mode ' - expr: ceph_nvmeof_subsystem_listener_iface_info{duplex!="full"} - for: 30s - labels: - severity: warning - type: ceph_default - - alert: NVMeoFHighReadLatency - annotations: - description: High latencies may indicate a constraint within the cluster e.g. - CPU, network. 
Please investigate - summary: The average read latency over the last 5 mins has reached 10 ms or more - on {{ $labels.gateway }} - expr: label_replace((avg by(instance) ((rate(ceph_nvmeof_bdev_read_seconds_total[1m]) - / rate(ceph_nvmeof_bdev_reads_completed_total[1m])))),"gateway","$1","instance","(.*):.*") - > 0.01 - for: 5m - labels: - severity: warning - type: ceph_default - - alert: NVMeoFHighWriteLatency - annotations: - description: High latencies may indicate a constraint within the cluster e.g. - CPU, network. Please investigate - summary: The average write latency over the last 5 mins has reached 20 ms or more - on {{ $labels.gateway }} - expr: label_replace((avg by(instance) ((rate(ceph_nvmeof_bdev_write_seconds_total[5m]) - / rate(ceph_nvmeof_bdev_writes_completed_total[5m])))),"gateway","$1","instance","(.*):.*") - > 0.02 - for: 5m - labels: - severity: warning - type: ceph_default ---- -# Source: rook-ceph/charts/rook-ceph-cluster/templates/volumesnapshotclass.yaml -kind: VolumeSnapshotClass -apiVersion: snapshot.storage.k8s.io/v1 -metadata: - name: ceph-filesystem - annotations: - snapshot.storage.kubernetes.io/is-default-class: "false" -driver: rook-ceph.cephfs.csi.ceph.com -parameters: - clusterID: rook-ceph - csi.storage.k8s.io/snapshotter-secret-name: rook-csi-cephfs-provisioner - csi.storage.k8s.io/snapshotter-secret-namespace: rook-ceph -deletionPolicy: Delete ---- -# Source: rook-ceph/charts/rook-ceph-cluster/templates/volumesnapshotclass.yaml -kind: VolumeSnapshotClass -apiVersion: snapshot.storage.k8s.io/v1 -metadata: - name: ceph-blockpool-snapshot - annotations: - snapshot.storage.kubernetes.io/is-default-class: "true" -driver: rook-ceph.rbd.csi.ceph.com -parameters: - clusterID: rook-ceph - csi.storage.k8s.io/snapshotter-secret-name: rook-csi-rbd-provisioner - csi.storage.k8s.io/snapshotter-secret-namespace: rook-ceph -deletionPolicy: Delete 
diff --git a/clusters/cl01tl/manifests/roundcube/roundcube.yaml b/clusters/cl01tl/manifests/roundcube/roundcube.yaml
deleted file mode 100644
index ae25ad2ed..000000000
--- a/clusters/cl01tl/manifests/roundcube/roundcube.yaml
+++ /dev/null
@@ -1,1005 +0,0 @@ ---- -# Source: roundcube/charts/roundcube/templates/common.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: roundcube - labels: - app.kubernetes.io/instance: roundcube - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: roundcube - helm.sh/chart: roundcube-4.4.0 - namespace: roundcube -data: - default.conf: | - server { - listen 80 default_server; - server_name _; - root /var/www/html; - - location / { - try_files $uri /index.php$is_args$args; - } - - location ~ \.php(/|$) { - try_files $uri =404; - fastcgi_pass roundcube:9000; - fastcgi_read_timeout 300; - proxy_read_timeout 300; - fastcgi_split_path_info ^(.+\.php)(/.*)$; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; - fastcgi_param DOCUMENT_ROOT $realpath_root; - internal; - } - - client_max_body_size 6m; - - error_log /var/log/nginx/error.log; - access_log /var/log/nginx/access.log; - } ---- -# Source: roundcube/charts/roundcube/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: roundcube-data - labels: - app.kubernetes.io/instance: roundcube - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: roundcube - helm.sh/chart: roundcube-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: roundcube -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: roundcube/charts/roundcube/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: roundcube - labels: - app.kubernetes.io/instance: roundcube - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: roundcube - app.kubernetes.io/service: roundcube - helm.sh/chart: roundcube-4.4.0 - namespace: roundcube -spec: - type: ClusterIP - ports: - - port: 9000 - targetPort: 9000 - protocol: TCP - name: mail - - port: 80 - targetPort: 80 - protocol: TCP - name: web - selector: - app.kubernetes.io/controller: main - 
app.kubernetes.io/instance: roundcube - app.kubernetes.io/name: roundcube ---- -# Source: roundcube/charts/roundcube/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: roundcube-main - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: roundcube - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: roundcube - helm.sh/chart: roundcube-4.4.0 - namespace: roundcube -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: roundcube - app.kubernetes.io/instance: roundcube - template: - metadata: - annotations: - checksum/configMaps: fb5b79e14a16673def67423a38952ae1855171d07a8332d9e863febcd28fce92 - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: roundcube - app.kubernetes.io/name: roundcube - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: ROUNDCUBEMAIL_DB_TYPE - value: pgsql - - name: ROUNDCUBEMAIL_DB_HOST - valueFrom: - secretKeyRef: - key: host - name: roundcube-postgresql-17-cluster-app - - name: ROUNDCUBEMAIL_DB_NAME - valueFrom: - secretKeyRef: - key: dbname - name: roundcube-postgresql-17-cluster-app - - name: ROUNDCUBEMAIL_DB_USER - valueFrom: - secretKeyRef: - key: user - name: roundcube-postgresql-17-cluster-app - - name: ROUNDCUBEMAIL_DB_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: roundcube-postgresql-17-cluster-app - - name: ROUNDCUBEMAIL_DES_KEY - valueFrom: - secretKeyRef: - key: DES_KEY - name: roundcube-key-secret - - name: ROUNDCUBEMAIL_DEFAULT_HOST - value: stalwart.stalwart - - name: ROUNDCUBEMAIL_DEFAULT_PORT - value: "143" - - name: ROUNDCUBEMAIL_SMTP_SERVER - value: stalwart.stalwart - - name: ROUNDCUBEMAIL_SMTP_PORT - value: "25" - - name: ROUNDCUBEMAIL_SKIN - value: 
elastic - - name: ROUNDCUBEMAIL_PLUGINS - value: archive,zipdownload,newmail_notifier - image: roundcube/roundcubemail:1.6.11-fpm-alpine - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /var/www/html - name: data - - mountPath: /tmp/roundcube-temp - name: temp - - env: - - name: NGINX_HOST - value: mail.alexlebens.net - - name: NGINX_PHP_CGI - value: roundcube.roundcube:9000 - image: nginx:1.29.3-alpine - imagePullPolicy: IfNotPresent - name: nginx - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /etc/nginx/conf.d/default.conf - mountPropagation: None - name: config - readOnly: true - subPath: default.conf - - mountPath: /var/www/html - name: data - volumes: - - configMap: - name: roundcube-config - name: config - - name: data - persistentVolumeClaim: - claimName: roundcube-data - - emptyDir: {} - name: temp ---- -# Source: roundcube/charts/roundcube/templates/common.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: roundcube-cleandb - labels: - app.kubernetes.io/controller: cleandb - app.kubernetes.io/instance: roundcube - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: roundcube - helm.sh/chart: roundcube-4.4.0 - namespace: roundcube -spec: - suspend: false - concurrencyPolicy: Forbid - startingDeadlineSeconds: 90 - timeZone: US/Central - schedule: "30 4 * * *" - successfulJobsHistoryLimit: 3 - failedJobsHistoryLimit: 3 - jobTemplate: - spec: - parallelism: 1 - backoffLimit: 3 - template: - metadata: - annotations: - checksum/configMaps: fb5b79e14a16673def67423a38952ae1855171d07a8332d9e863febcd28fce92 - labels: - app.kubernetes.io/controller: cleandb - app.kubernetes.io/instance: roundcube - app.kubernetes.io/name: roundcube - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - restartPolicy: Never 
- containers: - - args: - - bin/cleandb.sh - env: - - name: ROUNDCUBEMAIL_DB_TYPE - value: pgsql - - name: ROUNDCUBEMAIL_DB_HOST - valueFrom: - secretKeyRef: - key: host - name: roundcube-postgresql-17-cluster-app - - name: ROUNDCUBEMAIL_DB_NAME - valueFrom: - secretKeyRef: - key: dbname - name: roundcube-postgresql-17-cluster-app - - name: ROUNDCUBEMAIL_DB_USER - valueFrom: - secretKeyRef: - key: user - name: roundcube-postgresql-17-cluster-app - - name: ROUNDCUBEMAIL_DB_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: roundcube-postgresql-17-cluster-app - - name: ROUNDCUBEMAIL_DES_KEY - valueFrom: - secretKeyRef: - key: DES_KEY - name: roundcube-key-secret - - name: ROUNDCUBEMAIL_DEFAULT_HOST - value: tls://stalwart.stalwart - - name: ROUNDCUBEMAIL_SMTP_SERVER - value: tls://stalwart.stalwart - - name: ROUNDCUBEMAIL_SKIN - value: elastic - - name: ROUNDCUBEMAIL_PLUGINS - value: archive,zipdownload,newmail_notifier - image: roundcube/roundcubemail:1.6.11-fpm-alpine - imagePullPolicy: IfNotPresent - name: backup - resources: - requests: - cpu: 100m - memory: 128Mi ---- -# Source: roundcube/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: roundcube-postgresql-17-cluster - namespace: roundcube - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: roundcube-postgresql-17 - app.kubernetes.io/instance: roundcube - app.kubernetes.io/part-of: roundcube - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "roundcube-postgresql-17-external-backup" - serverName: "roundcube-postgresql-17-backup-2" - - name: barman-cloud.cloudnative-pg.io - enabled: true - 
isWALArchiver: true - parameters: - barmanObjectName: "roundcube-postgresql-17-garage-local-backup" - serverName: "roundcube-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "roundcube-postgresql-17-recovery" - serverName: roundcube-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: roundcube-postgresql-17-backup-1 - - externalClusters: - - name: roundcube-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "roundcube-postgresql-17-recovery" - serverName: roundcube-postgresql-17-backup-1 ---- -# Source: roundcube/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: roundcube-key-secret - namespace: roundcube - labels: - app.kubernetes.io/name: roundcube-key-secret - app.kubernetes.io/instance: roundcube - app.kubernetes.io/part-of: roundcube -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: DES_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/roundcube/key - metadataPolicy: None - property: DES_KEY ---- -# Source: roundcube/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - 
name: roundcube-data-backup-secret - namespace: roundcube - labels: - app.kubernetes.io/name: roundcube-data-backup-secret - app.kubernetes.io/instance: roundcube - app.kubernetes.io/part-of: roundcube -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/roundcube/roundcube-data" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: roundcube/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: roundcube-postgresql-17-cluster-backup-secret - namespace: roundcube - labels: - app.kubernetes.io/name: roundcube-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: roundcube - app.kubernetes.io/part-of: roundcube -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - 
property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: roundcube/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: roundcube-postgresql-17-cluster-backup-secret-garage - namespace: roundcube - labels: - app.kubernetes.io/name: roundcube-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: roundcube - app.kubernetes.io/part-of: roundcube -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: roundcube/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-mail - namespace: roundcube - labels: - app.kubernetes.io/name: http-route-mail - app.kubernetes.io/instance: roundcube - app.kubernetes.io/part-of: roundcube -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - mail.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: roundcube - port: 80 - weight: 100 ---- -# Source: roundcube/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: 
"roundcube-postgresql-17-external-backup" - namespace: roundcube - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: roundcube-postgresql-17 - app.kubernetes.io/instance: roundcube - app.kubernetes.io/part-of: roundcube - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/roundcube/roundcube-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: roundcube-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: roundcube-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: roundcube/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "roundcube-postgresql-17-garage-local-backup" - namespace: roundcube - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: roundcube-postgresql-17 - app.kubernetes.io/instance: roundcube - app.kubernetes.io/part-of: roundcube - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/roundcube/roundcube-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: roundcube-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: roundcube-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: roundcube-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: roundcube/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "roundcube-postgresql-17-recovery" - namespace: roundcube - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - 
app.kubernetes.io/name: roundcube-postgresql-17 - app.kubernetes.io/instance: roundcube - app.kubernetes.io/part-of: roundcube - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/roundcube/roundcube-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: roundcube-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: roundcube-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: roundcube/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: roundcube-postgresql-17-alert-rules - namespace: roundcube - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: roundcube-postgresql-17 - app.kubernetes.io/instance: roundcube - app.kubernetes.io/part-of: roundcube - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/roundcube-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: roundcube - cnpg_cluster: roundcube-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. 
- description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: roundcube - cnpg_cluster: roundcube-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="roundcube"} - cnpg_pg_replication_is_wal_receiver_up{namespace="roundcube"}) < 1 - for: 5m - labels: - severity: critical - namespace: roundcube - cnpg_cluster: roundcube-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. 
The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="roundcube"} - cnpg_pg_replication_is_wal_receiver_up{namespace="roundcube"}) < 2 - for: 5m - labels: - severity: warning - namespace: roundcube - cnpg_cluster: roundcube-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "roundcube/roundcube-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="roundcube", pod=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="roundcube", pod=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: roundcube - cnpg_cluster: roundcube-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "roundcube/roundcube-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="roundcube", pod=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="roundcube", pod=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: roundcube - cnpg_cluster: roundcube-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "roundcube/roundcube-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="roundcube",pod=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: roundcube - cnpg_cluster: roundcube-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "roundcube/roundcube-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="roundcube", pod=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: roundcube - cnpg_cluster: roundcube-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: roundcube - cnpg_cluster: roundcube-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "roundcube/roundcube-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="roundcube", persistentvolumeclaim=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="roundcube", persistentvolumeclaim=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="roundcube", persistentvolumeclaim=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="roundcube", persistentvolumeclaim=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="roundcube", persistentvolumeclaim=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="roundcube", persistentvolumeclaim=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: roundcube - cnpg_cluster: roundcube-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "roundcube/roundcube-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="roundcube", persistentvolumeclaim=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="roundcube", persistentvolumeclaim=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="roundcube", persistentvolumeclaim=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="roundcube", persistentvolumeclaim=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="roundcube", persistentvolumeclaim=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="roundcube", persistentvolumeclaim=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: roundcube - cnpg_cluster: roundcube-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "roundcube/roundcube-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="roundcube",pod=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: roundcube - cnpg_cluster: roundcube-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: roundcube - cnpg_cluster: roundcube-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: roundcube - cnpg_cluster: roundcube-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: roundcube - cnpg_cluster: roundcube-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "roundcube/roundcube-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="roundcube", pod=~"roundcube-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: roundcube - cnpg_cluster: roundcube-postgresql-17-cluster ---- -# Source: roundcube/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: roundcube-data-backup-source - namespace: roundcube - labels: - app.kubernetes.io/name: roundcube-data-backup-source - app.kubernetes.io/instance: roundcube - app.kubernetes.io/part-of: roundcube -spec: - sourcePVC: roundcube-data - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: roundcube-data-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: roundcube/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "roundcube-postgresql-17-daily-backup-scheduled-backup" - namespace: roundcube - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: roundcube-postgresql-17 - app.kubernetes.io/instance: roundcube - app.kubernetes.io/part-of: roundcube - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: roundcube-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "roundcube-postgresql-17-external-backup" ---- -# Source: 
roundcube/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "roundcube-postgresql-17-live-backup-scheduled-backup" - namespace: roundcube - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: roundcube-postgresql-17 - app.kubernetes.io/instance: roundcube - app.kubernetes.io/part-of: roundcube - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: roundcube-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "roundcube-postgresql-17-garage-local-backup"
diff --git a/clusters/cl01tl/manifests/s3-exporter/s3-exporter.yaml b/clusters/cl01tl/manifests/s3-exporter/s3-exporter.yaml
deleted file mode 100644
index c3e86fb39..000000000
--- a/clusters/cl01tl/manifests/s3-exporter/s3-exporter.yaml
+++ /dev/null
@@ -1,559 +0,0 @@ ---- -# Source: s3-exporter/charts/s3-exporter/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: s3-exporter-digital-ocean - labels: - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: s3-exporter - app.kubernetes.io/service: s3-exporter-digital-ocean - helm.sh/chart: s3-exporter-4.4.0 - namespace: s3-exporter -spec: - type: ClusterIP - ports: - - port: 9655 - targetPort: 9655 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: digital-ocean - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/name: s3-exporter ---- -# Source: s3-exporter/charts/s3-exporter/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: s3-exporter-garage-local - labels: - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: s3-exporter - app.kubernetes.io/service: s3-exporter-garage-local - helm.sh/chart: s3-exporter-4.4.0 - namespace: s3-exporter -spec: - type: ClusterIP - ports: - - port: 9655 - targetPort: 9655 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: garage-local - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/name: s3-exporter ---- -# Source: s3-exporter/charts/s3-exporter/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: s3-exporter-garage-remote - labels: - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: s3-exporter - app.kubernetes.io/service: s3-exporter-garage-remote - helm.sh/chart: s3-exporter-4.4.0 - namespace: s3-exporter -spec: - type: ClusterIP - ports: - - port: 9655 - targetPort: 9655 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: garage-remote - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/name: s3-exporter ---- -# Source: s3-exporter/charts/s3-exporter/templates/common.yaml -apiVersion: v1 -kind: Service 
-metadata: - name: s3-exporter-ceph-directus - labels: - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: s3-exporter - app.kubernetes.io/service: s3-exporter-ceph-directus - helm.sh/chart: s3-exporter-4.4.0 - namespace: s3-exporter -spec: - type: ClusterIP - ports: - - port: 9655 - targetPort: 9655 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: ceph-directus - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/name: s3-exporter ---- -# Source: s3-exporter/charts/s3-exporter/templates/common.yaml ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: s3-exporter-ceph-directus - labels: - app.kubernetes.io/controller: ceph-directus - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: s3-exporter - helm.sh/chart: s3-exporter-4.4.0 - namespace: s3-exporter -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: ceph-directus - app.kubernetes.io/name: s3-exporter - app.kubernetes.io/instance: s3-exporter - template: - metadata: - labels: - app.kubernetes.io/controller: ceph-directus - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/name: s3-exporter - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: S3_NAME - value: ceph-directus - - name: S3_ENDPOINT - valueFrom: - secretKeyRef: - key: BUCKET_HOST - name: s3-ceph-directus-secret - - name: S3_ACCESS_KEY - valueFrom: - secretKeyRef: - key: AWS_ACCESS_KEY_ID - name: s3-ceph-directus-secret - - name: S3_SECRET_KEY - valueFrom: - secretKeyRef: - key: AWS_SECRET_ACCESS_KEY - name: s3-ceph-directus-secret - - name: S3_REGION - value: us-east-1 - - name: LOG_LEVEL - value: info - - name: S3_FORCE_PATH_STYLE - value: "true" - 
image: molu8bits/s3bucket_exporter:1.0.2 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 64Mi ---- -# Source: s3-exporter/charts/s3-exporter/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: s3-exporter-digital-ocean - labels: - app.kubernetes.io/controller: digital-ocean - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: s3-exporter - helm.sh/chart: s3-exporter-4.4.0 - namespace: s3-exporter -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: digital-ocean - app.kubernetes.io/name: s3-exporter - app.kubernetes.io/instance: s3-exporter - template: - metadata: - labels: - app.kubernetes.io/controller: digital-ocean - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/name: s3-exporter - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: S3_NAME - value: digital-ocean - - name: S3_ENDPOINT - value: https://nyc3.digitaloceanspaces.com - - name: S3_ACCESS_KEY - valueFrom: - secretKeyRef: - key: AWS_ACCESS_KEY_ID - name: s3-do-home-infra-secret - - name: S3_SECRET_KEY - valueFrom: - secretKeyRef: - key: AWS_SECRET_ACCESS_KEY - name: s3-do-home-infra-secret - - name: S3_REGION - valueFrom: - secretKeyRef: - key: AWS_REGION - name: s3-do-home-infra-secret - - name: LOG_LEVEL - value: info - - name: S3_FORCE_PATH_STYLE - value: "false" - image: molu8bits/s3bucket_exporter:1.0.2 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 64Mi ---- -# Source: s3-exporter/charts/s3-exporter/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: s3-exporter-garage-local - labels: - app.kubernetes.io/controller: garage-local - 
app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: s3-exporter - helm.sh/chart: s3-exporter-4.4.0 - namespace: s3-exporter -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: garage-local - app.kubernetes.io/name: s3-exporter - app.kubernetes.io/instance: s3-exporter - template: - metadata: - labels: - app.kubernetes.io/controller: garage-local - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/name: s3-exporter - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: S3_NAME - value: garage-local - - name: S3_ENDPOINT - value: http://garage-main.garage:3900 - - name: S3_ACCESS_KEY - valueFrom: - secretKeyRef: - key: AWS_ACCESS_KEY_ID - name: s3-garage-secret - - name: S3_SECRET_KEY - valueFrom: - secretKeyRef: - key: AWS_SECRET_ACCESS_KEY - name: s3-garage-secret - - name: S3_REGION - value: us-east-1 - - name: LOG_LEVEL - value: debug - - name: S3_FORCE_PATH_STYLE - value: "true" - image: molu8bits/s3bucket_exporter:1.0.2 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 64Mi ---- -# Source: s3-exporter/charts/s3-exporter/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: s3-exporter-garage-remote - labels: - app.kubernetes.io/controller: garage-remote - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: s3-exporter - helm.sh/chart: s3-exporter-4.4.0 - namespace: s3-exporter -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: garage-remote - app.kubernetes.io/name: s3-exporter - app.kubernetes.io/instance: s3-exporter - template: - metadata: - labels: - 
app.kubernetes.io/controller: garage-remote - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/name: s3-exporter - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: S3_NAME - value: garage-remote - - name: S3_ENDPOINT - value: https://garage-ps10rp.boreal-beaufort.ts.net:3900 - - name: S3_ACCESS_KEY - valueFrom: - secretKeyRef: - key: AWS_ACCESS_KEY_ID - name: s3-garage-secret - - name: S3_SECRET_KEY - valueFrom: - secretKeyRef: - key: AWS_SECRET_ACCESS_KEY - name: s3-garage-secret - - name: S3_REGION - value: us-east-1 - - name: LOG_LEVEL - value: debug - - name: S3_FORCE_PATH_STYLE - value: "true" - image: molu8bits/s3bucket_exporter:1.0.2 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 64Mi ---- -# Source: s3-exporter/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: s3-do-home-infra-secret - namespace: s3-exporter - labels: - app.kubernetes.io/name: s3-do-home-infra-secret - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/part-of: s3-exporter -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/all-access - metadataPolicy: None - property: AWS_ACCESS_KEY_ID - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/all-access - metadataPolicy: None - property: AWS_SECRET_ACCESS_KEY - - secretKey: AWS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/prometheus-exporter - metadataPolicy: None - property: AWS_REGION ---- -# Source: s3-exporter/templates/external-secret.yaml -apiVersion: 
external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: s3-ceph-directus-secret - namespace: s3-exporter - labels: - app.kubernetes.io/name: s3-ceph-directus-secret - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/part-of: s3-exporter -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/directus/ceph - metadataPolicy: None - property: AWS_ACCESS_KEY_ID - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/directus/ceph - metadataPolicy: None - property: AWS_SECRET_ACCESS_KEY - - secretKey: BUCKET_HOST - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/directus/ceph - metadataPolicy: None - property: BUCKET_HOST ---- -# Source: s3-exporter/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: s3-garage-secret - namespace: s3-exporter - labels: - app.kubernetes.io/name: s3-garage-secret - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/part-of: s3-exporter -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/s3-exporter - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/s3-exporter - metadataPolicy: None - property: ACCESS_SECRET_KEY ---- -# Source: s3-exporter/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: s3-exporter-digital-ocean - namespace: s3-exporter - labels: - app.kubernetes.io/name: s3-exporter-digital-ocean - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/part-of: s3-exporter -spec: - selector: 
- matchLabels: - app.kubernetes.io/name: s3-exporter - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/service: s3-exporter-digital-ocean - endpoints: - - port: metrics - interval: 5m - scrapeTimeout: 120s - path: /metrics ---- -# Source: s3-exporter/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: s3-exporter-ceph-directus - namespace: s3-exporter - labels: - app.kubernetes.io/name: s3-exporter-ceph-directus - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/part-of: s3-exporter -spec: - selector: - matchLabels: - app.kubernetes.io/name: s3-exporter - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/service: s3-exporter-ceph-directus - endpoints: - - port: metrics - interval: 5m - scrapeTimeout: 120s - path: /metrics ---- -# Source: s3-exporter/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: s3-exporter-garage-local - namespace: s3-exporter - labels: - app.kubernetes.io/name: s3-exporter-garage-local - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/part-of: s3-exporter -spec: - selector: - matchLabels: - app.kubernetes.io/name: s3-exporter - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/service: s3-exporter-garage-local - endpoints: - - port: metrics - interval: 5m - scrapeTimeout: 120s - path: /metrics ---- -# Source: s3-exporter/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: s3-exporter-garage-remote - namespace: s3-exporter - labels: - app.kubernetes.io/name: s3-exporter-garage-remote - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/part-of: s3-exporter -spec: - selector: - matchLabels: - app.kubernetes.io/name: s3-exporter - app.kubernetes.io/instance: s3-exporter - app.kubernetes.io/service: s3-exporter-garage-remote - endpoints: - - port: metrics - interval: 5m - scrapeTimeout: 120s - path: /metrics 
diff --git a/clusters/cl01tl/manifests/searxng/searxng.yaml b/clusters/cl01tl/manifests/searxng/searxng.yaml deleted file mode 100644 index 731f2d2df..000000000 --- a/clusters/cl01tl/manifests/searxng/searxng.yaml +++ /dev/null 
@@ -1,435 +0,0 @@ ---- -# Source: searxng/charts/searxng/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: searxng-api-data - labels: - app.kubernetes.io/instance: searxng - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: searxng - helm.sh/chart: searxng-4.4.0 - namespace: searxng -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: searxng/charts/searxng/templates/common.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: searxng-browser-data - labels: - app.kubernetes.io/instance: searxng - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: searxng - helm.sh/chart: searxng-4.4.0 - namespace: searxng -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: searxng/charts/searxng/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: searxng-api - labels: - app.kubernetes.io/instance: searxng - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: searxng - app.kubernetes.io/service: searxng-api - helm.sh/chart: searxng-4.4.0 - namespace: searxng -spec: - type: ClusterIP - ports: - - port: 8080 - targetPort: 8080 - protocol: TCP - name: mail - selector: - app.kubernetes.io/controller: api - app.kubernetes.io/instance: searxng - app.kubernetes.io/name: searxng ---- -# Source: searxng/charts/searxng/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: searxng-browser - labels: - app.kubernetes.io/instance: searxng - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: searxng - app.kubernetes.io/service: searxng-browser - helm.sh/chart: searxng-4.4.0 - namespace: searxng -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8080 - protocol: TCP - name: mail - selector: - app.kubernetes.io/controller: browser - app.kubernetes.io/instance: searxng - app.kubernetes.io/name: 
searxng ---- -# Source: searxng/charts/searxng/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: searxng-api - labels: - app.kubernetes.io/controller: api - app.kubernetes.io/instance: searxng - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: searxng - helm.sh/chart: searxng-4.4.0 - namespace: searxng -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: api - app.kubernetes.io/name: searxng - app.kubernetes.io/instance: searxng - template: - metadata: - labels: - app.kubernetes.io/controller: api - app.kubernetes.io/instance: searxng - app.kubernetes.io/name: searxng - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: SEARXNG_BASE_URL - value: http://searxng-api.searxng:8080 - - name: SEARXNG_QUERY_URL - value: http://searxng-api.searxng:8080/search?q= - - name: SEARXNG_HOSTNAME - value: searxng-api.searxng - - name: UWSGI_WORKERS - value: "4" - - name: UWSGI_THREADS - value: "4" - - name: ENABLE_RAG_WEB_SEARCH - value: "true" - - name: RAG_WEB_SEARCH_ENGINE - value: searxng - - name: RAG_WEB_SEARCH_RESULT_COUNT - value: "3" - - name: RAG_WEB_SEARCH_CONCURRENT_REQUESTS - value: "10" - image: searxng/searxng:latest@sha256:09dfc123bd7c118ed086471b42d17ed57964827beffeb8d7f012dae3d2608545 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /etc/searxng - name: api-data - - mountPath: /etc/searxng/settings.yml - mountPropagation: None - name: config - readOnly: true - subPath: settings.yml - - mountPath: /etc/searxng/limiter.toml - mountPropagation: None - name: config - readOnly: true - subPath: limiter.toml - volumes: - - name: api-data - persistentVolumeClaim: - claimName: searxng-api-data - - name: config - 
secret: - secretName: searxng-api-config-secret ---- -# Source: searxng/charts/searxng/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: searxng-browser - labels: - app.kubernetes.io/controller: browser - app.kubernetes.io/instance: searxng - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: searxng - helm.sh/chart: searxng-4.4.0 - namespace: searxng -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: browser - app.kubernetes.io/name: searxng - app.kubernetes.io/instance: searxng - template: - metadata: - labels: - app.kubernetes.io/controller: browser - app.kubernetes.io/instance: searxng - app.kubernetes.io/name: searxng - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: SEARXNG_BASE_URL - value: https://searxng.alexlebens.net/ - - name: SEARXNG_QUERY_URL - value: https://searxng.alexlebens.net/search?q= - - name: SEARXNG_HOSTNAME - value: searxng.alexlebens.net - - name: SEARXNG_REDIS_URL - value: redis://redis-replication-searxng-master.searxng:6379/0 - - name: UWSGI_WORKERS - value: "4" - - name: UWSGI_THREADS - value: "4" - image: searxng/searxng:latest@sha256:09dfc123bd7c118ed086471b42d17ed57964827beffeb8d7f012dae3d2608545 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /etc/searxng - name: browser-data - volumes: - - name: browser-data - persistentVolumeClaim: - claimName: searxng-browser-data ---- -# Source: searxng/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: searxng-api-config-secret - namespace: searxng - labels: - app.kubernetes.io/name: searxng-api-config-secret - app.kubernetes.io/instance: searxng - 
app.kubernetes.io/part-of: searxng -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: settings.yml - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/searxng/api/config - metadataPolicy: None - property: settings.yml - - secretKey: limiter.toml - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/searxng/api/config - metadataPolicy: None - property: limiter.toml ---- -# Source: searxng/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: searxng-browser-data-backup-secret - namespace: searxng - labels: - app.kubernetes.io/name: searxng-browser-data-backup-secret - app.kubernetes.io/instance: searxng - app.kubernetes.io/part-of: searxng -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/searxng/searxng-browser-data" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# 
Source: searxng/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-searxng - namespace: searxng - labels: - app.kubernetes.io/name: http-route-searxng - app.kubernetes.io/instance: searxng - app.kubernetes.io/part-of: searxng -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - searxng.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: searxng-browser - port: 80 - weight: 100 ---- -# Source: searxng/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-searxng - namespace: searxng - labels: - app.kubernetes.io/name: redis-replication-searxng - app.kubernetes.io/instance: searxng - app.kubernetes.io/part-of: searxng -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.0.3 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi - redisExporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.48.0 ---- -# Source: searxng/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: searxng-browser-data-backup-source - namespace: searxng - labels: - app.kubernetes.io/name: searxng-browser-data-backup-source - app.kubernetes.io/instance: searxng - app.kubernetes.io/part-of: searxng -spec: - sourcePVC: searxng-browser-data - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: searxng-browser-data-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: 
ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: searxng/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: redis-replication-searxng - namespace: searxng - labels: - app.kubernetes.io/name: redis-replication-searxng - app.kubernetes.io/instance: searxng - app.kubernetes.io/part-of: searxng - redis-operator: "true" - env: production -spec: - selector: - matchLabels: - redis_setup_type: replication - endpoints: - - port: redis-exporter - interval: 30s - scrapeTimeout: 10s diff --git a/clusters/cl01tl/manifests/shelly-plug/shelly-plug.yaml b/clusters/cl01tl/manifests/shelly-plug/shelly-plug.yaml deleted file mode 100644 index e22c7be1b..000000000 --- a/clusters/cl01tl/manifests/shelly-plug/shelly-plug.yaml +++ /dev/null 
@@ -1,185 +0,0 @@ ---- -# Source: shelly-plug/charts/shelly-plug/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: shelly-plug - labels: - app.kubernetes.io/instance: shelly-plug - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: shelly-plug - helm.sh/chart: shelly-plug-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: shelly-plug -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "1Gi" - storageClassName: "ceph-block" ---- -# Source: shelly-plug/charts/shelly-plug/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: shelly-plug - labels: - app.kubernetes.io/instance: shelly-plug - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: shelly-plug - app.kubernetes.io/service: shelly-plug - helm.sh/chart: shelly-plug-4.4.0 - namespace: shelly-plug -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 80 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: shelly-plug - app.kubernetes.io/name: shelly-plug ---- -# Source: shelly-plug/charts/shelly-plug/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: shelly-plug - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: shelly-plug - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: shelly-plug - helm.sh/chart: shelly-plug-4.4.0 - namespace: shelly-plug -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: shelly-plug - app.kubernetes.io/instance: shelly-plug - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: shelly-plug - app.kubernetes.io/name: shelly-plug - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - 
dnsPolicy: ClusterFirst - initContainers: - - command: - - /bin/sh - - -ec - - | - cd /var/www/html - if [ -d ".git" ]; then - echo "Git repository found. Pulling latest changes..." - git pull - else - echo "Not a git repository. Initializing ..." - git init - git remote add origin https://github.com/geerlingguy/shelly-plug-prometheus.git - git fetch origin - git checkout origin/master -ft - fi - image: alpine/git:latest - imagePullPolicy: IfNotPresent - name: init-fetch-repo - resources: - requests: - cpu: 10m - memory: 128Mi - securityContext: - runAsUser: 0 - volumeMounts: - - mountPath: /var/www/html - name: script - containers: - - env: - - name: SHELLY_HOSTNAME - value: it05sp.alexlebens.net - - name: SHELLY_GENERATION - value: "2" - envFrom: - - secretRef: - name: shelly-plug-config-secret - image: php:8.4.15-apache-bookworm - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 64Mi - volumeMounts: - - mountPath: /var/www/html - name: script - volumes: - - name: script - persistentVolumeClaim: - claimName: shelly-plug ---- -# Source: shelly-plug/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: shelly-plug-config-secret - namespace: shelly-plug - labels: - app.kubernetes.io/name: shelly-plug-config-secret - app.kubernetes.io/instance: shelly-plug - app.kubernetes.io/part-of: shelly-plug -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: SHELLY_HTTP_USERNAME - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /shelly-plug/auth/it05sp - metadataPolicy: None - property: SHELLY_HTTP_USERNAME - - secretKey: SHELLY_HTTP_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /shelly-plug/auth/it05sp - metadataPolicy: None - property: SHELLY_HTTP_PASSWORD ---- -# Source: shelly-plug/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - 
name: shelly-plug - namespace: shelly-plug - labels: - app.kubernetes.io/name: shelly-plug - app.kubernetes.io/instance: shelly-plug - app.kubernetes.io/part-of: shelly-plug -spec: - selector: - matchLabels: - app.kubernetes.io/name: shelly-plug - app.kubernetes.io/instance: shelly-plug - endpoints: - - port: metrics - interval: 30s - scrapeTimeout: 10s - path: /metrics diff --git a/clusters/cl01tl/manifests/site-documentation/site-documentation.yaml b/clusters/cl01tl/manifests/site-documentation/site-documentation.yaml deleted file mode 100644 index 58ede33d3..000000000 --- a/clusters/cl01tl/manifests/site-documentation/site-documentation.yaml +++ /dev/null 
@@ -1,153 +0,0 @@ ---- -# Source: site-documentation/charts/site-documentation/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: site-documentation - labels: - app.kubernetes.io/instance: site-documentation - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: site-documentation - app.kubernetes.io/service: site-documentation - helm.sh/chart: site-documentation-4.4.0 - namespace: site-documentation -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 4321 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: site-documentation - app.kubernetes.io/name: site-documentation ---- -# Source: site-documentation/charts/cloudflared-site/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: site-documentation-cloudflared-site - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: site-documentation - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cloudflared-site - app.kubernetes.io/version: 2025.10.0 - helm.sh/chart: cloudflared-site-1.23.1 - namespace: site-documentation -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: cloudflared-site - app.kubernetes.io/instance: site-documentation - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: site-documentation - app.kubernetes.io/name: cloudflared-site - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - tunnel - - --protocol - - http2 - - --no-autoupdate - - run - - --token - - $(CF_MANAGED_TUNNEL_TOKEN) - env: - - name: CF_MANAGED_TUNNEL_TOKEN - valueFrom: - secretKeyRef: - key: cf-tunnel-token - name: site-documentation-cloudflared-api-secret - image: 
cloudflare/cloudflared:2025.11.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: site-documentation/charts/site-documentation/templates/common.yaml ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: site-documentation - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: site-documentation - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: site-documentation - helm.sh/chart: site-documentation-4.4.0 - namespace: site-documentation -spec: - revisionHistoryLimit: 3 - replicas: 3 - strategy: - type: RollingUpdate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: site-documentation - app.kubernetes.io/instance: site-documentation - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: site-documentation - app.kubernetes.io/name: site-documentation - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - image: harbor.alexlebens.net/images/site-documentation:0.0.4 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: site-documentation/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: site-documentation-cloudflared-api-secret - namespace: site-documentation - labels: - app.kubernetes.io/name: site-documentation-cloudflared-api-secret - app.kubernetes.io/instance: site-documentation - app.kubernetes.io/part-of: site-documentation -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: cf-tunnel-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/tunnels/site-documentation - metadataPolicy: None - property: token 
diff --git a/clusters/cl01tl/manifests/site-profile/site-profile.yaml b/clusters/cl01tl/manifests/site-profile/site-profile.yaml deleted file mode 100644 index 4bffa7358..000000000 --- a/clusters/cl01tl/manifests/site-profile/site-profile.yaml +++ /dev/null 
@@ -1,153 +0,0 @@ ---- -# Source: site-profile/charts/site-profile/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: site-profile - labels: - app.kubernetes.io/instance: site-profile - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: site-profile - app.kubernetes.io/service: site-profile - helm.sh/chart: site-profile-4.4.0 - namespace: site-profile -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 4321 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: site-profile - app.kubernetes.io/name: site-profile ---- -# Source: site-profile/charts/cloudflared-site/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: site-profile-cloudflared-site - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: site-profile - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cloudflared-site - app.kubernetes.io/version: 2025.10.0 - helm.sh/chart: cloudflared-site-1.23.1 - namespace: site-profile -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: cloudflared-site - app.kubernetes.io/instance: site-profile - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: site-profile - app.kubernetes.io/name: cloudflared-site - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - tunnel - - --protocol - - http2 - - --no-autoupdate - - run - - --token - - $(CF_MANAGED_TUNNEL_TOKEN) - env: - - name: CF_MANAGED_TUNNEL_TOKEN - valueFrom: - secretKeyRef: - key: cf-tunnel-token - name: site-profile-cloudflared-api-secret - image: cloudflare/cloudflared:2025.11.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - 
cpu: 10m - memory: 128Mi ---- -# Source: site-profile/charts/site-profile/templates/common.yaml ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: site-profile - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: site-profile - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: site-profile - helm.sh/chart: site-profile-4.4.0 - namespace: site-profile -spec: - revisionHistoryLimit: 3 - replicas: 3 - strategy: - type: RollingUpdate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: site-profile - app.kubernetes.io/instance: site-profile - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: site-profile - app.kubernetes.io/name: site-profile - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - image: harbor.alexlebens.net/images/site-profile:2.1.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: site-profile/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: site-profile-cloudflared-api-secret - namespace: site-profile - labels: - app.kubernetes.io/name: site-profile-cloudflared-api-secret - app.kubernetes.io/instance: site-profile - app.kubernetes.io/part-of: site-profile -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: cf-tunnel-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/tunnels/site-profile - metadataPolicy: None - property: token diff --git a/clusters/cl01tl/manifests/slskd/slskd.yaml b/clusters/cl01tl/manifests/slskd/slskd.yaml deleted file mode 100644 index ed75a0450..000000000 --- a/clusters/cl01tl/manifests/slskd/slskd.yaml +++ /dev/null 
@@ -1,396 +0,0 @@ ---- -# Source: slskd/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: slskd - labels: - app.kubernetes.io/name: slskd - app.kubernetes.io/instance: slskd - app.kubernetes.io/part-of: slskd - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged ---- -# Source: slskd/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: slskd-nfs-storage - namespace: slskd - labels: - app.kubernetes.io/name: slskd-nfs-storage - app.kubernetes.io/instance: slskd - app.kubernetes.io/part-of: slskd -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: slskd/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: slskd-nfs-storage - namespace: slskd - labels: - app.kubernetes.io/name: slskd-nfs-storage - app.kubernetes.io/instance: slskd - app.kubernetes.io/part-of: slskd -spec: - volumeName: slskd-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: slskd/charts/slskd/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: slskd - labels: - app.kubernetes.io/instance: slskd - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: slskd - app.kubernetes.io/service: slskd - helm.sh/chart: slskd-4.4.0 - namespace: slskd -spec: - type: ClusterIP - ports: - - port: 5030 - targetPort: 5030 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: slskd - app.kubernetes.io/name: slskd ---- -# Source: slskd/charts/slskd/templates/common.yaml ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: 
slskd-main - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: slskd - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: slskd - helm.sh/chart: slskd-4.4.0 - namespace: slskd -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: slskd - app.kubernetes.io/instance: slskd - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: slskd - app.kubernetes.io/name: slskd - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - initContainers: - - args: - - -ec - - | - sysctl -w net.ipv4.ip_forward=1; - sysctl -w net.ipv6.conf.all.disable_ipv6=1 - command: - - /bin/sh - image: busybox:1.37.0 - imagePullPolicy: IfNotPresent - name: init-sysctl - resources: - requests: - cpu: 10m - memory: 128Mi - securityContext: - privileged: true - containers: - - env: - - name: VPN_SERVICE_PROVIDER - value: protonvpn - - name: VPN_TYPE - value: wireguard - - name: WIREGUARD_PRIVATE_KEY - valueFrom: - secretKeyRef: - key: private-key - name: slskd-wireguard-conf - - name: VPN_PORT_FORWARDING - value: "on" - - name: PORT_FORWARD_ONLY - value: "on" - - name: FIREWALL_OUTBOUND_SUBNETS - value: 192.168.1.0/24,10.244.0.0/16 - - name: FIREWALL_INPUT_PORTS - value: 5030,50300 - - name: DOT - value: "off" - image: ghcr.io/qdm12/gluetun:v3.40.3@sha256:ef4a44819a60469682c7b5e69183e6401171891feaa60186652d292c59e41b30 - imagePullPolicy: IfNotPresent - name: gluetun - resources: - limits: - devic.es/tun: "1" - requests: - cpu: 10m - devic.es/tun: "1" - memory: 128Mi - securityContext: - capabilities: - add: - - NET_ADMIN - - SYS_MODULE - privileged: true - - env: - - name: TZ - value: US/Central - - name: PUID - value: "1000" - - name: PGID - value: "1000" - - name: SLSKD_UMASK - value: 
"0" - image: slskd/slskd:0.24.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 100m - memory: 512Mi - volumeMounts: - - mountPath: /mnt/store - name: data - - mountPath: /app/slskd.yml - mountPropagation: None - name: slskd-config - readOnly: true - subPath: slskd.yml - volumes: - - name: data - persistentVolumeClaim: - claimName: slskd-nfs-storage - - name: slskd-config - secret: - secretName: slskd-config-secret ---- -# Source: slskd/charts/slskd/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: slskd-soularr - labels: - app.kubernetes.io/controller: soularr - app.kubernetes.io/instance: slskd - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: slskd - helm.sh/chart: slskd-4.4.0 - namespace: slskd -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: soularr - app.kubernetes.io/name: slskd - app.kubernetes.io/instance: slskd - template: - metadata: - labels: - app.kubernetes.io/controller: soularr - app.kubernetes.io/instance: slskd - app.kubernetes.io/name: slskd - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: PUID - value: "1000" - - name: PGID - value: "1000" - - name: SCRIPT_INTERVAL - value: "300" - image: mrusse08/soularr:latest@sha256:71a0b9e5a522d76bb0ffdb6d720d681fde22417b3a5acc9ecae61c89d05d8afc - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /mnt/store - name: data - - mountPath: /data/config.ini - mountPropagation: None - name: soularr-config - readOnly: true - subPath: config.ini - volumes: - - name: data - persistentVolumeClaim: - claimName: 
slskd-nfs-storage - - name: soularr-config - secret: - secretName: soularr-config-secret ---- -# Source: slskd/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: slskd-config-secret - namespace: slskd - labels: - app.kubernetes.io/name: slskd-config-secret - app.kubernetes.io/instance: slskd - app.kubernetes.io/part-of: slskd -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: slskd.yml - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/slskd/config - metadataPolicy: None - property: slskd.yml ---- -# Source: slskd/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: soularr-config-secret - namespace: slskd - labels: - app.kubernetes.io/name: soularr-config-secret - app.kubernetes.io/instance: slskd - app.kubernetes.io/part-of: slskd -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: config.ini - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/slskd/soularr - metadataPolicy: None - property: config.ini ---- -# Source: slskd/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: slskd-wireguard-conf - namespace: slskd - labels: - app.kubernetes.io/name: slskd-wireguard-conf - app.kubernetes.io/instance: slskd - app.kubernetes.io/part-of: slskd -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: private-key - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /protonvpn/conf/cl01tl - metadataPolicy: None - property: private-key ---- -# Source: slskd/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-slskd - namespace: slskd - labels: - app.kubernetes.io/name: http-route-slskd - app.kubernetes.io/instance: slskd - app.kubernetes.io/part-of: slskd 
-spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - slskd.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: slskd - port: 5030 - weight: 100 ---- -# Source: slskd/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: slskd - namespace: slskd - labels: - app.kubernetes.io/name: slskd - app.kubernetes.io/instance: slskd - app.kubernetes.io/part-of: slskd -spec: - selector: - matchLabels: - app.kubernetes.io/name: slskd - app.kubernetes.io/instance: slskd - endpoints: - - port: http - interval: 3m - scrapeTimeout: 1m - path: /metrics diff --git a/clusters/cl01tl/manifests/snapshot-controller/snapshot-controller.yaml b/clusters/cl01tl/manifests/snapshot-controller/snapshot-controller.yaml deleted file mode 100644 index 7cda60963..000000000 --- a/clusters/cl01tl/manifests/snapshot-controller/snapshot-controller.yaml +++ /dev/null 
@@ -1,2478 +0,0 @@ ---- -# Source: snapshot-controller/charts/snapshot-controller/crds/groupsnapshot.storage.k8s.io_volumegroupsnapshotclasses.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/1337" - controller-gen.kubebuilder.io/version: v0.15.0 - name: volumegroupsnapshotclasses.groupsnapshot.storage.k8s.io -spec: - group: groupsnapshot.storage.k8s.io - names: - kind: VolumeGroupSnapshotClass - listKind: VolumeGroupSnapshotClassList - plural: volumegroupsnapshotclasses - shortNames: - - vgsclass - - vgsclasses - singular: volumegroupsnapshotclass - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .driver - name: Driver - type: string - - description: Determines whether a VolumeGroupSnapshotContent created through - the VolumeGroupSnapshotClass should be deleted when its bound VolumeGroupSnapshot - is deleted. - jsonPath: .deletionPolicy - name: DeletionPolicy - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - VolumeGroupSnapshotClass specifies parameters that a underlying storage system - uses when creating a volume group snapshot. A specific VolumeGroupSnapshotClass - is used by specifying its name in a VolumeGroupSnapshot object. - VolumeGroupSnapshotClasses are non-namespaced. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - deletionPolicy: - description: |- - DeletionPolicy determines whether a VolumeGroupSnapshotContent created - through the VolumeGroupSnapshotClass should be deleted when its bound - VolumeGroupSnapshot is deleted. - Supported values are "Retain" and "Delete". - "Retain" means that the VolumeGroupSnapshotContent and its physical group - snapshot on underlying storage system are kept. - "Delete" means that the VolumeGroupSnapshotContent and its physical group - snapshot on underlying storage system are deleted. - Required. - enum: - - Delete - - Retain - type: string - driver: - description: |- - Driver is the name of the storage driver expected to handle this VolumeGroupSnapshotClass. - Required. - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - parameters: - additionalProperties: - type: string - description: |- - Parameters is a key-value map with storage driver specific parameters for - creating group snapshots. - These values are opaque to Kubernetes and are passed directly to the driver. - type: object - required: - - deletionPolicy - - driver - type: object - served: true - storage: false - subresources: {} - - additionalPrinterColumns: - - jsonPath: .driver - name: Driver - type: string - - description: Determines whether a VolumeGroupSnapshotContent created through - the VolumeGroupSnapshotClass should be deleted when its bound VolumeGroupSnapshot - is deleted. 
- jsonPath: .deletionPolicy - name: DeletionPolicy - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta2 - schema: - openAPIV3Schema: - description: |- - VolumeGroupSnapshotClass specifies parameters that a underlying storage system - uses when creating a volume group snapshot. A specific VolumeGroupSnapshotClass - is used by specifying its name in a VolumeGroupSnapshot object. - VolumeGroupSnapshotClasses are non-namespaced. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - deletionPolicy: - description: |- - DeletionPolicy determines whether a VolumeGroupSnapshotContent created - through the VolumeGroupSnapshotClass should be deleted when its bound - VolumeGroupSnapshot is deleted. - Supported values are "Retain" and "Delete". - "Retain" means that the VolumeGroupSnapshotContent and its physical group - snapshot on underlying storage system are kept. - "Delete" means that the VolumeGroupSnapshotContent and its physical group - snapshot on underlying storage system are deleted. - Required. - enum: - - Delete - - Retain - type: string - x-kubernetes-validations: - - message: deletionPolicy is immutable once set - rule: self == oldSelf - driver: - description: |- - Driver is the name of the storage driver expected to handle this VolumeGroupSnapshotClass. - Required. - type: string - x-kubernetes-validations: - - message: driver is immutable once set - rule: self == oldSelf - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - parameters: - additionalProperties: - type: string - description: |- - Parameters is a key-value map with storage driver specific parameters for - creating group snapshots. - These values are opaque to Kubernetes and are passed directly to the driver. - type: object - x-kubernetes-validations: - - message: parameters are immutable once set - rule: self == oldSelf - required: - - deletionPolicy - - driver - type: object - served: true - storage: true - subresources: {} - ---- -# Source: snapshot-controller/charts/snapshot-controller/crds/groupsnapshot.storage.k8s.io_volumegroupsnapshotcontents.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/1337" - controller-gen.kubebuilder.io/version: v0.15.0 - name: volumegroupsnapshotcontents.groupsnapshot.storage.k8s.io -spec: - group: groupsnapshot.storage.k8s.io - names: - kind: VolumeGroupSnapshotContent - listKind: VolumeGroupSnapshotContentList - plural: volumegroupsnapshotcontents - shortNames: - - vgsc - - vgscs - singular: volumegroupsnapshotcontent - scope: Cluster - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1"] - clientConfig: - service: - namespace: default - name: snapshot-conversion-webhook-service - path: /convert - versions: - - additionalPrinterColumns: - - description: Indicates if all the individual snapshots in the group are ready - to be used to restore a group of volumes. - jsonPath: .status.readyToUse - name: ReadyToUse - type: boolean - - description: Determines whether this VolumeGroupSnapshotContent and its physical - group snapshot on the underlying storage system should be deleted when its - bound VolumeGroupSnapshot is deleted. 
- jsonPath: .spec.deletionPolicy - name: DeletionPolicy - type: string - - description: Name of the CSI driver used to create the physical group snapshot - on the underlying storage system. - jsonPath: .spec.driver - name: Driver - type: string - - description: Name of the VolumeGroupSnapshotClass from which this group snapshot - was (or will be) created. - jsonPath: .spec.volumeGroupSnapshotClassName - name: VolumeGroupSnapshotClass - type: string - - description: Namespace of the VolumeGroupSnapshot object to which this VolumeGroupSnapshotContent - object is bound. - jsonPath: .spec.volumeGroupSnapshotRef.namespace - name: VolumeGroupSnapshotNamespace - type: string - - description: Name of the VolumeGroupSnapshot object to which this VolumeGroupSnapshotContent - object is bound. - jsonPath: .spec.volumeGroupSnapshotRef.name - name: VolumeGroupSnapshot - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - VolumeGroupSnapshotContent represents the actual "on-disk" group snapshot object - in the underlying storage system - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Spec defines properties of a VolumeGroupSnapshotContent created by the underlying storage system. - Required. - properties: - deletionPolicy: - description: |- - DeletionPolicy determines whether this VolumeGroupSnapshotContent and the - physical group snapshot on the underlying storage system should be deleted - when the bound VolumeGroupSnapshot is deleted. - Supported values are "Retain" and "Delete". - "Retain" means that the VolumeGroupSnapshotContent and its physical group - snapshot on underlying storage system are kept. - "Delete" means that the VolumeGroupSnapshotContent and its physical group - snapshot on underlying storage system are deleted. - For dynamically provisioned group snapshots, this field will automatically - be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field - defined in the corresponding VolumeGroupSnapshotClass. - For pre-existing snapshots, users MUST specify this field when creating the - VolumeGroupSnapshotContent object. - Required. - enum: - - Delete - - Retain - type: string - driver: - description: |- - Driver is the name of the CSI driver used to create the physical group snapshot on - the underlying storage system. - This MUST be the same as the name returned by the CSI GetPluginName() call for - that driver. - Required. - type: string - source: - description: |- - Source specifies whether the snapshot is (or should be) dynamically provisioned - or already exists, and just requires a Kubernetes object representation. - This field is immutable after creation. - Required. 
- properties: - groupSnapshotHandles: - description: |- - GroupSnapshotHandles specifies the CSI "group_snapshot_id" of a pre-existing - group snapshot and a list of CSI "snapshot_id" of pre-existing snapshots - on the underlying storage system for which a Kubernetes object - representation was (or should be) created. - This field is immutable. - properties: - volumeGroupSnapshotHandle: - description: |- - VolumeGroupSnapshotHandle specifies the CSI "group_snapshot_id" of a pre-existing - group snapshot on the underlying storage system for which a Kubernetes object - representation was (or should be) created. - This field is immutable. - Required. - type: string - volumeSnapshotHandles: - description: |- - VolumeSnapshotHandles is a list of CSI "snapshot_id" of pre-existing - snapshots on the underlying storage system for which Kubernetes objects - representation were (or should be) created. - This field is immutable. - Required. - items: - type: string - type: array - required: - - volumeGroupSnapshotHandle - - volumeSnapshotHandles - type: object - x-kubernetes-validations: - - message: groupSnapshotHandles is immutable - rule: self == oldSelf - volumeHandles: - description: |- - VolumeHandles is a list of volume handles on the backend to be snapshotted - together. It is specified for dynamic provisioning of the VolumeGroupSnapshot. - This field is immutable. 
- items: - type: string - type: array - x-kubernetes-validations: - - message: volumeHandles is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: volumeHandles is required once set - rule: '!has(oldSelf.volumeHandles) || has(self.volumeHandles)' - - message: groupSnapshotHandles is required once set - rule: '!has(oldSelf.groupSnapshotHandles) || has(self.groupSnapshotHandles)' - - message: exactly one of volumeHandles and groupSnapshotHandles must - be set - rule: (has(self.volumeHandles) && !has(self.groupSnapshotHandles)) - || (!has(self.volumeHandles) && has(self.groupSnapshotHandles)) - volumeGroupSnapshotClassName: - description: |- - VolumeGroupSnapshotClassName is the name of the VolumeGroupSnapshotClass from - which this group snapshot was (or will be) created. - Note that after provisioning, the VolumeGroupSnapshotClass may be deleted or - recreated with different set of values, and as such, should not be referenced - post-snapshot creation. - For dynamic provisioning, this field must be set. - This field may be unset for pre-provisioned snapshots. - type: string - volumeGroupSnapshotRef: - description: |- - VolumeGroupSnapshotRef specifies the VolumeGroupSnapshot object to which this - VolumeGroupSnapshotContent object is bound. - VolumeGroupSnapshot.Spec.VolumeGroupSnapshotContentName field must reference to - this VolumeGroupSnapshotContent's name for the bidirectional binding to be valid. - For a pre-existing VolumeGroupSnapshotContent object, name and namespace of the - VolumeGroupSnapshot object MUST be provided for binding to happen. - This field is immutable after creation. - Required. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
- For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: both volumeGroupSnapshotRef.name and volumeGroupSnapshotRef.namespace - must be set - rule: has(self.name) && has(self.__namespace__) - required: - - deletionPolicy - - driver - - source - - volumeGroupSnapshotRef - type: object - status: - description: status represents the current information of a group snapshot. - properties: - creationTime: - description: |- - CreationTime is the timestamp when the point-in-time group snapshot is taken - by the underlying storage system. 
- If not specified, it indicates the creation time is unknown. - If not specified, it means the readiness of a group snapshot is unknown. - The format of this field is a Unix nanoseconds time encoded as an int64. - On Unix, the command date +%s%N returns the current time in nanoseconds - since 1970-01-01 00:00:00 UTC. - This field is the source for the CreationTime field in VolumeGroupSnapshotStatus - format: date-time - type: string - error: - description: |- - Error is the last observed error during group snapshot creation, if any. - Upon success after retry, this error field will be cleared. - properties: - message: - description: |- - message is a string detailing the encountered error during snapshot - creation if specified. - NOTE: message may be logged, and it should not contain sensitive - information. - type: string - time: - description: time is the timestamp when the error was encountered. - format: date-time - type: string - type: object - readyToUse: - description: |- - ReadyToUse indicates if all the individual snapshots in the group are ready to be - used to restore a group of volumes. - ReadyToUse becomes true when ReadyToUse of all individual snapshots become true. - type: boolean - volumeGroupSnapshotHandle: - description: |- - VolumeGroupSnapshotHandle is a unique id returned by the CSI driver - to identify the VolumeGroupSnapshot on the storage system. - If a storage system does not provide such an id, the - CSI driver can choose to return the VolumeGroupSnapshot name. - type: string - volumeSnapshotHandlePairList: - description: |- - VolumeSnapshotHandlePairList is a list of CSI "volume_id" and "snapshot_id" - pair returned by the CSI driver to identify snapshots and their source volumes - on the storage system. 
- items: - description: VolumeSnapshotHandlePair defines a pair of a source - volume handle and a snapshot handle - properties: - snapshotHandle: - description: |- - SnapshotHandle is a unique id returned by the CSI driver to identify a volume - snapshot on the storage system - Required. - type: string - volumeHandle: - description: |- - VolumeHandle is a unique id returned by the CSI driver to identify a volume - on the storage system - Required. - type: string - required: - - snapshotHandle - - volumeHandle - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: Indicates if all the individual snapshots in the group are ready - to be used to restore a group of volumes. - jsonPath: .status.readyToUse - name: ReadyToUse - type: boolean - - description: Determines whether this VolumeGroupSnapshotContent and its physical - group snapshot on the underlying storage system should be deleted when its - bound VolumeGroupSnapshot is deleted. - jsonPath: .spec.deletionPolicy - name: DeletionPolicy - type: string - - description: Name of the CSI driver used to create the physical group snapshot - on the underlying storage system. - jsonPath: .spec.driver - name: Driver - type: string - - description: Name of the VolumeGroupSnapshotClass from which this group snapshot - was (or will be) created. - jsonPath: .spec.volumeGroupSnapshotClassName - name: VolumeGroupSnapshotClass - type: string - - description: Namespace of the VolumeGroupSnapshot object to which this VolumeGroupSnapshotContent - object is bound. - jsonPath: .spec.volumeGroupSnapshotRef.namespace - name: VolumeGroupSnapshotNamespace - type: string - - description: Name of the VolumeGroupSnapshot object to which this VolumeGroupSnapshotContent - object is bound. 
- jsonPath: .spec.volumeGroupSnapshotRef.name - name: VolumeGroupSnapshot - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta2 - schema: - openAPIV3Schema: - description: |- - VolumeGroupSnapshotContent represents the actual "on-disk" group snapshot object - in the underlying storage system - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Spec defines properties of a VolumeGroupSnapshotContent created by the underlying storage system. - Required. - properties: - deletionPolicy: - description: |- - DeletionPolicy determines whether this VolumeGroupSnapshotContent and the - physical group snapshot on the underlying storage system should be deleted - when the bound VolumeGroupSnapshot is deleted. - Supported values are "Retain" and "Delete". - "Retain" means that the VolumeGroupSnapshotContent and its physical group - snapshot on underlying storage system are kept. - "Delete" means that the VolumeGroupSnapshotContent and its physical group - snapshot on underlying storage system are deleted. - For dynamically provisioned group snapshots, this field will automatically - be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field - defined in the corresponding VolumeGroupSnapshotClass. 
- For pre-existing snapshots, users MUST specify this field when creating the - VolumeGroupSnapshotContent object. - Required. - enum: - - Delete - - Retain - type: string - driver: - description: |- - Driver is the name of the CSI driver used to create the physical group snapshot on - the underlying storage system. - This MUST be the same as the name returned by the CSI GetPluginName() call for - that driver. - Required. - type: string - x-kubernetes-validations: - - message: driver is immutable once set - rule: self == oldSelf - source: - description: |- - Source specifies whether the snapshot is (or should be) dynamically provisioned - or already exists, and just requires a Kubernetes object representation. - This field is immutable after creation. - Required. - properties: - groupSnapshotHandles: - description: |- - GroupSnapshotHandles specifies the CSI "group_snapshot_id" of a pre-existing - group snapshot and a list of CSI "snapshot_id" of pre-existing snapshots - on the underlying storage system for which a Kubernetes object - representation was (or should be) created. - This field is immutable. - properties: - volumeGroupSnapshotHandle: - description: |- - VolumeGroupSnapshotHandle specifies the CSI "group_snapshot_id" of a pre-existing - group snapshot on the underlying storage system for which a Kubernetes object - representation was (or should be) created. - This field is immutable. - Required. - type: string - volumeSnapshotHandles: - description: |- - VolumeSnapshotHandles is a list of CSI "snapshot_id" of pre-existing - snapshots on the underlying storage system for which Kubernetes objects - representation were (or should be) created. - This field is immutable. - Required. 
- items: - type: string - type: array - required: - - volumeGroupSnapshotHandle - - volumeSnapshotHandles - type: object - x-kubernetes-validations: - - message: groupSnapshotHandles is immutable - rule: self == oldSelf - volumeHandles: - description: |- - VolumeHandles is a list of volume handles on the backend to be snapshotted - together. It is specified for dynamic provisioning of the VolumeGroupSnapshot. - This field is immutable. - items: - type: string - type: array - x-kubernetes-validations: - - message: volumeHandles is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: volumeHandles is required once set - rule: '!has(oldSelf.volumeHandles) || has(self.volumeHandles)' - - message: groupSnapshotHandles is required once set - rule: '!has(oldSelf.groupSnapshotHandles) || has(self.groupSnapshotHandles)' - - message: exactly one of volumeHandles and groupSnapshotHandles must - be set - rule: (has(self.volumeHandles) && !has(self.groupSnapshotHandles)) - || (!has(self.volumeHandles) && has(self.groupSnapshotHandles)) - volumeGroupSnapshotClassName: - description: |- - VolumeGroupSnapshotClassName is the name of the VolumeGroupSnapshotClass from - which this group snapshot was (or will be) created. - Note that after provisioning, the VolumeGroupSnapshotClass may be deleted or - recreated with different set of values, and as such, should not be referenced - post-snapshot creation. - For dynamic provisioning, this field must be set. - This field may be unset for pre-provisioned snapshots. - type: string - x-kubernetes-validations: - - message: volumeGroupSnapshotClassName is immutable once set - rule: self == oldSelf - volumeGroupSnapshotRef: - description: |- - VolumeGroupSnapshotRef specifies the VolumeGroupSnapshot object to which this - VolumeGroupSnapshotContent object is bound. 
- VolumeGroupSnapshot.Spec.VolumeGroupSnapshotContentName field must reference to - this VolumeGroupSnapshotContent's name for the bidirectional binding to be valid. - For a pre-existing VolumeGroupSnapshotContent object, name and namespace of the - VolumeGroupSnapshot object MUST be provided for binding to happen. - This field is immutable after creation. - Required. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: both volumeGroupSnapshotRef.name and volumeGroupSnapshotRef.namespace - must be set - rule: has(self.name) && has(self.__namespace__) - - message: volumeGroupSnapshotRef.name and volumeGroupSnapshotRef.namespace - are immutable - rule: self.name == oldSelf.name && self.__namespace__ == oldSelf.__namespace__ - - message: volumeGroupSnapshotRef.uid is immutable once set - rule: '!has(oldSelf.uid) || (has(self.uid) && self.uid == oldSelf.uid)' - required: - - deletionPolicy - - driver - - source - - volumeGroupSnapshotRef - type: object - status: - description: status represents the current information of a group snapshot. - properties: - creationTime: - description: |- - CreationTime is the timestamp when the point-in-time group snapshot is taken - by the underlying storage system. - If not specified, it indicates the creation time is unknown. - If not specified, it means the readiness of a group snapshot is unknown. - This field is the source for the CreationTime field in VolumeGroupSnapshotStatus - format: date-time - type: string - error: - description: |- - Error is the last observed error during group snapshot creation, if any. - Upon success after retry, this error field will be cleared. - properties: - message: - description: |- - message is a string detailing the encountered error during snapshot - creation if specified. - NOTE: message may be logged, and it should not contain sensitive - information. - type: string - time: - description: time is the timestamp when the error was encountered. - format: date-time - type: string - type: object - readyToUse: - description: |- - ReadyToUse indicates if all the individual snapshots in the group are ready to be - used to restore a group of volumes. 
- ReadyToUse becomes true when ReadyToUse of all individual snapshots become true. - type: boolean - volumeGroupSnapshotHandle: - description: |- - VolumeGroupSnapshotHandle is a unique id returned by the CSI driver - to identify the VolumeGroupSnapshot on the storage system. - If a storage system does not provide such an id, the - CSI driver can choose to return the VolumeGroupSnapshot name. - type: string - x-kubernetes-validations: - - message: volumeGroupSnapshotHandle is immutable once set - rule: self == oldSelf - volumeSnapshotInfoList: - description: |- - This field is introduced in v1beta2 - It is replacing VolumeSnapshotHandlePairList - VolumeSnapshotInfoList is a list of snapshot information returned by - by the CSI driver to identify snapshots on the storage system. - items: - description: |- - The VolumeSnapshotInfo struct is added in v1beta2 - VolumeSnapshotInfo contains information for a snapshot - properties: - creationTime: - description: |- - creationTime is the timestamp when the point-in-time snapshot is taken - by the underlying storage system. - format: int64 - type: integer - readyToUse: - description: ReadyToUse indicates if the snapshot is ready to - be used to restore a volume. - type: boolean - restoreSize: - description: |- - RestoreSize represents the minimum size of volume required to create a volume - from this snapshot. - format: int64 - type: integer - snapshotHandle: - description: SnapshotHandle is the CSI "snapshot_id" of this - snapshot on the underlying storage system. - type: string - volumeHandle: - description: |- - VolumeHandle specifies the CSI "volume_id" of the volume from which this snapshot - was taken from. 
- type: string - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: snapshot-controller/charts/snapshot-controller/crds/groupsnapshot.storage.k8s.io_volumegroupsnapshots.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/1337" - controller-gen.kubebuilder.io/version: v0.15.0 - name: volumegroupsnapshots.groupsnapshot.storage.k8s.io -spec: - group: groupsnapshot.storage.k8s.io - names: - kind: VolumeGroupSnapshot - listKind: VolumeGroupSnapshotList - plural: volumegroupsnapshots - shortNames: - - vgs - singular: volumegroupsnapshot - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Indicates if all the individual snapshots in the group are ready - to be used to restore a group of volumes. - jsonPath: .status.readyToUse - name: ReadyToUse - type: boolean - - description: The name of the VolumeGroupSnapshotClass requested by the VolumeGroupSnapshot. - jsonPath: .spec.volumeGroupSnapshotClassName - name: VolumeGroupSnapshotClass - type: string - - description: Name of the VolumeGroupSnapshotContent object to which the VolumeGroupSnapshot - object intends to bind to. Please note that verification of binding actually - requires checking both VolumeGroupSnapshot and VolumeGroupSnapshotContent - to ensure both are pointing at each other. Binding MUST be verified prior - to usage of this object. - jsonPath: .status.boundVolumeGroupSnapshotContentName - name: VolumeGroupSnapshotContent - type: string - - description: Timestamp when the point-in-time group snapshot was taken by the - underlying storage system. 
- jsonPath: .status.creationTime - name: CreationTime - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - VolumeGroupSnapshot is a user's request for creating either a point-in-time - group snapshot or binding to a pre-existing group snapshot. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Spec defines the desired characteristics of a group snapshot requested by a user. - Required. - properties: - source: - description: |- - Source specifies where a group snapshot will be created from. - This field is immutable after creation. - Required. - properties: - selector: - description: |- - Selector is a label query over persistent volume claims that are to be - grouped together for snapshotting. - This labelSelector will be used to match the label added to a PVC. - If the label is added or removed to a volume after a group snapshot - is created, the existing group snapshots won't be modified. - Once a VolumeGroupSnapshotContent is created and the sidecar starts to process - it, the volume list will not change with retries. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: selector is immutable - rule: self == oldSelf - volumeGroupSnapshotContentName: - description: |- - VolumeGroupSnapshotContentName specifies the name of a pre-existing VolumeGroupSnapshotContent - object representing an existing volume group snapshot. - This field should be set if the volume group snapshot already exists and - only needs a representation in Kubernetes. - This field is immutable. 
- type: string - x-kubernetes-validations: - - message: volumeGroupSnapshotContentName is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: selector is required once set - rule: '!has(oldSelf.selector) || has(self.selector)' - - message: volumeGroupSnapshotContentName is required once set - rule: '!has(oldSelf.volumeGroupSnapshotContentName) || has(self.volumeGroupSnapshotContentName)' - - message: exactly one of selector and volumeGroupSnapshotContentName - must be set - rule: (has(self.selector) && !has(self.volumeGroupSnapshotContentName)) - || (!has(self.selector) && has(self.volumeGroupSnapshotContentName)) - volumeGroupSnapshotClassName: - description: |- - VolumeGroupSnapshotClassName is the name of the VolumeGroupSnapshotClass - requested by the VolumeGroupSnapshot. - VolumeGroupSnapshotClassName may be left nil to indicate that the default - class will be used. - Empty string is not allowed for this field. - type: string - x-kubernetes-validations: - - message: volumeGroupSnapshotClassName must not be the empty string - when set - rule: size(self) > 0 - required: - - source - type: object - status: - description: |- - Status represents the current information of a group snapshot. - Consumers must verify binding between VolumeGroupSnapshot and - VolumeGroupSnapshotContent objects is successful (by validating that both - VolumeGroupSnapshot and VolumeGroupSnapshotContent point to each other) before - using this object. - properties: - boundVolumeGroupSnapshotContentName: - description: |- - BoundVolumeGroupSnapshotContentName is the name of the VolumeGroupSnapshotContent - object to which this VolumeGroupSnapshot object intends to bind to. - If not specified, it indicates that the VolumeGroupSnapshot object has not - been successfully bound to a VolumeGroupSnapshotContent object yet. 
- NOTE: To avoid possible security issues, consumers must verify binding between - VolumeGroupSnapshot and VolumeGroupSnapshotContent objects is successful - (by validating that both VolumeGroupSnapshot and VolumeGroupSnapshotContent - point at each other) before using this object. - type: string - creationTime: - description: |- - CreationTime is the timestamp when the point-in-time group snapshot is taken - by the underlying storage system. - If not specified, it may indicate that the creation time of the group snapshot - is unknown. - The format of this field is a Unix nanoseconds time encoded as an int64. - On Unix, the command date +%s%N returns the current time in nanoseconds - since 1970-01-01 00:00:00 UTC. - This field is updated based on the CreationTime field in VolumeGroupSnapshotContentStatus - format: date-time - type: string - error: - description: |- - Error is the last observed error during group snapshot creation, if any. - This field could be helpful to upper level controllers (i.e., application - controller) to decide whether they should continue on waiting for the group - snapshot to be created based on the type of error reported. - The snapshot controller will keep retrying when an error occurs during the - group snapshot creation. Upon success, this error field will be cleared. - properties: - message: - description: |- - message is a string detailing the encountered error during snapshot - creation if specified. - NOTE: message may be logged, and it should not contain sensitive - information. - type: string - time: - description: time is the timestamp when the error was encountered. - format: date-time - type: string - type: object - readyToUse: - description: |- - ReadyToUse indicates if all the individual snapshots in the group are ready - to be used to restore a group of volumes. - ReadyToUse becomes true when ReadyToUse of all individual snapshots become true. - If not specified, it means the readiness of a group snapshot is unknown. 
- type: boolean - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: Indicates if all the individual snapshots in the group are ready - to be used to restore a group of volumes. - jsonPath: .status.readyToUse - name: ReadyToUse - type: boolean - - description: The name of the VolumeGroupSnapshotClass requested by the VolumeGroupSnapshot. - jsonPath: .spec.volumeGroupSnapshotClassName - name: VolumeGroupSnapshotClass - type: string - - description: Name of the VolumeGroupSnapshotContent object to which the VolumeGroupSnapshot - object intends to bind to. Please note that verification of binding actually - requires checking both VolumeGroupSnapshot and VolumeGroupSnapshotContent - to ensure both are pointing at each other. Binding MUST be verified prior - to usage of this object. - jsonPath: .status.boundVolumeGroupSnapshotContentName - name: VolumeGroupSnapshotContent - type: string - - description: Timestamp when the point-in-time group snapshot was taken by the - underlying storage system. - jsonPath: .status.creationTime - name: CreationTime - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta2 - schema: - openAPIV3Schema: - description: |- - VolumeGroupSnapshot is a user's request for creating either a point-in-time - group snapshot or binding to a pre-existing group snapshot. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. 
- Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Spec defines the desired characteristics of a group snapshot requested by a user. - Required. - properties: - source: - description: |- - Source specifies where a group snapshot will be created from. - This field is immutable after creation. - Required. - properties: - selector: - description: |- - Selector is a label query over persistent volume claims that are to be - grouped together for snapshotting. - This labelSelector will be used to match the label added to a PVC. - If the label is added or removed to a volume after a group snapshot - is created, the existing group snapshots won't be modified. - Once a VolumeGroupSnapshotContent is created and the sidecar starts to process - it, the volume list will not change with retries. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: selector is immutable - rule: self == oldSelf - volumeGroupSnapshotContentName: - description: |- - VolumeGroupSnapshotContentName specifies the name of a pre-existing VolumeGroupSnapshotContent - object representing an existing volume group snapshot. - This field should be set if the volume group snapshot already exists and - only needs a representation in Kubernetes. - This field is immutable. - type: string - x-kubernetes-validations: - - message: volumeGroupSnapshotContentName is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: selector is required once set - rule: '!has(oldSelf.selector) || has(self.selector)' - - message: volumeGroupSnapshotContentName is required once set - rule: '!has(oldSelf.volumeGroupSnapshotContentName) || has(self.volumeGroupSnapshotContentName)' - - message: exactly one of selector and volumeGroupSnapshotContentName - must be set - rule: (has(self.selector) && !has(self.volumeGroupSnapshotContentName)) - || (!has(self.selector) && has(self.volumeGroupSnapshotContentName)) - volumeGroupSnapshotClassName: - description: |- - VolumeGroupSnapshotClassName is the name of the VolumeGroupSnapshotClass - requested by the VolumeGroupSnapshot. - VolumeGroupSnapshotClassName may be left nil to indicate that the default - class will be used. - Empty string is not allowed for this field. 
- type: string - x-kubernetes-validations: - - message: volumeGroupSnapshotClassName must not be the empty string - when set - rule: size(self) > 0 - required: - - source - type: object - status: - description: |- - Status represents the current information of a group snapshot. - Consumers must verify binding between VolumeGroupSnapshot and - VolumeGroupSnapshotContent objects is successful (by validating that both - VolumeGroupSnapshot and VolumeGroupSnapshotContent point to each other) before - using this object. - properties: - boundVolumeGroupSnapshotContentName: - description: |- - BoundVolumeGroupSnapshotContentName is the name of the VolumeGroupSnapshotContent - object to which this VolumeGroupSnapshot object intends to bind to. - If not specified, it indicates that the VolumeGroupSnapshot object has not - been successfully bound to a VolumeGroupSnapshotContent object yet. - NOTE: To avoid possible security issues, consumers must verify binding between - VolumeGroupSnapshot and VolumeGroupSnapshotContent objects is successful - (by validating that both VolumeGroupSnapshot and VolumeGroupSnapshotContent - point at each other) before using this object. - type: string - x-kubernetes-validations: - - message: boundVolumeGroupSnapshotContentName is immutable once set - rule: self == oldSelf - creationTime: - description: |- - CreationTime is the timestamp when the point-in-time group snapshot is taken - by the underlying storage system. - If not specified, it may indicate that the creation time of the group snapshot - is unknown. - This field is updated based on the CreationTime field in VolumeGroupSnapshotContentStatus - format: date-time - type: string - error: - description: |- - Error is the last observed error during group snapshot creation, if any. 
- This field could be helpful to upper level controllers (i.e., application - controller) to decide whether they should continue on waiting for the group - snapshot to be created based on the type of error reported. - The snapshot controller will keep retrying when an error occurs during the - group snapshot creation. Upon success, this error field will be cleared. - properties: - message: - description: |- - message is a string detailing the encountered error during snapshot - creation if specified. - NOTE: message may be logged, and it should not contain sensitive - information. - type: string - time: - description: time is the timestamp when the error was encountered. - format: date-time - type: string - type: object - readyToUse: - description: |- - ReadyToUse indicates if all the individual snapshots in the group are ready - to be used to restore a group of volumes. - ReadyToUse becomes true when ReadyToUse of all individual snapshots become true. - If not specified, it means the readiness of a group snapshot is unknown. 
- type: boolean - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -# Source: snapshot-controller/charts/snapshot-controller/crds/snapshot.storage.k8s.io_volumesnapshotclasses.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" - controller-gen.kubebuilder.io/version: v0.15.0 - name: volumesnapshotclasses.snapshot.storage.k8s.io -spec: - group: snapshot.storage.k8s.io - names: - kind: VolumeSnapshotClass - listKind: VolumeSnapshotClassList - plural: volumesnapshotclasses - shortNames: - - vsclass - - vsclasses - singular: volumesnapshotclass - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .driver - name: Driver - type: string - - description: Determines whether a VolumeSnapshotContent created through the - VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. - jsonPath: .deletionPolicy - name: DeletionPolicy - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - VolumeSnapshotClass specifies parameters that a underlying storage system uses when - creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its - name in a VolumeSnapshot object. - VolumeSnapshotClasses are non-namespaced - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - deletionPolicy: - description: |- - deletionPolicy determines whether a VolumeSnapshotContent created through - the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. - Supported values are "Retain" and "Delete". - "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. - "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. - Required. - enum: - - Delete - - Retain - type: string - driver: - description: |- - driver is the name of the storage driver that handles this VolumeSnapshotClass. - Required. - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - parameters: - additionalProperties: - type: string - description: |- - parameters is a key-value map with storage driver specific parameters for creating snapshots. - These values are opaque to Kubernetes. - type: object - required: - - deletionPolicy - - driver - type: object - served: true - storage: true - subresources: {} - - additionalPrinterColumns: - - jsonPath: .driver - name: Driver - type: string - - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. - jsonPath: .deletionPolicy - name: DeletionPolicy - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - # This indicates the v1beta1 version of the custom resource is deprecated. 
- # API requests to this version receive a warning in the server response. - deprecated: true - # This overrides the default warning returned to clients making v1beta1 API requests. - deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" - schema: - openAPIV3Schema: - description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - deletionPolicy: - description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. - enum: - - Delete - - Retain - type: string - driver: - description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - parameters: - additionalProperties: - type: string - description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. - type: object - required: - - deletionPolicy - - driver - type: object - served: false - storage: false - subresources: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- -# Source: snapshot-controller/charts/snapshot-controller/crds/snapshot.storage.k8s.io_volumesnapshotcontents.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" - name: volumesnapshotcontents.snapshot.storage.k8s.io -spec: - group: snapshot.storage.k8s.io - names: - kind: VolumeSnapshotContent - listKind: VolumeSnapshotContentList - plural: volumesnapshotcontents - shortNames: - - vsc - - vscs - singular: volumesnapshotcontent - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Indicates if the snapshot is ready to be used to restore a volume. - jsonPath: .status.readyToUse - name: ReadyToUse - type: boolean - - description: Represents the complete size of the snapshot in bytes - jsonPath: .status.restoreSize - name: RestoreSize - type: integer - - description: Determines whether this VolumeSnapshotContent and its physical - snapshot on the underlying storage system should be deleted when its bound - VolumeSnapshot is deleted. - jsonPath: .spec.deletionPolicy - name: DeletionPolicy - type: string - - description: Name of the CSI driver used to create the physical snapshot on - the underlying storage system. 
- jsonPath: .spec.driver - name: Driver - type: string - - description: Name of the VolumeSnapshotClass to which this snapshot belongs. - jsonPath: .spec.volumeSnapshotClassName - name: VolumeSnapshotClass - type: string - - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent - object is bound. - jsonPath: .spec.volumeSnapshotRef.name - name: VolumeSnapshot - type: string - - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent - object is bound. - jsonPath: .spec.volumeSnapshotRef.namespace - name: VolumeSnapshotNamespace - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - VolumeSnapshotContent represents the actual "on-disk" snapshot object in the - underlying storage system - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec defines properties of a VolumeSnapshotContent created by the underlying storage system. - Required. - properties: - deletionPolicy: - description: |- - deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on - the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. - Supported values are "Retain" and "Delete". 
- "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. - "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. - For dynamically provisioned snapshots, this field will automatically be filled in by the - CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding - VolumeSnapshotClass. - For pre-existing snapshots, users MUST specify this field when creating the - VolumeSnapshotContent object. - Required. - enum: - - Delete - - Retain - type: string - driver: - description: |- - driver is the name of the CSI driver used to create the physical snapshot on - the underlying storage system. - This MUST be the same as the name returned by the CSI GetPluginName() call for - that driver. - Required. - type: string - source: - description: |- - source specifies whether the snapshot is (or should be) dynamically provisioned - or already exists, and just requires a Kubernetes object representation. - This field is immutable after creation. - Required. - properties: - snapshotHandle: - description: |- - snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on - the underlying storage system for which a Kubernetes object representation - was (or should be) created. - This field is immutable. - type: string - x-kubernetes-validations: - - message: snapshotHandle is immutable - rule: self == oldSelf - volumeHandle: - description: |- - volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot - should be dynamically taken from. - This field is immutable. 
- type: string - x-kubernetes-validations: - - message: volumeHandle is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: volumeHandle is required once set - rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' - - message: snapshotHandle is required once set - rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' - - message: exactly one of volumeHandle and snapshotHandle must be - set - rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) - && has(self.snapshotHandle)) - sourceVolumeMode: - description: |- - SourceVolumeMode is the mode of the volume whose snapshot is taken. - Can be either “Filesystem” or “Block”. - If not specified, it indicates the source volume's mode is unknown. - This field is immutable. - This field is an alpha field. - type: string - x-kubernetes-validations: - - message: sourceVolumeMode is immutable - rule: self == oldSelf - volumeSnapshotClassName: - description: |- - name of the VolumeSnapshotClass from which this snapshot was (or will be) - created. - Note that after provisioning, the VolumeSnapshotClass may be deleted or - recreated with different set of values, and as such, should not be referenced - post-snapshot creation. - type: string - volumeSnapshotRef: - description: |- - volumeSnapshotRef specifies the VolumeSnapshot object to which this - VolumeSnapshotContent object is bound. - VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to - this VolumeSnapshotContent's name for the bidirectional binding to be valid. - For a pre-existing VolumeSnapshotContent object, name and namespace of the - VolumeSnapshot object MUST be provided for binding to happen. - This field is immutable after creation. - Required. - properties: - apiVersion: - description: API version of the referent. 
- type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - x-kubernetes-validations: - - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace - must be set - rule: has(self.name) && has(self.__namespace__) - required: - - deletionPolicy - - driver - - source - - volumeSnapshotRef - type: object - x-kubernetes-validations: - - message: sourceVolumeMode is required once set - rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' - status: - description: status represents the current information of a snapshot. - properties: - creationTime: - description: |- - creationTime is the timestamp when the point-in-time snapshot is taken - by the underlying storage system. - In dynamic snapshot creation case, this field will be filled in by the - CSI snapshotter sidecar with the "creation_time" value returned from CSI - "CreateSnapshot" gRPC call. - For a pre-existing snapshot, this field will be filled with the "creation_time" - value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. - If not specified, it indicates the creation time is unknown. - The format of this field is a Unix nanoseconds time encoded as an int64. - On Unix, the command `date +%s%N` returns the current time in nanoseconds - since 1970-01-01 00:00:00 UTC. - format: int64 - type: integer - error: - description: |- - error is the last observed error during snapshot creation, if any. - Upon success after retry, this error field will be cleared. - properties: - message: - description: |- - message is a string detailing the encountered error during snapshot - creation if specified. - NOTE: message may be logged, and it should not contain sensitive - information. - type: string - time: - description: time is the timestamp when the error was encountered. 
- format: date-time - type: string - type: object - readyToUse: - description: |- - readyToUse indicates if a snapshot is ready to be used to restore a volume. - In dynamic snapshot creation case, this field will be filled in by the - CSI snapshotter sidecar with the "ready_to_use" value returned from CSI - "CreateSnapshot" gRPC call. - For a pre-existing snapshot, this field will be filled with the "ready_to_use" - value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, - otherwise, this field will be set to "True". - If not specified, it means the readiness of a snapshot is unknown. - type: boolean - restoreSize: - description: |- - restoreSize represents the complete size of the snapshot in bytes. - In dynamic snapshot creation case, this field will be filled in by the - CSI snapshotter sidecar with the "size_bytes" value returned from CSI - "CreateSnapshot" gRPC call. - For a pre-existing snapshot, this field will be filled with the "size_bytes" - value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. - When restoring a volume from this snapshot, the size of the volume MUST NOT - be smaller than the restoreSize if it is specified, otherwise the restoration will fail. - If not specified, it indicates that the size is unknown. - format: int64 - minimum: 0 - type: integer - snapshotHandle: - description: |- - snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. - If not specified, it indicates that dynamic snapshot creation has either failed - or it is still in progress. - type: string - volumeGroupSnapshotHandle: - description: |- - VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot - on the underlying storage system. - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: Indicates if the snapshot is ready to be used to restore a volume. 
- jsonPath: .status.readyToUse - name: ReadyToUse - type: boolean - - description: Represents the complete size of the snapshot in bytes - jsonPath: .status.restoreSize - name: RestoreSize - type: integer - - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. - jsonPath: .spec.deletionPolicy - name: DeletionPolicy - type: string - - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. - jsonPath: .spec.driver - name: Driver - type: string - - description: Name of the VolumeSnapshotClass to which this snapshot belongs. - jsonPath: .spec.volumeSnapshotClassName - name: VolumeSnapshotClass - type: string - - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. - jsonPath: .spec.volumeSnapshotRef.name - name: VolumeSnapshot - type: string - - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. - jsonPath: .spec.volumeSnapshotRef.namespace - name: VolumeSnapshotNamespace - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - # This indicates the v1beta1 version of the custom resource is deprecated. - # API requests to this version receive a warning in the server response. - deprecated: true - # This overrides the default warning returned to clients making v1beta1 API requests. - deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" - schema: - openAPIV3Schema: - description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - spec: - description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. - properties: - deletionPolicy: - description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. - enum: - - Delete - - Retain - type: string - driver: - description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. - type: string - source: - description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. 
This field is immutable after creation. Required. - properties: - snapshotHandle: - description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. - type: string - volumeHandle: - description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. - type: string - type: object - volumeSnapshotClassName: - description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. - type: string - volumeSnapshotRef: - description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. 
TODO: this design is not final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - required: - - deletionPolicy - - driver - - source - - volumeSnapshotRef - type: object - status: - description: status represents the current information of a snapshot. - properties: - creationTime: - description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. 
- format: int64 - type: integer - error: - description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. - properties: - message: - description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' - type: string - time: - description: time is the timestamp when the error was encountered. - format: date-time - type: string - type: object - readyToUse: - description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. - type: boolean - restoreSize: - description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. - format: int64 - minimum: 0 - type: integer - snapshotHandle: - description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. 
If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. - type: string - type: object - required: - - spec - type: object - served: false - storage: false - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- -# Source: snapshot-controller/charts/snapshot-controller/crds/snapshot.storage.k8s.io_volumesnapshots.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" - name: volumesnapshots.snapshot.storage.k8s.io -spec: - group: snapshot.storage.k8s.io - names: - kind: VolumeSnapshot - listKind: VolumeSnapshotList - plural: volumesnapshots - shortNames: - - vs - singular: volumesnapshot - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Indicates if the snapshot is ready to be used to restore a volume. - jsonPath: .status.readyToUse - name: ReadyToUse - type: boolean - - description: If a new snapshot needs to be created, this contains the name of - the source PVC from which this snapshot was (or will be) created. - jsonPath: .spec.source.persistentVolumeClaimName - name: SourcePVC - type: string - - description: If a snapshot already exists, this contains the name of the existing - VolumeSnapshotContent object representing the existing snapshot. - jsonPath: .spec.source.volumeSnapshotContentName - name: SourceSnapshotContent - type: string - - description: Represents the minimum size of volume required to rehydrate from - this snapshot. - jsonPath: .status.restoreSize - name: RestoreSize - type: string - - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. 
- jsonPath: .spec.volumeSnapshotClassName - name: SnapshotClass - type: string - - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot - object intends to bind to. Please note that verification of binding actually - requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure - both are pointing at each other. Binding MUST be verified prior to usage of - this object. - jsonPath: .status.boundVolumeSnapshotContentName - name: SnapshotContent - type: string - - description: Timestamp when the point-in-time snapshot was taken by the underlying - storage system. - jsonPath: .status.creationTime - name: CreationTime - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - VolumeSnapshot is a user's request for either creating a point-in-time - snapshot of a persistent volume, or binding to a pre-existing snapshot. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec defines the desired characteristics of a snapshot requested by a user. - More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots - Required. - properties: - source: - description: |- - source specifies where a snapshot will be created from. 
- This field is immutable after creation. - Required. - properties: - persistentVolumeClaimName: - description: |- - persistentVolumeClaimName specifies the name of the PersistentVolumeClaim - object representing the volume from which a snapshot should be created. - This PVC is assumed to be in the same namespace as the VolumeSnapshot - object. - This field should be set if the snapshot does not exists, and needs to be - created. - This field is immutable. - type: string - x-kubernetes-validations: - - message: persistentVolumeClaimName is immutable - rule: self == oldSelf - volumeSnapshotContentName: - description: |- - volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent - object representing an existing volume snapshot. - This field should be set if the snapshot already exists and only needs a representation in Kubernetes. - This field is immutable. - type: string - x-kubernetes-validations: - - message: volumeSnapshotContentName is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: persistentVolumeClaimName is required once set - rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' - - message: volumeSnapshotContentName is required once set - rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' - - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName - must be set - rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) - || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) - volumeSnapshotClassName: - description: |- - VolumeSnapshotClassName is the name of the VolumeSnapshotClass - requested by the VolumeSnapshot. - VolumeSnapshotClassName may be left nil to indicate that the default - SnapshotClass should be used. - A given cluster may have multiple default Volume SnapshotClasses: one - default per CSI Driver. 
If a VolumeSnapshot does not specify a SnapshotClass, - VolumeSnapshotSource will be checked to figure out what the associated - CSI Driver is, and the default VolumeSnapshotClass associated with that - CSI Driver will be used. If more than one VolumeSnapshotClass exist for - a given CSI Driver and more than one have been marked as default, - CreateSnapshot will fail and generate an event. - Empty string is not allowed for this field. - type: string - x-kubernetes-validations: - - message: volumeSnapshotClassName must not be the empty string when - set - rule: size(self) > 0 - required: - - source - type: object - status: - description: |- - status represents the current information of a snapshot. - Consumers must verify binding between VolumeSnapshot and - VolumeSnapshotContent objects is successful (by validating that both - VolumeSnapshot and VolumeSnapshotContent point at each other) before - using this object. - properties: - boundVolumeSnapshotContentName: - description: |- - boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent - object to which this VolumeSnapshot object intends to bind to. - If not specified, it indicates that the VolumeSnapshot object has not been - successfully bound to a VolumeSnapshotContent object yet. - NOTE: To avoid possible security issues, consumers must verify binding between - VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that - both VolumeSnapshot and VolumeSnapshotContent point at each other) before using - this object. - type: string - creationTime: - description: |- - creationTime is the timestamp when the point-in-time snapshot is taken - by the underlying storage system. - In dynamic snapshot creation case, this field will be filled in by the - snapshot controller with the "creation_time" value returned from CSI - "CreateSnapshot" gRPC call. 
- For a pre-existing snapshot, this field will be filled with the "creation_time" - value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. - If not specified, it may indicate that the creation time of the snapshot is unknown. - format: date-time - type: string - error: - description: |- - error is the last observed error during snapshot creation, if any. - This field could be helpful to upper level controllers(i.e., application controller) - to decide whether they should continue on waiting for the snapshot to be created - based on the type of error reported. - The snapshot controller will keep retrying when an error occurs during the - snapshot creation. Upon success, this error field will be cleared. - properties: - message: - description: |- - message is a string detailing the encountered error during snapshot - creation if specified. - NOTE: message may be logged, and it should not contain sensitive - information. - type: string - time: - description: time is the timestamp when the error was encountered. - format: date-time - type: string - type: object - readyToUse: - description: |- - readyToUse indicates if the snapshot is ready to be used to restore a volume. - In dynamic snapshot creation case, this field will be filled in by the - snapshot controller with the "ready_to_use" value returned from CSI - "CreateSnapshot" gRPC call. - For a pre-existing snapshot, this field will be filled with the "ready_to_use" - value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, - otherwise, this field will be set to "True". - If not specified, it means the readiness of a snapshot is unknown. - type: boolean - restoreSize: - type: string - description: |- - restoreSize represents the minimum size of volume required to create a volume - from this snapshot. 
- In dynamic snapshot creation case, this field will be filled in by the - snapshot controller with the "size_bytes" value returned from CSI - "CreateSnapshot" gRPC call. - For a pre-existing snapshot, this field will be filled with the "size_bytes" - value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. - When restoring a volume from this snapshot, the size of the volume MUST NOT - be smaller than the restoreSize if it is specified, otherwise the restoration will fail. - If not specified, it indicates that the size is unknown. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - volumeGroupSnapshotName: - description: |- - VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this - VolumeSnapshot is a part of. - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: Indicates if the snapshot is ready to be used to restore a volume. - jsonPath: .status.readyToUse - name: ReadyToUse - type: boolean - - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. - jsonPath: .spec.source.persistentVolumeClaimName - name: SourcePVC - type: string - - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. - jsonPath: .spec.source.volumeSnapshotContentName - name: SourceSnapshotContent - type: string - - description: Represents the minimum size of volume required to rehydrate from this snapshot. - jsonPath: .status.restoreSize - name: RestoreSize - type: string - - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. 
- jsonPath: .spec.volumeSnapshotClassName - name: SnapshotClass - type: string - - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. - jsonPath: .status.boundVolumeSnapshotContentName - name: SnapshotContent - type: string - - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. - jsonPath: .status.creationTime - name: CreationTime - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - # This indicates the v1beta1 version of the custom resource is deprecated. - # API requests to this version receive a warning in the server response. - deprecated: true - # This overrides the default warning returned to clients making v1beta1 API requests. - deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" - schema: - openAPIV3Schema: - description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - spec: - description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' - properties: - source: - description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. - properties: - persistentVolumeClaimName: - description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. - type: string - volumeSnapshotContentName: - description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. - type: string - type: object - volumeSnapshotClassName: - description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' 
- type: string - required: - - source - type: object - status: - description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. - properties: - boundVolumeSnapshotContentName: - description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' - type: string - creationTime: - description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. - format: date-time - type: string - error: - description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. 
- properties: - message: - description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' - type: string - time: - description: time is the timestamp when the error was encountered. - format: date-time - type: string - type: object - readyToUse: - description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. - type: boolean - restoreSize: - type: string - description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. 
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - required: - - spec - type: object - served: false - storage: false - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- -# Source: snapshot-controller/charts/snapshot-controller/templates/serviceaccount_controller.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: snapshot-controller - namespace: snapshot-controller - labels: - helm.sh/chart: snapshot-controller-4.2.0 - app.kubernetes.io/name: snapshot-controller - app.kubernetes.io/instance: snapshot-controller - app.kubernetes.io/version: "v8.4.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: snapshot-controller/charts/snapshot-controller/templates/serviceaccount_controller.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: snapshot-controller -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents/status"] - verbs: ["patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots/status"] - verbs: ["update", "patch"] - - apiGroups: ["groupsnapshot.storage.k8s.io"] - 
resources: ["volumegroupsnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["groupsnapshot.storage.k8s.io"] - resources: ["volumegroupsnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] - - apiGroups: ["groupsnapshot.storage.k8s.io"] - resources: ["volumegroupsnapshotcontents/status"] - verbs: ["patch"] - - apiGroups: ["groupsnapshot.storage.k8s.io"] - resources: ["volumegroupsnapshots"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["groupsnapshot.storage.k8s.io"] - resources: ["volumegroupsnapshots/status"] - verbs: ["update", "patch"] ---- -# Source: snapshot-controller/charts/snapshot-controller/templates/serviceaccount_controller.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: snapshot-controller -subjects: - - kind: ServiceAccount - name: snapshot-controller - namespace: snapshot-controller -roleRef: - kind: ClusterRole - name: snapshot-controller - apiGroup: rbac.authorization.k8s.io ---- -# Source: snapshot-controller/charts/snapshot-controller/templates/serviceaccount_controller.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: snapshot-controller - namespace: snapshot-controller -rules: - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] ---- -# Source: snapshot-controller/charts/snapshot-controller/templates/serviceaccount_controller.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: snapshot-controller - namespace: snapshot-controller -subjects: - - kind: ServiceAccount - name: snapshot-controller -roleRef: - kind: Role - name: snapshot-controller - apiGroup: rbac.authorization.k8s.io ---- -# Source: snapshot-controller/charts/snapshot-controller/templates/service_controller.yaml -apiVersion: v1 -kind: Service -metadata: - name: snapshot-controller - namespace: snapshot-controller - labels: - 
helm.sh/chart: snapshot-controller-4.2.0 - app.kubernetes.io/name: snapshot-controller - app.kubernetes.io/instance: snapshot-controller - app.kubernetes.io/version: "v8.4.0" - app.kubernetes.io/managed-by: Helm -spec: - clusterIP: None - ports: - - port: 8080 - targetPort: 8080 - name: http - selector: - app.kubernetes.io/name: snapshot-controller - app.kubernetes.io/instance: snapshot-controller ---- -# Source: snapshot-controller/charts/snapshot-controller/templates/deployment_controller.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: snapshot-controller - namespace: snapshot-controller - labels: - helm.sh/chart: snapshot-controller-4.2.0 - app.kubernetes.io/name: snapshot-controller - app.kubernetes.io/instance: snapshot-controller - app.kubernetes.io/version: "v8.4.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 3 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: snapshot-controller - app.kubernetes.io/instance: snapshot-controller - template: - metadata: - labels: - app.kubernetes.io/name: snapshot-controller - app.kubernetes.io/instance: snapshot-controller - spec: - serviceAccountName: snapshot-controller - securityContext: - {} - containers: - - name: snapshot-controller - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - image: "registry.k8s.io/sig-storage/snapshot-controller:v8.4.0" - imagePullPolicy: IfNotPresent - args: - - --http-endpoint=:8080 - - --leader-election=true - - --leader-election-namespace=snapshot-controller - ports: - - name: http - containerPort: 8080 - protocol: TCP - readinessProbe: - httpGet: - port: http - path: /healthz/leader-election - scheme: HTTP - livenessProbe: - httpGet: - port: http - path: /healthz/leader-election - scheme: HTTP - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: - requests: - cpu: 50m - memory: 128Mi - hostNetwork: false - dnsPolicy: 
ClusterFirst ---- -# Source: snapshot-controller/charts/snapshot-controller/templates/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: snapshot-controller - namespace: snapshot-controller - labels: - helm.sh/chart: snapshot-controller-4.2.0 - app.kubernetes.io/name: snapshot-controller - app.kubernetes.io/instance: snapshot-controller - app.kubernetes.io/version: "v8.4.0" - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - app.kubernetes.io/name: snapshot-controller - app.kubernetes.io/instance: snapshot-controller - endpoints: - - port: http - path: /metrics diff --git a/clusters/cl01tl/manifests/sonarr-4k/sonarr-4k.yaml b/clusters/cl01tl/manifests/sonarr-4k/sonarr-4k.yaml deleted file mode 100644 index ec5868854..000000000 --- a/clusters/cl01tl/manifests/sonarr-4k/sonarr-4k.yaml +++ /dev/null 
@@ -1,928 +0,0 @@ ---- -# Source: sonarr-4k/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: sonarr-4k-nfs-storage - namespace: sonarr-4k - labels: - app.kubernetes.io/name: sonarr-4k-nfs-storage - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/part-of: sonarr-4k -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: sonarr-4k/charts/sonarr-4k/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: sonarr-4k-config - labels: - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: sonarr-4k - helm.sh/chart: sonarr-4k-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: sonarr-4k -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "20Gi" - storageClassName: "ceph-block" ---- -# Source: sonarr-4k/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: sonarr-4k-nfs-storage - namespace: sonarr-4k - labels: - app.kubernetes.io/name: sonarr-4k-nfs-storage - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/part-of: sonarr-4k -spec: - volumeName: sonarr-4k-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: sonarr-4k/charts/sonarr-4k/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: sonarr-4k - labels: - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: sonarr-4k - app.kubernetes.io/service: sonarr-4k - helm.sh/chart: sonarr-4k-4.4.0 - namespace: sonarr-4k -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8989 - protocol: TCP - name: http - - port: 9794 - 
targetPort: 9794 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/name: sonarr-4k ---- -# Source: sonarr-4k/charts/sonarr-4k/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sonarr-4k - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: sonarr-4k - helm.sh/chart: sonarr-4k-4.4.0 - namespace: sonarr-4k -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: sonarr-4k - app.kubernetes.io/instance: sonarr-4k - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/name: sonarr-4k - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: PUID - value: "1000" - - name: PGID - value: "1000" - image: ghcr.io/linuxserver/sonarr:4.0.16@sha256:60e5edcac39172294ad22d55d1b08c2c0a9fe658cad2f2c4d742ae017d7874de - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /config - name: config - - mountPath: /mnt/store - name: media - - args: - - sonarr - env: - - name: URL - value: http://localhost - - name: CONFIG - value: /config/config.xml - - name: PORT - value: "9794" - - name: ENABLE_ADDITIONAL_METRICS - value: "false" - - name: ENABLE_UNKNOWN_QUEUE_ITEMS - value: "false" - image: ghcr.io/onedr0p/exportarr:v2.3.0 - imagePullPolicy: IfNotPresent - name: metrics - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /config 
- name: config - readOnly: true - volumes: - - name: config - persistentVolumeClaim: - claimName: sonarr-4k-config - - name: media - persistentVolumeClaim: - claimName: sonarr-4k-nfs-storage ---- -# Source: sonarr-4k/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: sonarr4-4k-postgresql-17-cluster - namespace: sonarr-4k - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-4k-postgresql-17 - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/part-of: sonarr-4k - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "sonarr4-4k-postgresql-17-external-backup" - serverName: "sonarr4-4k-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "sonarr4-4k-postgresql-17-garage-local-backup" - serverName: "sonarr4-4k-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "sonarr4-4k-postgresql-17-recovery" - serverName: sonarr4-4k-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 512Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - 
enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: sonarr4-4k-postgresql-17-backup-1 - - externalClusters: - - name: sonarr4-4k-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "sonarr4-4k-postgresql-17-recovery" - serverName: sonarr4-4k-postgresql-17-backup-1 ---- -# Source: sonarr-4k/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: sonarr-4k-config-backup-secret - namespace: sonarr-4k - labels: - app.kubernetes.io/name: sonarr-4k-config-backup-secret - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/part-of: sonarr-4k -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/sonarr4-4k/sonarr4-4k-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: sonarr-4k/templates/external-secret.yaml 
-apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: sonarr-4k-postgresql-17-cluster-backup-secret - namespace: sonarr-4k - labels: - app.kubernetes.io/name: sonarr-4k-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/part-of: sonarr-4k -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: sonarr-4k/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: sonarr-4k-postgresql-17-cluster-backup-secret-garage - namespace: sonarr-4k - labels: - app.kubernetes.io/name: sonarr-4k-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/part-of: sonarr-4k -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: sonarr-4k/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-sonarr-4k - namespace: sonarr-4k - labels: - app.kubernetes.io/name: 
http-route-sonarr-4k - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/part-of: sonarr-4k -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - sonarr-4k.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: sonarr-4k - port: 80 - weight: 100 ---- -# Source: sonarr-4k/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "sonarr4-4k-postgresql-17-external-backup" - namespace: sonarr-4k - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-4k-postgresql-17 - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/part-of: sonarr-4k - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/sonarr4-4k/sonarr4-4k-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: sonarr-4k-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: sonarr-4k-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: sonarr-4k/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "sonarr4-4k-postgresql-17-garage-local-backup" - namespace: sonarr-4k - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-4k-postgresql-17 - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/part-of: sonarr-4k - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/sonarr-4k/sonarr4-4k-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - 
accessKeyId: - name: sonarr-4k-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: sonarr-4k-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: sonarr-4k-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: sonarr-4k/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "sonarr4-4k-postgresql-17-recovery" - namespace: sonarr-4k - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-4k-postgresql-17 - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/part-of: sonarr-4k - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/sonarr-4k/sonarr4-4k-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: sonarr-4k-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: sonarr-4k-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: sonarr-4k/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: sonarr4-4k-postgresql-17-alert-rules - namespace: sonarr-4k - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-4k-postgresql-17 - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/part-of: sonarr-4k - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/sonarr4-4k-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. 
- description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: sonarr-4k - cnpg_cluster: sonarr4-4k-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: sonarr-4k - cnpg_cluster: sonarr4-4k-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="sonarr-4k"} - cnpg_pg_replication_is_wal_receiver_up{namespace="sonarr-4k"}) < 1 - for: 5m - labels: - severity: critical - namespace: sonarr-4k - cnpg_cluster: sonarr4-4k-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. 
- description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="sonarr-4k"} - cnpg_pg_replication_is_wal_receiver_up{namespace="sonarr-4k"}) < 2 - for: 5m - labels: - severity: warning - namespace: sonarr-4k - cnpg_cluster: sonarr4-4k-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "sonarr-4k/sonarr4-4k-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="sonarr-4k", pod=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="sonarr-4k", pod=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: sonarr-4k - cnpg_cluster: sonarr4-4k-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "sonarr-4k/sonarr4-4k-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="sonarr-4k", pod=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="sonarr-4k", pod=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: sonarr-4k - cnpg_cluster: sonarr4-4k-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "sonarr-4k/sonarr4-4k-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="sonarr-4k",pod=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: sonarr-4k - cnpg_cluster: sonarr4-4k-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "sonarr-4k/sonarr4-4k-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="sonarr-4k", pod=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: sonarr-4k - cnpg_cluster: sonarr4-4k-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: sonarr-4k - cnpg_cluster: sonarr4-4k-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "sonarr-4k/sonarr4-4k-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="sonarr-4k", persistentvolumeclaim=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="sonarr-4k", persistentvolumeclaim=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="sonarr-4k", persistentvolumeclaim=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="sonarr-4k", persistentvolumeclaim=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="sonarr-4k", persistentvolumeclaim=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="sonarr-4k", persistentvolumeclaim=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: sonarr-4k - cnpg_cluster: sonarr4-4k-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "sonarr-4k/sonarr4-4k-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="sonarr-4k", persistentvolumeclaim=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="sonarr-4k", persistentvolumeclaim=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="sonarr-4k", persistentvolumeclaim=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="sonarr-4k", persistentvolumeclaim=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="sonarr-4k", persistentvolumeclaim=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="sonarr-4k", persistentvolumeclaim=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: sonarr-4k - cnpg_cluster: sonarr4-4k-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "sonarr-4k/sonarr4-4k-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="sonarr-4k",pod=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: sonarr-4k - cnpg_cluster: sonarr4-4k-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: sonarr-4k - cnpg_cluster: sonarr4-4k-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: sonarr-4k - cnpg_cluster: sonarr4-4k-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: sonarr-4k - cnpg_cluster: sonarr4-4k-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "sonarr-4k/sonarr4-4k-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="sonarr-4k", pod=~"sonarr4-4k-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: sonarr-4k - cnpg_cluster: sonarr4-4k-postgresql-17-cluster ---- -# Source: sonarr-4k/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: sonarr-4k - namespace: sonarr-4k - labels: - app.kubernetes.io/name: sonarr-4k - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/part-of: sonarr-4k -spec: - groups: - - name: sonarr-4k - rules: - - alert: ExportarrAbsent - annotations: - description: Sonarr 4K Exportarr has disappeared from Prometheus - service discovery. - summary: Exportarr is down. - expr: | - absent(up{job=~".*sonarr-4k.*"} == 1) - for: 5m - labels: - severity: critical - - alert: Sonarr4KDown - annotations: - description: Sonarr 4K service is down. - summary: Sonarr 4K is down. 
- expr: | - sonarr_4k_system_status{job=~".*sonarr-4k.*"} == 0 - for: 5m - labels: - severity: critical ---- -# Source: sonarr-4k/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: sonarr-4k-config-backup-source - namespace: sonarr-4k - labels: - app.kubernetes.io/name: sonarr-4k-config-backup-source - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/part-of: sonarr-4k -spec: - sourcePVC: sonarr-4k-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: sonarr-4k-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - moverSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: sonarr-4k/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "sonarr4-4k-postgresql-17-daily-backup-scheduled-backup" - namespace: sonarr-4k - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-4k-postgresql-17 - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/part-of: sonarr-4k - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: sonarr4-4k-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "sonarr4-4k-postgresql-17-external-backup" ---- -# Source: sonarr-4k/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "sonarr4-4k-postgresql-17-live-backup-scheduled-backup" - namespace: sonarr-4k - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - 
app.kubernetes.io/name: sonarr4-4k-postgresql-17 - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/part-of: sonarr-4k - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: sonarr4-4k-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "sonarr4-4k-postgresql-17-garage-local-backup" ---- -# Source: sonarr-4k/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: sonarr-4k - namespace: sonarr-4k - labels: - app.kubernetes.io/name: sonarr-4k - app.kubernetes.io/instance: sonarr-4k - app.kubernetes.io/part-of: sonarr-4k -spec: - selector: - matchLabels: - app.kubernetes.io/name: sonarr-4k - app.kubernetes.io/instance: sonarr-4k - endpoints: - - port: metrics - interval: 3m - scrapeTimeout: 1m - path: /metrics diff --git a/clusters/cl01tl/manifests/sonarr-anime/sonarr-anime.yaml b/clusters/cl01tl/manifests/sonarr-anime/sonarr-anime.yaml deleted file mode 100644 index 5829d11ff..000000000 --- a/clusters/cl01tl/manifests/sonarr-anime/sonarr-anime.yaml +++ /dev/null 
@@ -1,928 +0,0 @@ ---- -# Source: sonarr-anime/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: sonarr-anime-nfs-storage - namespace: sonarr-anime - labels: - app.kubernetes.io/name: sonarr-anime-nfs-storage - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/part-of: sonarr-anime -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: sonarr-anime/charts/sonarr-anime/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: sonarr-anime-config - labels: - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: sonarr-anime - helm.sh/chart: sonarr-anime-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: sonarr-anime -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "20Gi" - storageClassName: "ceph-block" ---- -# Source: sonarr-anime/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: sonarr-anime-nfs-storage - namespace: sonarr-anime - labels: - app.kubernetes.io/name: sonarr-anime-nfs-storage - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/part-of: sonarr-anime -spec: - volumeName: sonarr-anime-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: sonarr-anime/charts/sonarr-anime/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: sonarr-anime - labels: - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: sonarr-anime - app.kubernetes.io/service: sonarr-anime - helm.sh/chart: sonarr-anime-4.4.0 - namespace: sonarr-anime -spec: - type: ClusterIP - ports: - - 
port: 80 - targetPort: 8989 - protocol: TCP - name: http - - port: 9794 - targetPort: 9794 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/name: sonarr-anime ---- -# Source: sonarr-anime/charts/sonarr-anime/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sonarr-anime - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: sonarr-anime - helm.sh/chart: sonarr-anime-4.4.0 - namespace: sonarr-anime -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: sonarr-anime - app.kubernetes.io/instance: sonarr-anime - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/name: sonarr-anime - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: PUID - value: "1000" - - name: PGID - value: "1000" - image: ghcr.io/linuxserver/sonarr:4.0.16@sha256:60e5edcac39172294ad22d55d1b08c2c0a9fe658cad2f2c4d742ae017d7874de - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /config - name: config - - mountPath: /mnt/store - name: media - - args: - - sonarr - env: - - name: URL - value: http://localhost - - name: CONFIG - value: /config/config.xml - - name: PORT - value: "9794" - - name: ENABLE_ADDITIONAL_METRICS - value: "false" - - name: ENABLE_UNKNOWN_QUEUE_ITEMS - value: "false" - image: ghcr.io/onedr0p/exportarr:v2.3.0 - imagePullPolicy: 
IfNotPresent - name: metrics - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /config - name: config - readOnly: true - volumes: - - name: config - persistentVolumeClaim: - claimName: sonarr-anime-config - - name: media - persistentVolumeClaim: - claimName: sonarr-anime-nfs-storage ---- -# Source: sonarr-anime/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: sonarr4-anime-postgresql-17-cluster - namespace: sonarr-anime - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-anime-postgresql-17 - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/part-of: sonarr-anime - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "sonarr4-anime-postgresql-17-external-backup" - serverName: "sonarr4-anime-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "sonarr4-anime-postgresql-17-garage-local-backup" - serverName: "sonarr4-anime-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "sonarr4-anime-postgresql-17-recovery" - serverName: sonarr4-anime-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 512Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: 
false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: sonarr4-anime-postgresql-17-backup-1 - - externalClusters: - - name: sonarr4-anime-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "sonarr4-anime-postgresql-17-recovery" - serverName: sonarr4-anime-postgresql-17-backup-1 ---- -# Source: sonarr-anime/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: sonarr-anime-config-backup-secret - namespace: sonarr-anime - labels: - app.kubernetes.io/name: sonarr-anime-config-backup-secret - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/part-of: sonarr-anime -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/sonarr4-anime/sonarr4-anime-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - 
conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: sonarr-anime/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: sonarr-anime-postgresql-17-cluster-backup-secret - namespace: sonarr-anime - labels: - app.kubernetes.io/name: sonarr-anime-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/part-of: sonarr-anime -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: sonarr-anime/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: sonarr-anime-postgresql-17-cluster-backup-secret-garage - namespace: sonarr-anime - labels: - app.kubernetes.io/name: sonarr-anime-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/part-of: sonarr-anime -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: 
None - property: ACCESS_REGION ---- -# Source: sonarr-anime/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-sonarr-anime - namespace: sonarr-anime - labels: - app.kubernetes.io/name: http-route-sonarr-anime - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/part-of: sonarr-anime -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - sonarr-anime.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: sonarr-anime - port: 80 - weight: 100 ---- -# Source: sonarr-anime/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "sonarr4-anime-postgresql-17-external-backup" - namespace: sonarr-anime - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-anime-postgresql-17 - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/part-of: sonarr-anime - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/sonarr4-anime/sonarr4-anime-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: sonarr-anime-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: sonarr-anime-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: sonarr-anime/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "sonarr4-anime-postgresql-17-garage-local-backup" - namespace: sonarr-anime - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-anime-postgresql-17 - app.kubernetes.io/instance: sonarr-anime - 
app.kubernetes.io/part-of: sonarr-anime - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/sonarr-anime/sonarr4-anime-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: sonarr-anime-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: sonarr-anime-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: sonarr-anime-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: sonarr-anime/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "sonarr4-anime-postgresql-17-recovery" - namespace: sonarr-anime - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-anime-postgresql-17 - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/part-of: sonarr-anime - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/sonarr-anime/sonarr4-anime-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: sonarr-anime-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: sonarr-anime-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: sonarr-anime/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: sonarr4-anime-postgresql-17-alert-rules - namespace: sonarr-anime - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-anime-postgresql-17 - app.kubernetes.io/instance: sonarr-anime - 
app.kubernetes.io/part-of: sonarr-anime - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/sonarr4-anime-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: sonarr-anime - cnpg_cluster: sonarr4-anime-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: sonarr-anime - cnpg_cluster: sonarr4-anime-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="sonarr-anime"} - cnpg_pg_replication_is_wal_receiver_up{namespace="sonarr-anime"}) < 1 - for: 5m - labels: - severity: critical - namespace: sonarr-anime - cnpg_cluster: sonarr4-anime-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="sonarr-anime"} - cnpg_pg_replication_is_wal_receiver_up{namespace="sonarr-anime"}) < 2 - for: 5m - labels: - severity: warning - namespace: sonarr-anime - cnpg_cluster: sonarr4-anime-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "sonarr-anime/sonarr4-anime-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="sonarr-anime", pod=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="sonarr-anime", pod=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: sonarr-anime - cnpg_cluster: sonarr4-anime-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "sonarr-anime/sonarr4-anime-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="sonarr-anime", pod=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="sonarr-anime", pod=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: sonarr-anime - cnpg_cluster: sonarr4-anime-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "sonarr-anime/sonarr4-anime-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="sonarr-anime",pod=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: sonarr-anime - cnpg_cluster: sonarr4-anime-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "sonarr-anime/sonarr4-anime-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="sonarr-anime", pod=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: sonarr-anime - cnpg_cluster: sonarr4-anime-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: sonarr-anime - cnpg_cluster: sonarr4-anime-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "sonarr-anime/sonarr4-anime-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="sonarr-anime", persistentvolumeclaim=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="sonarr-anime", persistentvolumeclaim=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="sonarr-anime", persistentvolumeclaim=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="sonarr-anime", persistentvolumeclaim=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="sonarr-anime", persistentvolumeclaim=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="sonarr-anime", persistentvolumeclaim=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: sonarr-anime - cnpg_cluster: sonarr4-anime-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "sonarr-anime/sonarr4-anime-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="sonarr-anime", persistentvolumeclaim=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="sonarr-anime", persistentvolumeclaim=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="sonarr-anime", persistentvolumeclaim=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="sonarr-anime", persistentvolumeclaim=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="sonarr-anime", persistentvolumeclaim=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="sonarr-anime", persistentvolumeclaim=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: sonarr-anime - cnpg_cluster: sonarr4-anime-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "sonarr-anime/sonarr4-anime-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="sonarr-anime",pod=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: sonarr-anime - cnpg_cluster: sonarr4-anime-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: sonarr-anime - cnpg_cluster: sonarr4-anime-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: sonarr-anime - cnpg_cluster: sonarr4-anime-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: sonarr-anime - cnpg_cluster: sonarr4-anime-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "sonarr-anime/sonarr4-anime-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="sonarr-anime", pod=~"sonarr4-anime-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: sonarr-anime - cnpg_cluster: sonarr4-anime-postgresql-17-cluster ---- -# Source: sonarr-anime/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: sonarr-anime - namespace: sonarr-anime - labels: - app.kubernetes.io/name: sonarr-anime - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/part-of: sonarr-anime -spec: - groups: - - name: sonarr-anime - rules: - - alert: ExportarrAbsent - annotations: - description: Sonarr Anime Exportarr has disappeared from Prometheus - service discovery. - summary: Exportarr is down. - expr: | - absent(up{job=~".*sonarr-anime.*"} == 1) - for: 5m - labels: - severity: critical - - alert: SonarrAnimeDown - annotations: - description: Sonarr Anime service is down. - summary: Sonarr Anime is down. 
- expr: | - sonarr_anime_system_status{job=~".*sonarr-anime.*"} == 0 - for: 5m - labels: - severity: critical ---- -# Source: sonarr-anime/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: sonarr-anime-config-backup-source - namespace: sonarr-anime - labels: - app.kubernetes.io/name: sonarr-anime-config-backup-source - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/part-of: sonarr-anime -spec: - sourcePVC: sonarr-anime-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: sonarr-anime-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - moverSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: sonarr-anime/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "sonarr4-anime-postgresql-17-daily-backup-scheduled-backup" - namespace: sonarr-anime - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-anime-postgresql-17 - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/part-of: sonarr-anime - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: sonarr4-anime-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "sonarr4-anime-postgresql-17-external-backup" ---- -# Source: sonarr-anime/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "sonarr4-anime-postgresql-17-live-backup-scheduled-backup" - namespace: sonarr-anime - 
labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-anime-postgresql-17 - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/part-of: sonarr-anime - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: sonarr4-anime-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "sonarr4-anime-postgresql-17-garage-local-backup" ---- -# Source: sonarr-anime/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: sonarr-anime - namespace: sonarr-anime - labels: - app.kubernetes.io/name: sonarr-anime - app.kubernetes.io/instance: sonarr-anime - app.kubernetes.io/part-of: sonarr-anime -spec: - selector: - matchLabels: - app.kubernetes.io/name: sonarr-anime - app.kubernetes.io/instance: sonarr-anime - endpoints: - - port: metrics - interval: 3m - scrapeTimeout: 1m - path: /metrics
diff --git a/clusters/cl01tl/manifests/sonarr/sonarr.yaml b/clusters/cl01tl/manifests/sonarr/sonarr.yaml
deleted file mode 100644
index a2725e49c..000000000
--- a/clusters/cl01tl/manifests/sonarr/sonarr.yaml
+++ /dev/null
@@ -1,928 +0,0 @@
---- -# Source: sonarr/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: sonarr-nfs-storage - namespace: sonarr - labels: - app.kubernetes.io/name: sonarr-nfs-storage - app.kubernetes.io/instance: sonarr - app.kubernetes.io/part-of: sonarr -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: sonarr/charts/sonarr/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: sonarr-config - labels: - app.kubernetes.io/instance: sonarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: sonarr - helm.sh/chart: sonarr-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: sonarr -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "20Gi" - storageClassName: "ceph-block" ---- -# Source: sonarr/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: sonarr-nfs-storage - namespace: sonarr - labels: - app.kubernetes.io/name: sonarr-nfs-storage - app.kubernetes.io/instance: sonarr - app.kubernetes.io/part-of: sonarr -spec: - volumeName: sonarr-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: sonarr/charts/sonarr/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: sonarr - labels: - app.kubernetes.io/instance: sonarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: sonarr - app.kubernetes.io/service: sonarr - helm.sh/chart: sonarr-4.4.0 - namespace: sonarr -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8989 - protocol: TCP - name: http - - port: 9794 - targetPort: 9794 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: 
main - app.kubernetes.io/instance: sonarr - app.kubernetes.io/name: sonarr ---- -# Source: sonarr/charts/sonarr/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sonarr - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: sonarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: sonarr - helm.sh/chart: sonarr-4.4.0 - namespace: sonarr -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: sonarr - app.kubernetes.io/instance: sonarr - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: sonarr - app.kubernetes.io/name: sonarr - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - securityContext: - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: PUID - value: "1000" - - name: PGID - value: "1000" - image: ghcr.io/linuxserver/sonarr:4.0.16@sha256:60e5edcac39172294ad22d55d1b08c2c0a9fe658cad2f2c4d742ae017d7874de - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 100m - memory: 256Mi - volumeMounts: - - mountPath: /config - name: config - - mountPath: /mnt/store - name: media - - args: - - sonarr - env: - - name: URL - value: http://localhost - - name: CONFIG - value: /config/config.xml - - name: PORT - value: "9794" - - name: ENABLE_ADDITIONAL_METRICS - value: "false" - - name: ENABLE_UNKNOWN_QUEUE_ITEMS - value: "false" - image: ghcr.io/onedr0p/exportarr:v2.3.0 - imagePullPolicy: IfNotPresent - name: metrics - resources: - requests: - cpu: 10m - memory: 256Mi - volumeMounts: - - mountPath: /config - name: config - readOnly: true - volumes: - - name: config - persistentVolumeClaim: - claimName: sonarr-config - - name: media - 
persistentVolumeClaim: - claimName: sonarr-nfs-storage ---- -# Source: sonarr/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: sonarr4-postgresql-17-cluster - namespace: sonarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-postgresql-17 - app.kubernetes.io/instance: sonarr - app.kubernetes.io/part-of: sonarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "sonarr4-postgresql-17-external-backup" - serverName: "sonarr4-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "sonarr4-postgresql-17-garage-local-backup" - serverName: "sonarr4-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "sonarr4-postgresql-17-recovery" - serverName: sonarr4-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 200m - memory: 1Gi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: sonarr4-postgresql-17-backup-1 - - externalClusters: - - name: 
sonarr4-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "sonarr4-postgresql-17-recovery" - serverName: sonarr4-postgresql-17-backup-1 ---- -# Source: sonarr/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: sonarr-config-backup-secret - namespace: sonarr - labels: - app.kubernetes.io/name: sonarr-config-backup-secret - app.kubernetes.io/instance: sonarr - app.kubernetes.io/part-of: sonarr -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/sonarr4/sonarr4-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: sonarr/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: sonarr-postgresql-17-cluster-backup-secret - namespace: sonarr - labels: - app.kubernetes.io/name: sonarr-postgresql-17-cluster-backup-secret 
- app.kubernetes.io/instance: sonarr - app.kubernetes.io/part-of: sonarr -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: sonarr/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: sonarr-postgresql-17-cluster-backup-secret-garage - namespace: sonarr - labels: - app.kubernetes.io/name: sonarr-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: sonarr - app.kubernetes.io/part-of: sonarr -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: sonarr/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-sonarr - namespace: sonarr - labels: - app.kubernetes.io/name: http-route-sonarr - app.kubernetes.io/instance: sonarr - app.kubernetes.io/part-of: sonarr -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - sonarr.alexlebens.net - rules: - 
- matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: sonarr - port: 80 - weight: 100 ---- -# Source: sonarr/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "sonarr4-postgresql-17-external-backup" - namespace: sonarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-postgresql-17 - app.kubernetes.io/instance: sonarr - app.kubernetes.io/part-of: sonarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/sonarr4/sonarr4-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: sonarr-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: sonarr-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: sonarr/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "sonarr4-postgresql-17-garage-local-backup" - namespace: sonarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-postgresql-17 - app.kubernetes.io/instance: sonarr - app.kubernetes.io/part-of: sonarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/sonarr/sonarr4-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: sonarr-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: sonarr-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: sonarr-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: 
sonarr/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "sonarr4-postgresql-17-recovery" - namespace: sonarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-postgresql-17 - app.kubernetes.io/instance: sonarr - app.kubernetes.io/part-of: sonarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/sonarr/sonarr4-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: sonarr-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: sonarr-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: sonarr/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: sonarr4-postgresql-17-alert-rules - namespace: sonarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-postgresql-17 - app.kubernetes.io/instance: sonarr - app.kubernetes.io/part-of: sonarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/sonarr4-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: sonarr - cnpg_cluster: sonarr4-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. 
- description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: sonarr - cnpg_cluster: sonarr4-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="sonarr"} - cnpg_pg_replication_is_wal_receiver_up{namespace="sonarr"}) < 1 - for: 5m - labels: - severity: critical - namespace: sonarr - cnpg_cluster: sonarr4-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. 
The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="sonarr"} - cnpg_pg_replication_is_wal_receiver_up{namespace="sonarr"}) < 2 - for: 5m - labels: - severity: warning - namespace: sonarr - cnpg_cluster: sonarr4-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "sonarr/sonarr4-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="sonarr", pod=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="sonarr", pod=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: sonarr - cnpg_cluster: sonarr4-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "sonarr/sonarr4-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="sonarr", pod=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="sonarr", pod=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: sonarr - cnpg_cluster: sonarr4-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "sonarr/sonarr4-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="sonarr",pod=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: sonarr - cnpg_cluster: sonarr4-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "sonarr/sonarr4-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="sonarr", pod=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: sonarr - cnpg_cluster: sonarr4-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: sonarr - cnpg_cluster: sonarr4-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "sonarr/sonarr4-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="sonarr", persistentvolumeclaim=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="sonarr", persistentvolumeclaim=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="sonarr", persistentvolumeclaim=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="sonarr", persistentvolumeclaim=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="sonarr", persistentvolumeclaim=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="sonarr", persistentvolumeclaim=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: sonarr - cnpg_cluster: sonarr4-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "sonarr/sonarr4-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="sonarr", persistentvolumeclaim=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="sonarr", persistentvolumeclaim=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="sonarr", persistentvolumeclaim=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="sonarr", persistentvolumeclaim=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="sonarr", persistentvolumeclaim=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="sonarr", persistentvolumeclaim=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: sonarr - cnpg_cluster: sonarr4-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "sonarr/sonarr4-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="sonarr",pod=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: sonarr - cnpg_cluster: sonarr4-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: sonarr - cnpg_cluster: sonarr4-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: sonarr - cnpg_cluster: sonarr4-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: sonarr - cnpg_cluster: sonarr4-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "sonarr/sonarr4-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="sonarr", pod=~"sonarr4-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: sonarr - cnpg_cluster: sonarr4-postgresql-17-cluster ---- -# Source: sonarr/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: sonarr - namespace: sonarr - labels: - app.kubernetes.io/name: sonarr - app.kubernetes.io/instance: sonarr - app.kubernetes.io/part-of: sonarr -spec: - groups: - - name: sonarr - rules: - - alert: ExportarrAbsent - annotations: - description: Sonarr Exportarr has disappeared from Prometheus - service discovery. - summary: Exportarr is down. - expr: | - absent(up{job=~".*sonarr.*"} == 1) - for: 5m - labels: - severity: critical - - alert: SonarrDown - annotations: - description: Sonarr service is down. - summary: Sonarr is down. 
- expr: | - sonarr_system_status{job=~".*sonarr.*"} == 0 - for: 5m - labels: - severity: critical ---- -# Source: sonarr/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: sonarr-config-backup-source - namespace: sonarr - labels: - app.kubernetes.io/name: sonarr-config-backup-source - app.kubernetes.io/instance: sonarr - app.kubernetes.io/part-of: sonarr -spec: - sourcePVC: sonarr-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: sonarr-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - moverSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: sonarr/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "sonarr4-postgresql-17-daily-backup-scheduled-backup" - namespace: sonarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-postgresql-17 - app.kubernetes.io/instance: sonarr - app.kubernetes.io/part-of: sonarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: sonarr4-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "sonarr4-postgresql-17-external-backup" ---- -# Source: sonarr/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "sonarr4-postgresql-17-live-backup-scheduled-backup" - namespace: sonarr - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: sonarr4-postgresql-17 - 
app.kubernetes.io/instance: sonarr - app.kubernetes.io/part-of: sonarr - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: sonarr4-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "sonarr4-postgresql-17-garage-local-backup" ---- -# Source: sonarr/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: sonarr - namespace: sonarr - labels: - app.kubernetes.io/name: sonarr - app.kubernetes.io/instance: sonarr - app.kubernetes.io/part-of: sonarr -spec: - selector: - matchLabels: - app.kubernetes.io/name: sonarr - app.kubernetes.io/instance: sonarr - endpoints: - - port: metrics - interval: 3m - scrapeTimeout: 1m - path: /metrics diff --git a/clusters/cl01tl/manifests/speedtest-exporter/speedtest-exporter.yaml b/clusters/cl01tl/manifests/speedtest-exporter/speedtest-exporter.yaml deleted file mode 100644 index f1e7ac18a..000000000 --- a/clusters/cl01tl/manifests/speedtest-exporter/speedtest-exporter.yaml +++ /dev/null 
@@ -1,103 +0,0 @@ ---- -# Source: speedtest-exporter/charts/speedtest-exporter/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: speedtest-exporter - labels: - helm.sh/chart: speedtest-exporter-0.1.2 - app.kubernetes.io/name: speedtest-exporter - app.kubernetes.io/instance: speedtest-exporter - app.kubernetes.io/version: "v3.5.4" - app.kubernetes.io/managed-by: Helm ---- -# Source: speedtest-exporter/charts/speedtest-exporter/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: speedtest-exporter - labels: - helm.sh/chart: speedtest-exporter-0.1.2 - app.kubernetes.io/name: speedtest-exporter - app.kubernetes.io/instance: speedtest-exporter - app.kubernetes.io/version: "v3.5.4" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 9798 - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/name: speedtest-exporter - app.kubernetes.io/instance: speedtest-exporter ---- -# Source: speedtest-exporter/charts/speedtest-exporter/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: speedtest-exporter - labels: - helm.sh/chart: speedtest-exporter-0.1.2 - app.kubernetes.io/name: speedtest-exporter - app.kubernetes.io/instance: speedtest-exporter - app.kubernetes.io/version: "v3.5.4" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: speedtest-exporter - app.kubernetes.io/instance: speedtest-exporter - template: - metadata: - labels: - app.kubernetes.io/name: speedtest-exporter - app.kubernetes.io/instance: speedtest-exporter - spec: - serviceAccountName: speedtest-exporter - securityContext: - {} - containers: - - name: speedtest-exporter - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - image: "ghcr.io/miguelndecarvalho/speedtest-exporter:v3.5.4" - imagePullPolicy: IfNotPresent - ports: - - name: http - 
containerPort: 9798 - protocol: TCP - resources: - {} ---- -# Source: speedtest-exporter/charts/speedtest-exporter/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: speedtest-exporter - namespace: speedtest-exporter - labels: - helm.sh/chart: speedtest-exporter-0.1.2 - app.kubernetes.io/name: speedtest-exporter - app.kubernetes.io/instance: speedtest-exporter - app.kubernetes.io/version: "v3.5.4" - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - app.kubernetes.io/name: speedtest-exporter - app.kubernetes.io/instance: speedtest-exporter - endpoints: - - port: http - interval: 180m - scrapeTimeout: 2m - namespaceSelector: - matchNames: - - speedtest-exporter diff --git a/clusters/cl01tl/manifests/stack/stack.yaml b/clusters/cl01tl/manifests/stack/stack.yaml deleted file mode 100644 index c904c88cd..000000000 --- a/clusters/cl01tl/manifests/stack/stack.yaml +++ /dev/null 
@@ -1,284 +0,0 @@ ---- -# Source: stack/templates/application.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: stack-cl01tl - namespace: argocd - labels: - app.kubernetes.io/name: stack-cl01tl - app.kubernetes.io/instance: argocd - app.kubernetes.io/part-of: argocd - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: default - source: - repoURL: http://gitea-http.gitea:3000/alexlebens/infrastructure - targetRevision: manifests - path: clusters/cl01tl/manifests/stack - destination: - name: in-cluster - namespace: argocd - revisionHistoryLimit: 3 - syncPolicy: - automated: - prune: true - selfHeal: false - retry: - limit: 3 - backoff: - duration: 1m - factor: 2 - maxDuration: 15m - syncOptions: - - CreateNamespace=false - - ApplyOutOfSyncOnly=true - - ServerSideApply=true - - PruneLast=true - - RespectIgnoreDifferences=true ---- -# Source: stack/templates/application.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: cilium - namespace: argocd - labels: - app.kubernetes.io/name: cilium - app.kubernetes.io/instance: argocd - app.kubernetes.io/part-of: argocd - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: default - source: - repoURL: http://gitea-http.gitea:3000/alexlebens/infrastructure - targetRevision: manifests - path: clusters/cl01tl/manifests/cilium - destination: - name: in-cluster - namespace: kube-system - revisionHistoryLimit: 3 - ignoreDifferences: - - group: monitoring.coreos.com - kind: ServiceMonitor - jqPathExpressions: - - .spec.endpoints[]?.relabelings[]?.action - syncPolicy: - automated: - prune: true - selfHeal: false - retry: - limit: 3 - backoff: - duration: 1m - factor: 2 - maxDuration: 15m - syncOptions: - - CreateNamespace=false - - ApplyOutOfSyncOnly=true - - ServerSideApply=true - - PruneLast=true - - RespectIgnoreDifferences=true ---- -# Source: stack/templates/application.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: 
- name: coredns - namespace: argocd - labels: - app.kubernetes.io/name: coredns - app.kubernetes.io/instance: argocd - app.kubernetes.io/part-of: argocd - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: default - source: - repoURL: http://gitea-http.gitea:3000/alexlebens/infrastructure - targetRevision: manifests - path: clusters/cl01tl/manifests/coredns - destination: - name: in-cluster - namespace: kube-system - revisionHistoryLimit: 3 - syncPolicy: - automated: - prune: true - selfHeal: true - retry: - limit: 3 - backoff: - duration: 1m - factor: 2 - maxDuration: 15m - syncOptions: - - CreateNamespace=false - - ApplyOutOfSyncOnly=true - - ServerSideApply=true - - PruneLast=true ---- -# Source: stack/templates/application.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: metrics-server - namespace: argocd - labels: - app.kubernetes.io/name: metrics-server - app.kubernetes.io/instance: argocd - app.kubernetes.io/part-of: argocd - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: default - source: - repoURL: http://gitea-http.gitea:3000/alexlebens/infrastructure - targetRevision: manifests - path: clusters/cl01tl/manifests/metrics-server - destination: - name: in-cluster - namespace: kube-system - revisionHistoryLimit: 3 - syncPolicy: - automated: - prune: true - selfHeal: true - retry: - limit: 3 - backoff: - duration: 1m - factor: 2 - maxDuration: 15m - syncOptions: - - CreateNamespace=false - - ApplyOutOfSyncOnly=true - - ServerSideApply=true - - PruneLast=true ---- -# Source: stack/templates/application.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: prometheus-operator-crds - namespace: argocd - labels: - app.kubernetes.io/name: prometheus-operator-crds - app.kubernetes.io/instance: argocd - app.kubernetes.io/part-of: argocd - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: default - source: - repoURL: 
http://gitea-http.gitea:3000/alexlebens/infrastructure - targetRevision: manifests - path: clusters/cl01tl/manifests/prometheus-operator-crds - destination: - name: in-cluster - namespace: kube-system - revisionHistoryLimit: 3 - syncPolicy: - automated: - prune: true - selfHeal: false - retry: - limit: 3 - backoff: - duration: 1m - factor: 2 - maxDuration: 15m - syncOptions: - - CreateNamespace=false - - ApplyOutOfSyncOnly=true - - ServerSideApply=true - - PruneLast=true ---- -# Source: stack/templates/application-set.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ApplicationSet -metadata: - name: application-set-cl01tl - namespace: argocd - labels: - app.kubernetes.io/name: application-set-cl01tl - app.kubernetes.io/instance: argocd - app.kubernetes.io/part-of: argocd -spec: - syncPolicy: - applicationsSync: create-update - preserveResourcesOnDeletion: false - generators: - - git: - repoURL: http://gitea-http.gitea:3000/alexlebens/infrastructure - revision: manifests - directories: - - path: clusters/cl01tl/manifests/* - - path: clusters/cl01tl/manifests/stack - exclude: true - - path: clusters/cl01tl/manifests/cilium - exclude: true - - path: clusters/cl01tl/manifests/coredns - exclude: true - - path: clusters/cl01tl/manifests/metrics-server - exclude: true - - path: clusters/cl01tl/manifests/prometheus-operator-crds - exclude: true - template: - metadata: - name: '{{path.basename}}' - spec: - project: default - source: - repoURL: http://gitea-http.gitea:3000/alexlebens/infrastructure - targetRevision: manifests - path: '{{path}}' - destination: - name: in-cluster - namespace: '{{path.basename}}' - revisionHistoryLimit: 3 - ignoreDifferences: - - group: "" - kind: Service - jqPathExpressions: - - .spec.externalName - - group: "apps" - kind: "Deployment" - jsonPointers: - - /spec/template/metadata/annotations/checksum~1secret - - /spec/template/metadata/annotations/checksum~1secret-core - - /spec/template/metadata/annotations/checksum~1secret-jobservice - - 
/spec/template/metadata/annotations/checksum~1tls - - group: "apps" - kind: "StatefulSet" - jsonPointers: - - /spec/template/metadata/annotations/checksum~1secret - - /spec/template/metadata/annotations/checksum~1tls - - group: "apps" - kind: StatefulSet - jqPathExpressions: - - .spec.volumeClaimTemplates[]?.apiVersion - - .spec.volumeClaimTemplates[]?.kind - - .spec.volumeClaimTemplates[]?.metadata.creationTimestamp - - group: "" - kind: GpuDevicePlugin - jqPathExpressions: - - .metadata.annotations[] - syncPolicy: - automated: - prune: true - selfHeal: false - retry: - limit: 3 - backoff: - duration: 1m - factor: 2 - maxDuration: 15m - syncOptions: - - CreateNamespace=true - - ApplyOutOfSyncOnly=true - - ServerSideApply=true - - PruneLast=true - - RespectIgnoreDifferences=true diff --git a/clusters/cl01tl/manifests/stalwart/stalwart.yaml b/clusters/cl01tl/manifests/stalwart/stalwart.yaml deleted file mode 100644 index c5d8d3716..000000000 --- a/clusters/cl01tl/manifests/stalwart/stalwart.yaml +++ /dev/null 
@@ -1,937 +0,0 @@ ---- -# Source: stalwart/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: stalwart - labels: - app.kubernetes.io/name: stalwart - app.kubernetes.io/instance: stalwart - app.kubernetes.io/part-of: stalwart - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged ---- -# Source: stalwart/charts/stalwart/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: stalwart-config - labels: - app.kubernetes.io/instance: stalwart - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: stalwart - helm.sh/chart: stalwart-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: stalwart -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "10Gi" - storageClassName: "ceph-block" ---- -# Source: stalwart/charts/stalwart/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: stalwart - labels: - app.kubernetes.io/instance: stalwart - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: stalwart - app.kubernetes.io/service: stalwart - helm.sh/chart: stalwart-4.4.0 - namespace: stalwart -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8080 - protocol: TCP - name: http - - port: 143 - targetPort: 143 - protocol: TCP - name: imap - - port: 993 - targetPort: 993 - protocol: TCP - name: imaps - - port: 25 - targetPort: 25 - protocol: TCP - name: smtp - - port: 465 - targetPort: 465 - protocol: TCP - name: smtps - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: stalwart - app.kubernetes.io/name: stalwart ---- -# Source: stalwart/charts/stalwart/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: stalwart - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: stalwart - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: stalwart - helm.sh/chart: stalwart-4.4.0 - 
namespace: stalwart -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: stalwart - app.kubernetes.io/instance: stalwart - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: stalwart - app.kubernetes.io/name: stalwart - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - image: stalwartlabs/stalwart:v0.14.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /opt/stalwart - name: config - volumes: - - name: config - persistentVolumeClaim: - claimName: stalwart-config ---- -# Source: stalwart/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: stalwart-postgresql-17-cluster - namespace: stalwart - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: stalwart-postgresql-17 - app.kubernetes.io/instance: stalwart - app.kubernetes.io/part-of: stalwart - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "stalwart-postgresql-17-external-backup" - serverName: "stalwart-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "stalwart-postgresql-17-garage-local-backup" - serverName: "stalwart-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - 
barmanObjectName: "stalwart-postgresql-17-recovery" - serverName: stalwart-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 200m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: stalwart-postgresql-17-backup-1 - - externalClusters: - - name: stalwart-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "stalwart-postgresql-17-recovery" - serverName: stalwart-postgresql-17-backup-1 ---- -# Source: stalwart/templates/elasticsearch.yaml -apiVersion: elasticsearch.k8s.elastic.co/v1 -kind: Elasticsearch -metadata: - name: elasticsearch-stalwart - namespace: stalwart - labels: - app.kubernetes.io/name: elasticsearch-stalwart - app.kubernetes.io/instance: stalwart - app.kubernetes.io/part-of: stalwart -spec: - version: 8.18.0 - auth: - fileRealm: - - secretName: stalwart-elasticsearch-secret - nodeSets: - - name: default - count: 1 - config: - node.store.allow_mmap: false - volumeClaimTemplates: - - metadata: - name: elasticsearch-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - storageClassName: ceph-block ---- -# Source: stalwart/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: stalwart-elasticsearch-secret - namespace: stalwart - labels: - app.kubernetes.io/name: stalwart-elasticsearch-secret - 
app.kubernetes.io/instance: stalwart - app.kubernetes.io/part-of: stalwart -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: username - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/stalwart/elasticsearch - metadataPolicy: None - property: username - - secretKey: password - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/stalwart/elasticsearch - metadataPolicy: None - property: password - - secretKey: roles - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/stalwart/elasticsearch - metadataPolicy: None - property: roles ---- -# Source: stalwart/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: stalwart-config-backup-secret - namespace: stalwart - labels: - app.kubernetes.io/name: stalwart-config-backup-secret - app.kubernetes.io/instance: stalwart - app.kubernetes.io/version: v0.11.8 - app.kubernetes.io/component: backup - app.kubernetes.io/part-of: stalwart -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/stalwart/stalwart-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: 
/digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: stalwart/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: stalwart-postgresql-17-cluster-backup-secret - namespace: stalwart - labels: - app.kubernetes.io/name: stalwart-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: stalwart - app.kubernetes.io/version: v0.11.8 - app.kubernetes.io/component: database - app.kubernetes.io/part-of: stalwart -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: stalwart/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: stalwart-postgresql-17-cluster-backup-secret-garage - namespace: stalwart - labels: - app.kubernetes.io/name: stalwart-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: stalwart - app.kubernetes.io/part-of: stalwart -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: 
ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: stalwart/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-stalwart - namespace: stalwart - labels: - app.kubernetes.io/name: http-route-stalwart - app.kubernetes.io/instance: stalwart - app.kubernetes.io/part-of: stalwart -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - stalwart.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: stalwart - port: 80 - weight: 100 ---- -# Source: stalwart/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "stalwart-postgresql-17-external-backup" - namespace: stalwart - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: stalwart-postgresql-17 - app.kubernetes.io/instance: stalwart - app.kubernetes.io/part-of: stalwart - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/stalwart/stalwart-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: stalwart-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: stalwart-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: stalwart/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "stalwart-postgresql-17-garage-local-backup" - namespace: stalwart - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - 
app.kubernetes.io/name: stalwart-postgresql-17 - app.kubernetes.io/instance: stalwart - app.kubernetes.io/part-of: stalwart - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/stalwart/stalwart-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: stalwart-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: stalwart-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: stalwart-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: stalwart/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "stalwart-postgresql-17-recovery" - namespace: stalwart - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: stalwart-postgresql-17 - app.kubernetes.io/instance: stalwart - app.kubernetes.io/part-of: stalwart - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/stalwart/stalwart-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: stalwart-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: stalwart-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: stalwart/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: stalwart-postgresql-17-alert-rules - namespace: stalwart - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: stalwart-postgresql-17 - app.kubernetes.io/instance: stalwart - 
app.kubernetes.io/part-of: stalwart - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/stalwart-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. - description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: stalwart - cnpg_cluster: stalwart-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: stalwart - cnpg_cluster: stalwart-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="stalwart"} - cnpg_pg_replication_is_wal_receiver_up{namespace="stalwart"}) < 1 - for: 5m - labels: - severity: critical - namespace: stalwart - cnpg_cluster: stalwart-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="stalwart"} - cnpg_pg_replication_is_wal_receiver_up{namespace="stalwart"}) < 2 - for: 5m - labels: - severity: warning - namespace: stalwart - cnpg_cluster: stalwart-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "stalwart/stalwart-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="stalwart", pod=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="stalwart", pod=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: stalwart - cnpg_cluster: stalwart-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "stalwart/stalwart-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="stalwart", pod=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="stalwart", pod=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: stalwart - cnpg_cluster: stalwart-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "stalwart/stalwart-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="stalwart",pod=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: stalwart - cnpg_cluster: stalwart-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "stalwart/stalwart-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="stalwart", pod=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: stalwart - cnpg_cluster: stalwart-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: stalwart - cnpg_cluster: stalwart-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "stalwart/stalwart-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="stalwart", persistentvolumeclaim=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="stalwart", persistentvolumeclaim=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="stalwart", persistentvolumeclaim=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="stalwart", persistentvolumeclaim=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="stalwart", persistentvolumeclaim=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="stalwart", persistentvolumeclaim=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: stalwart - cnpg_cluster: stalwart-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "stalwart/stalwart-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="stalwart", persistentvolumeclaim=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="stalwart", persistentvolumeclaim=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="stalwart", persistentvolumeclaim=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="stalwart", persistentvolumeclaim=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="stalwart", persistentvolumeclaim=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="stalwart", persistentvolumeclaim=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: stalwart - cnpg_cluster: stalwart-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "stalwart/stalwart-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="stalwart",pod=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: stalwart - cnpg_cluster: stalwart-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: stalwart - cnpg_cluster: stalwart-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: stalwart - cnpg_cluster: stalwart-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: stalwart - cnpg_cluster: stalwart-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "stalwart/stalwart-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="stalwart", pod=~"stalwart-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: stalwart - cnpg_cluster: stalwart-postgresql-17-cluster ---- -# Source: stalwart/templates/redis-replication.yaml -apiVersion: redis.redis.opstreelabs.in/v1beta2 -kind: RedisReplication -metadata: - name: redis-replication-stalwart - namespace: stalwart - labels: - app.kubernetes.io/name: redis-replication-stalwart - app.kubernetes.io/instance: stalwart - app.kubernetes.io/part-of: stalwart -spec: - clusterSize: 3 - podSecurityContext: - runAsUser: 1000 - fsGroup: 1000 - kubernetesConfig: - image: quay.io/opstree/redis:v8.0.3 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 128Mi - storage: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi - redisExporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.48.0 ---- -# Source: stalwart/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: stalwart-config-backup-source - namespace: stalwart - labels: - app.kubernetes.io/name: stalwart-config-backup-source - app.kubernetes.io/instance: stalwart - app.kubernetes.io/part-of: stalwart -spec: - sourcePVC: stalwart-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: stalwart-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: 
stalwart/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "stalwart-postgresql-17-daily-backup-scheduled-backup" - namespace: stalwart - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: stalwart-postgresql-17 - app.kubernetes.io/instance: stalwart - app.kubernetes.io/part-of: stalwart - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: stalwart-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "stalwart-postgresql-17-external-backup" ---- -# Source: stalwart/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "stalwart-postgresql-17-live-backup-scheduled-backup" - namespace: stalwart - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: stalwart-postgresql-17 - app.kubernetes.io/instance: stalwart - app.kubernetes.io/part-of: stalwart - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: stalwart-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "stalwart-postgresql-17-garage-local-backup" ---- -# Source: stalwart/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: redis-replication-stalwart - namespace: stalwart - labels: - app.kubernetes.io/name: redis-replication-stalwart - app.kubernetes.io/instance: stalwart - app.kubernetes.io/part-of: stalwart - redis-operator: "true" - env: production -spec: - selector: - matchLabels: - redis_setup_type: 
replication - endpoints: - - port: redis-exporter - interval: 30s - scrapeTimeout: 10s
diff --git a/clusters/cl01tl/manifests/tailscale-operator/tailscale-operator.yaml b/clusters/cl01tl/manifests/tailscale-operator/tailscale-operator.yaml
deleted file mode 100644
index d81951218..000000000
--- a/clusters/cl01tl/manifests/tailscale-operator/tailscale-operator.yaml
+++ /dev/null
@@ -1,5414 +0,0 @@ ---- -# Source: tailscale-operator/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: tailscale-operator - labels: - app.kubernetes.io/name: tailscale-operator - app.kubernetes.io/instance: tailscale-operator - app.kubernetes.io/part-of: tailscale-operator - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged ---- -# Source: tailscale-operator/charts/tailscale-operator/templates/operator-rbac.yaml -# Copyright (c) Tailscale Inc & AUTHORS -# SPDX-License-Identifier: BSD-3-Clause - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: operator - namespace: tailscale-operator ---- -# Source: tailscale-operator/charts/tailscale-operator/templates/proxy-rbac.yaml -# Copyright (c) Tailscale Inc & AUTHORS -# SPDX-License-Identifier: BSD-3-Clause - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: proxies - namespace: tailscale-operator ---- -# Source: tailscale-operator/charts/tailscale-operator/templates/connector.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.0 - name: connectors.tailscale.com -spec: - group: tailscale.com - names: - kind: Connector - listKind: ConnectorList - plural: connectors - shortNames: - - cn - singular: connector - scope: Cluster - versions: - - additionalPrinterColumns: - - description: CIDR ranges exposed to tailnet by a subnet router defined via this Connector instance. - jsonPath: .status.subnetRoutes - name: SubnetRoutes - type: string - - description: Whether this Connector instance defines an exit node. - jsonPath: .status.isExitNode - name: IsExitNode - type: string - - description: Whether this Connector instance is an app connector. - jsonPath: .status.isAppConnector - name: IsAppConnector - type: string - - description: Status of the deployed Connector resources. 
- jsonPath: .status.conditions[?(@.type == "ConnectorReady")].reason - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Connector defines a Tailscale node that will be deployed in the cluster. The - node can be configured to act as a Tailscale subnet router and/or a Tailscale - exit node. - Connector is a cluster-scoped resource. - More info: - https://tailscale.com/kb/1441/kubernetes-operator-connector - type: object - required: - - spec - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - ConnectorSpec describes the desired Tailscale component. - More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - type: object - properties: - appConnector: - description: |- - AppConnector defines whether the Connector device should act as a Tailscale app connector. A Connector that is - configured as an app connector cannot be a subnet router or an exit node. If this field is unset, the - Connector does not act as an app connector. - Note that you will need to manually configure the permissions and the domains for the app connector via the - Admin panel. 
- Note also that the main tested and supported use case of this config option is to deploy an app connector on - Kubernetes to access SaaS applications available on the public internet. Using the app connector to expose - cluster workloads or other internal workloads to tailnet might work, but this is not a use case that we have - tested or optimised for. - If you are using the app connector to access SaaS applications because you need a predictable egress IP that - can be whitelisted, it is also your responsibility to ensure that cluster traffic from the connector flows - via that predictable IP, for example by enforcing that cluster egress traffic is routed via an egress NAT - device with a static IP address. - https://tailscale.com/kb/1281/app-connectors - type: object - properties: - routes: - description: |- - Routes are optional preconfigured routes for the domains routed via the app connector. - If not set, routes for the domains will be discovered dynamically. - If set, the app connector will immediately be able to route traffic using the preconfigured routes, but may - also dynamically discover other routes. - https://tailscale.com/kb/1332/apps-best-practices#preconfiguration - type: array - minItems: 1 - items: - type: string - format: cidr - exitNode: - description: |- - ExitNode defines whether the Connector device should act as a Tailscale exit node. Defaults to false. - This field is mutually exclusive with the appConnector field. - https://tailscale.com/kb/1103/exit-nodes - type: boolean - hostname: - description: |- - Hostname is the tailnet hostname that should be assigned to the - Connector node. If unset, hostname defaults to -connector. Hostname can contain lower case letters, numbers and - dashes, it must not start or end with a dash and must be between 2 - and 63 characters long. This field should only be used when creating a connector - with an unspecified number of replicas, or a single replica. 
- type: string - pattern: ^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$ - hostnamePrefix: - description: |- - HostnamePrefix specifies the hostname prefix for each - replica. Each device will have the integer number - from its StatefulSet pod appended to this prefix to form the full hostname. - HostnamePrefix can contain lower case letters, numbers and dashes, it - must not start with a dash and must be between 1 and 62 characters long. - type: string - pattern: ^[a-z0-9][a-z0-9-]{0,61}$ - proxyClass: - description: |- - ProxyClass is the name of the ProxyClass custom resource that - contains configuration options that should be applied to the - resources created for this Connector. If unset, the operator will - create resources with the default configuration. - type: string - replicas: - description: |- - Replicas specifies how many devices to create. Set this to enable - high availability for app connectors, subnet routers, or exit nodes. - https://tailscale.com/kb/1115/high-availability. Defaults to 1. - type: integer - format: int32 - minimum: 0 - subnetRouter: - description: |- - SubnetRouter defines subnet routes that the Connector device should - expose to tailnet as a Tailscale subnet router. - https://tailscale.com/kb/1019/subnets/ - If this field is unset, the device does not get configured as a Tailscale subnet router. - This field is mutually exclusive with the appConnector field. - type: object - required: - - advertiseRoutes - properties: - advertiseRoutes: - description: |- - AdvertiseRoutes refer to CIDRs that the subnet router should make - available. Route values must be strings that represent a valid IPv4 - or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes. - https://tailscale.com/kb/1201/4via6-subnets/ - type: array - minItems: 1 - items: - type: string - format: cidr - tags: - description: |- - Tags that the Tailscale node will be tagged with. - Defaults to [tag:k8s]. 
- To autoapprove the subnet routes or exit node defined by a Connector, - you can configure Tailscale ACLs to give these tags the necessary - permissions. - See https://tailscale.com/kb/1337/acl-syntax#autoapprovers. - If you specify custom tags here, you must also make the operator an owner of these tags. - See https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator. - Tags cannot be changed once a Connector node has been created. - Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$. - type: array - items: - type: string - pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$ - x-kubernetes-validations: - - rule: has(self.subnetRouter) || (has(self.exitNode) && self.exitNode == true) || has(self.appConnector) - message: A Connector needs to have at least one of exit node, subnet router or app connector configured. - - rule: '!((has(self.subnetRouter) || (has(self.exitNode) && self.exitNode == true)) && has(self.appConnector))' - message: The appConnector field is mutually exclusive with exitNode and subnetRouter fields. - - rule: '!(has(self.hostname) && has(self.replicas) && self.replicas > 1)' - message: The hostname field cannot be specified when replicas is greater than 1. - - rule: '!(has(self.hostname) && has(self.hostnamePrefix))' - message: The hostname and hostnamePrefix fields are mutually exclusive. - status: - description: |- - ConnectorStatus describes the status of the Connector. This is set - and managed by the Tailscale operator. - type: object - properties: - conditions: - description: |- - List of status conditions to indicate the status of the Connector. - Known condition types are `ConnectorReady`. - type: array - items: - description: Condition contains details for one aspect of the current state of this API Resource. 
- type: object - required: - - lastTransitionTime - - message - - reason - - status - - type - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - type: string - format: date-time - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - type: string - maxLength: 32768 - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - type: integer - format: int64 - minimum: 0 - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - type: string - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - status: - description: status of the condition, one of True, False, Unknown. - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - type: string - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - devices: - description: Devices contains information on each device managed by the Connector resource. 
- type: array - items: - type: object - properties: - hostname: - description: |- - Hostname is the fully qualified domain name of the Connector replica. - If MagicDNS is enabled in your tailnet, it is the MagicDNS name of the - node. - type: string - tailnetIPs: - description: |- - TailnetIPs is the set of tailnet IP addresses (both IPv4 and IPv6) - assigned to the Connector replica. - type: array - items: - type: string - hostname: - description: |- - Hostname is the fully qualified domain name of the Connector node. - If MagicDNS is enabled in your tailnet, it is the MagicDNS name of the - node. When using multiple replicas, this field will be populated with the - first replica's hostname. Use the Hostnames field for the full list - of hostnames. - type: string - isAppConnector: - description: IsAppConnector is set to true if the Connector acts as an app connector. - type: boolean - isExitNode: - description: IsExitNode is set to true if the Connector acts as an exit node. - type: boolean - subnetRoutes: - description: |- - SubnetRoutes are the routes currently exposed to tailnet via this - Connector instance. - type: string - tailnetIPs: - description: |- - TailnetIPs is the set of tailnet IP addresses (both IPv4 and IPv6) - assigned to the Connector node. 
- type: array - items: - type: string - served: true - storage: true - subresources: - status: {} ---- -# Source: tailscale-operator/charts/tailscale-operator/templates/dnsconfig.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.0 - name: dnsconfigs.tailscale.com -spec: - group: tailscale.com - names: - kind: DNSConfig - listKind: DNSConfigList - plural: dnsconfigs - shortNames: - - dc - singular: dnsconfig - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Service IP address of the nameserver - jsonPath: .status.nameserver.ip - name: NameserverIP - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - DNSConfig can be deployed to cluster to make a subset of Tailscale MagicDNS - names resolvable by cluster workloads. Use this if: A) you need to refer to - tailnet services, exposed to cluster via Tailscale Kubernetes operator egress - proxies by the MagicDNS names of those tailnet services (usually because the - services run over HTTPS) - B) you have exposed a cluster workload to the tailnet using Tailscale Ingress - and you also want to refer to the workload from within the cluster over the - Ingress's MagicDNS name (usually because you have some callback component - that needs to use the same URL as that used by a non-cluster client on - tailnet). - When a DNSConfig is applied to a cluster, Tailscale Kubernetes operator will - deploy a nameserver for ts.net DNS names and automatically populate it with records - for any Tailscale egress or Ingress proxies deployed to that cluster. - Currently you must manually update your cluster DNS configuration to add the - IP address of the deployed nameserver as a ts.net stub nameserver. 
- Instructions for how to do it: - https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configuration-of-stub-domain-and-upstream-nameserver-using-coredns (for CoreDNS), - https://cloud.google.com/kubernetes-engine/docs/how-to/kube-dns (for kube-dns). - Tailscale Kubernetes operator will write the address of a Service fronting - the nameserver to dsnconfig.status.nameserver.ip. - DNSConfig is a singleton - you must not create more than one. - NB: if you want cluster workloads to be able to refer to Tailscale Ingress - using its MagicDNS name, you must also annotate the Ingress resource with - tailscale.com/experimental-forward-cluster-traffic-via-ingress annotation to - ensure that the proxy created for the Ingress listens on its Pod IP address. - type: object - required: - - spec - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Spec describes the desired DNS configuration. - More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - type: object - required: - - nameserver - properties: - nameserver: - description: |- - Configuration for a nameserver that can resolve ts.net DNS names - associated with in-cluster proxies for Tailscale egress Services and - Tailscale Ingresses. 
The operator will always deploy this nameserver - when a DNSConfig is applied. - type: object - properties: - image: - description: Nameserver image. Defaults to tailscale/k8s-nameserver:unstable. - type: object - properties: - repo: - description: Repo defaults to tailscale/k8s-nameserver. - type: string - tag: - description: Tag defaults to unstable. - type: string - pod: - description: Pod configuration. - type: object - properties: - tolerations: - description: If specified, applies tolerations to the pods deployed by the DNSConfig resource. - type: array - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - type: object - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: |- - Value is the taint value the toleration matches to. 
- If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - replicas: - description: Replicas specifies how many Pods to create. Defaults to 1. - type: integer - format: int32 - minimum: 0 - service: - description: Service configuration. - type: object - properties: - clusterIP: - description: ClusterIP sets the static IP of the service used by the nameserver. - type: string - status: - description: |- - Status describes the status of the DNSConfig. This is set - and managed by the Tailscale operator. - type: object - properties: - conditions: - type: array - items: - description: Condition contains details for one aspect of the current state of this API Resource. - type: object - required: - - lastTransitionTime - - message - - reason - - status - - type - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - type: string - format: date-time - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - type: string - maxLength: 32768 - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - type: integer - format: int64 - minimum: 0 - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. 
- The value should be a CamelCase string. - This field may not be empty. - type: string - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - status: - description: status of the condition, one of True, False, Unknown. - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - type: string - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - nameserver: - description: Nameserver describes the status of nameserver cluster resources. - type: object - properties: - ip: - description: |- - IP is the ClusterIP of the Service fronting the deployed ts.net nameserver. - Currently, you must manually update your cluster DNS config to add - this address as a stub nameserver for ts.net for cluster workloads to be - able to resolve MagicDNS names associated with egress or Ingress - proxies. - The IP address will change if you delete and recreate the DNSConfig. - type: string - served: true - storage: true - subresources: - status: {} ---- -# Source: tailscale-operator/charts/tailscale-operator/templates/proxyclass.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.0 - name: proxyclasses.tailscale.com -spec: - group: tailscale.com - names: - kind: ProxyClass - listKind: ProxyClassList - plural: proxyclasses - singular: proxyclass - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Status of the ProxyClass. 
- jsonPath: .status.conditions[?(@.type == "ProxyClassReady")].reason - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ProxyClass describes a set of configuration parameters that can be applied to - proxy resources created by the Tailscale Kubernetes operator. - To apply a given ProxyClass to resources created for a tailscale Ingress or - Service, use tailscale.com/proxy-class= label. To apply a - given ProxyClass to resources created for a Connector, use - connector.spec.proxyClass field. - ProxyClass is a cluster scoped resource. - More info: - https://tailscale.com/kb/1445/kubernetes-operator-customization#cluster-resource-customization-using-proxyclass-custom-resource - type: object - required: - - spec - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Specification of the desired state of the ProxyClass resource. - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - type: object - properties: - metrics: - description: |- - Configuration for proxy metrics. 
Metrics are currently not supported - for egress proxies and for Ingress proxies that have been configured - with tailscale.com/experimental-forward-cluster-traffic-via-ingress - annotation. Note that the metrics are currently considered unstable - and will likely change in breaking ways in the future - we only - recommend that you use those for debugging purposes. - type: object - required: - - enable - properties: - enable: - description: |- - Setting enable to true will make the proxy serve Tailscale metrics - at :9002/metrics. - A metrics Service named -metrics will also be created in the operator's namespace and will - serve the metrics at :9002/metrics. - - In 1.78.x and 1.80.x, this field also serves as the default value for - .spec.statefulSet.pod.tailscaleContainer.debug.enable. From 1.82.0, both - fields will independently default to false. - - Defaults to false. - type: boolean - serviceMonitor: - description: |- - Enable to create a Prometheus ServiceMonitor for scraping the proxy's Tailscale metrics. - The ServiceMonitor will select the metrics Service that gets created when metrics are enabled. - The ingested metrics for each Service monitor will have labels to identify the proxy: - ts_proxy_type: ingress_service|ingress_resource|connector|proxygroup - ts_proxy_parent_name: name of the parent resource (i.e name of the Connector, Tailscale Ingress, Tailscale Service or ProxyGroup) - ts_proxy_parent_namespace: namespace of the parent resource (if the parent resource is not cluster scoped) - job: ts__[]_ - type: object - required: - - enable - properties: - enable: - description: If Enable is set to true, a Prometheus ServiceMonitor will be created. Enable can only be set to true if metrics are enabled. - type: boolean - labels: - description: |- - Labels to add to the ServiceMonitor. - Labels must be valid Kubernetes labels. 
- https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set - type: object - additionalProperties: - type: string - maxLength: 63 - pattern: ^(([a-zA-Z0-9][-._a-zA-Z0-9]*)?[a-zA-Z0-9])?$ - x-kubernetes-validations: - - rule: '!(has(self.serviceMonitor) && self.serviceMonitor.enable && !self.enable)' - message: ServiceMonitor can only be enabled if metrics are enabled - statefulSet: - description: |- - Configuration parameters for the proxy's StatefulSet. Tailscale - Kubernetes operator deploys a StatefulSet for each of the user - configured proxies (Tailscale Ingress, Tailscale Service, Connector). - type: object - properties: - annotations: - description: |- - Annotations that will be added to the StatefulSet created for the proxy. - Any Annotations specified here will be merged with the default annotations - applied to the StatefulSet by the Tailscale Kubernetes operator as - well as any other annotations that might have been applied by other - actors. - Annotations must be valid Kubernetes annotations. - https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set - type: object - additionalProperties: - type: string - labels: - description: |- - Labels that will be added to the StatefulSet created for the proxy. - Any labels specified here will be merged with the default labels - applied to the StatefulSet by the Tailscale Kubernetes operator as - well as any other labels that might have been applied by other - actors. - Label keys and values must be valid Kubernetes label keys and values. - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set - type: object - additionalProperties: - type: string - maxLength: 63 - pattern: ^(([a-zA-Z0-9][-._a-zA-Z0-9]*)?[a-zA-Z0-9])?$ - pod: - description: Configuration for the proxy Pod. - type: object - properties: - affinity: - description: |- - Proxy Pod's affinity rules. 
- By default, the Tailscale Kubernetes operator does not apply any affinity rules. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#affinity - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - type: array - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 
- type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. 
- type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - x-kubernetes-map-type: atomic - x-kubernetes-list-type: atomic - x-kubernetes-map-type: atomic - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. 
- type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - type: array - items: - type: string - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- type: array - items: - type: string - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - type: integer - format: int32 - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). 
- type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - type: array - items: - type: string - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. 
If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - x-kubernetes-list-type: atomic - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. 
The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - type: array - items: - type: string - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - type: integer - format: int32 - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- type: array - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - type: array - items: - type: string - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- type: array - items: - type: string - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - x-kubernetes-list-type: atomic - annotations: - description: |- - Annotations that will be added to the proxy Pod. - Any annotations specified here will be merged with the default - annotations applied to the Pod by the Tailscale Kubernetes operator. - Annotations must be valid Kubernetes annotations. - https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set - type: object - additionalProperties: - type: string - dnsConfig: - description: |- - DNSConfig defines DNS parameters for the proxy Pod in addition to those generated from DNSPolicy. - When DNSPolicy is set to "None", DNSConfig must be specified. - https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config - type: object - properties: - nameservers: - description: |- - A list of DNS name server IP addresses. - This will be appended to the base nameservers generated from DNSPolicy. - Duplicated nameservers will be removed. - type: array - items: - type: string - x-kubernetes-list-type: atomic - options: - description: |- - A list of DNS resolver options. - This will be merged with the base options generated from DNSPolicy. - Duplicated entries will be removed. Resolution options given in Options - will override those that appear in the base DNSPolicy. - type: array - items: - description: PodDNSConfigOption defines DNS resolver options of a pod. - type: object - properties: - name: - description: |- - Name is this DNS resolver option's name. - Required. 
- type: string - value: - description: Value is this DNS resolver option's value. - type: string - x-kubernetes-list-type: atomic - searches: - description: |- - A list of DNS search domains for host-name lookup. - This will be appended to the base search paths generated from DNSPolicy. - Duplicated search paths will be removed. - type: array - items: - type: string - x-kubernetes-list-type: atomic - dnsPolicy: - description: |- - DNSPolicy defines how DNS will be configured for the proxy Pod. - By default the Tailscale Kubernetes Operator does not set a DNS policy (uses cluster default). - https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy - type: string - enum: - - ClusterFirstWithHostNet - - ClusterFirst - - Default - - None - imagePullSecrets: - description: |- - Proxy Pod's image pull Secrets. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec - type: array - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - type: object - properties: - name: - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - default: "" - x-kubernetes-map-type: atomic - labels: - description: |- - Labels that will be added to the proxy Pod. - Any labels specified here will be merged with the default labels - applied to the Pod by the Tailscale Kubernetes operator. - Label keys and values must be valid Kubernetes label keys and values. 
- https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set - type: object - additionalProperties: - type: string - maxLength: 63 - pattern: ^(([a-zA-Z0-9][-._a-zA-Z0-9]*)?[a-zA-Z0-9])?$ - nodeName: - description: |- - Proxy Pod's node name. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - type: string - nodeSelector: - description: |- - Proxy Pod's node selector. - By default Tailscale Kubernetes operator does not apply any node - selector. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - type: object - additionalProperties: - type: string - priorityClassName: - description: |- - PriorityClassName for the proxy Pod. - By default Tailscale Kubernetes operator does not apply any priority class. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - type: string - securityContext: - description: |- - Proxy Pod's security context. - By default Tailscale Kubernetes operator does not apply any Pod - security context. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-2 - type: object - properties: - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - type: object - required: - - type - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. 
- Unconfined - no AppArmor enforcement. - type: string - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - type: integer - format: int64 - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - type: integer - format: int64 - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - type: integer - format: int64 - seLinuxChangePolicy: - description: |- - seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. - It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. - Valid values are "MountOption" and "Recursive". - - "Recursive" means relabeling of all files on all Pod volumes by the container runtime. - This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. - - "MountOption" mounts all eligible Pod volumes with `-o context` mount option. - This requires all Pods that share the same volume to use the same SELinux label. - It is not possible to share the same volume among privileged and unprivileged Pods. - Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes - whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their - CSIDriver instance. Other volumes are always re-labelled recursively. - "MountOption" value is allowed only when SELinuxMount feature gate is enabled. - - If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. - If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes - and "Recursive" for all other volumes. 
- - This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. - - All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. - Note that this field cannot be set when spec.os.name is windows. - type: string - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - type: object - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - type: object - required: - - type - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. 
- RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in - addition to the container's primary GID and fsGroup (if specified). If - the SupplementalGroupsPolicy feature is enabled, the - supplementalGroupsPolicy field determines whether these are in addition - to or instead of any group memberships defined in the container image. - If unspecified, no additional groups are added, though group memberships - defined in the container image may still be used, depending on the - supplementalGroupsPolicy field. - Note that this field cannot be set when spec.os.name is windows. - type: array - items: - type: integer - format: int64 - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - description: |- - Defines how supplemental groups of the first container processes are calculated. - Valid values are "Merge" and "Strict". If not specified, "Merge" is used. - (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled - and the container runtime must implement support for this feature. - Note that this field cannot be set when spec.os.name is windows. - type: string - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - type: array - items: - description: Sysctl defines a kernel parameter to be set - type: object - required: - - name - - value - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - x-kubernetes-list-type: atomic - windowsOptions: - description: |- - The Windows specific settings applied to all containers. 
- If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - type: object - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - tailscaleContainer: - description: Configuration for the proxy container running tailscale. - type: object - properties: - debug: - description: |- - Configuration for enabling extra debug information in the container. - Not recommended for production use. - type: object - properties: - enable: - description: |- - Enable tailscaled's HTTP pprof endpoints at :9001/debug/pprof/ - and internal debug metrics endpoint at :9001/debug/metrics, where - 9001 is a container port named "debug". 
The endpoints and their responses - may change in backwards incompatible ways in the future, and should not - be considered stable. - - In 1.78.x and 1.80.x, this setting will default to the value of - .spec.metrics.enable, and requests to the "metrics" port matching the - mux pattern /debug/ will be forwarded to the "debug" port. In 1.82.x, - this setting will default to false, and no requests will be proxied. - type: boolean - env: - description: |- - List of environment variables to set in the container. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables - Note that environment variables provided here will take precedence - over Tailscale-specific environment variables set by the operator, - however running proxies with custom values for Tailscale environment - variables (i.e TS_USERSPACE) is not recommended and might break in - the future. - type: array - items: - type: object - required: - - name - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - pattern: ^[-._a-zA-Z][-._a-zA-Z0-9]*$ - value: - description: |- - Variable references $(VAR_NAME) are expanded using the previously defined - environment variables in the container and any service environment - variables. If a variable cannot be resolved, the reference in the input - string will be unchanged. Double $$ are reduced to a single $, which - allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists or not. Defaults - to "". - type: string - image: - description: |- - Container image name. By default images are pulled from docker.io/tailscale, - but the official images are also available at ghcr.io/tailscale. 
- - For all uses except on ProxyGroups of type "kube-apiserver", this image must - be either tailscale/tailscale, or an equivalent mirror of that image. - To apply to ProxyGroups of type "kube-apiserver", this image must be - tailscale/k8s-proxy or a mirror of that image. - - For "tailscale/tailscale"-based proxies, specifying image name here will - override any proxy image values specified via the Kubernetes operator's - Helm chart values or PROXY_IMAGE env var in the operator Deployment. - For "tailscale/k8s-proxy"-based proxies, there is currently no way to - configure your own default, and this field is the only way to use a - custom image. - - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image - type: string - imagePullPolicy: - description: |- - Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image - type: string - enum: - - Always - - Never - - IfNotPresent - resources: - description: |- - Container resource requirements. - By default Tailscale Kubernetes operator does not apply any resource - requirements. The amount of resources required wil depend on the - amount of resources the operator needs to parse, usage patterns and - cluster size. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources - type: object - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - type: array - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
- type: object - required: - - name - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - additionalProperties: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - requests: - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - additionalProperties: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - securityContext: - description: |- - Container security context. - Security context specified here will override the security context set by the operator. - By default the operator sets the Tailscale container and the Tailscale init container to privileged - for proxies created for Tailscale ingress and egress Service, Connector and ProxyGroup. 
- You can reduce the permissions of the Tailscale container to cap NET_ADMIN by - installing device plugin in your cluster and configuring the proxies tun device to be created - by the device plugin, see https://github.com/tailscale/tailscale/issues/10814#issuecomment-2479977752 - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context - type: object - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by this container. If set, this profile - overrides the pod's appArmorProfile. - Note that this field cannot be set when spec.os.name is windows. - type: object - required: - - type - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. 
- type: object - properties: - add: - description: Added capabilities - type: array - items: - description: Capability represent POSIX capabilities type - type: string - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - type: array - items: - description: Capability represent POSIX capabilities type - type: string - x-kubernetes-list-type: atomic - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default value is Default which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - type: integer - format: int64 - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - type: integer - format: int64 - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - type: object - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - type: object - required: - - type - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". 
Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - type: object - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - tailscaleInitContainer: - description: |- - Configuration for the proxy init container that enables forwarding. 
- Not valid to apply to ProxyGroups of type "kube-apiserver". - type: object - properties: - debug: - description: |- - Configuration for enabling extra debug information in the container. - Not recommended for production use. - type: object - properties: - enable: - description: |- - Enable tailscaled's HTTP pprof endpoints at :9001/debug/pprof/ - and internal debug metrics endpoint at :9001/debug/metrics, where - 9001 is a container port named "debug". The endpoints and their responses - may change in backwards incompatible ways in the future, and should not - be considered stable. - - In 1.78.x and 1.80.x, this setting will default to the value of - .spec.metrics.enable, and requests to the "metrics" port matching the - mux pattern /debug/ will be forwarded to the "debug" port. In 1.82.x, - this setting will default to false, and no requests will be proxied. - type: boolean - env: - description: |- - List of environment variables to set in the container. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables - Note that environment variables provided here will take precedence - over Tailscale-specific environment variables set by the operator, - however running proxies with custom values for Tailscale environment - variables (i.e TS_USERSPACE) is not recommended and might break in - the future. - type: array - items: - type: object - required: - - name - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - pattern: ^[-._a-zA-Z][-._a-zA-Z0-9]*$ - value: - description: |- - Variable references $(VAR_NAME) are expanded using the previously defined - environment variables in the container and any service environment - variables. If a variable cannot be resolved, the reference in the input - string will be unchanged. Double $$ are reduced to a single $, which - allows for escaping the $(VAR_NAME) syntax: i.e. 
"$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists or not. Defaults - to "". - type: string - image: - description: |- - Container image name. By default images are pulled from docker.io/tailscale, - but the official images are also available at ghcr.io/tailscale. - - For all uses except on ProxyGroups of type "kube-apiserver", this image must - be either tailscale/tailscale, or an equivalent mirror of that image. - To apply to ProxyGroups of type "kube-apiserver", this image must be - tailscale/k8s-proxy or a mirror of that image. - - For "tailscale/tailscale"-based proxies, specifying image name here will - override any proxy image values specified via the Kubernetes operator's - Helm chart values or PROXY_IMAGE env var in the operator Deployment. - For "tailscale/k8s-proxy"-based proxies, there is currently no way to - configure your own default, and this field is the only way to use a - custom image. - - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image - type: string - imagePullPolicy: - description: |- - Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image - type: string - enum: - - Always - - Never - - IfNotPresent - resources: - description: |- - Container resource requirements. - By default Tailscale Kubernetes operator does not apply any resource - requirements. The amount of resources required wil depend on the - amount of resources the operator needs to parse, usage patterns and - cluster size. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources - type: object - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. 
- - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - type: array - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - type: object - required: - - name - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - additionalProperties: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - requests: - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - additionalProperties: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - securityContext: - description: |- - Container security context. - Security context specified here will override the security context set by the operator. 
- By default the operator sets the Tailscale container and the Tailscale init container to privileged - for proxies created for Tailscale ingress and egress Service, Connector and ProxyGroup. - You can reduce the permissions of the Tailscale container to cap NET_ADMIN by - installing device plugin in your cluster and configuring the proxies tun device to be created - by the device plugin, see https://github.com/tailscale/tailscale/issues/10814#issuecomment-2479977752 - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context - type: object - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by this container. If set, this profile - overrides the pod's appArmorProfile. - Note that this field cannot be set when spec.os.name is windows. - type: object - required: - - type - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - capabilities: - description: |- - The capabilities to add/drop when running containers. 
- Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - type: object - properties: - add: - description: Added capabilities - type: array - items: - description: Capability represent POSIX capabilities type - type: string - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - type: array - items: - description: Capability represent POSIX capabilities type - type: string - x-kubernetes-list-type: atomic - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default value is Default which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - type: integer - format: int64 - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. 
- If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - type: integer - format: int64 - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - type: object - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - type: object - required: - - type - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. 
- Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - type: object - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - tolerations: - description: |- - Proxy Pod's tolerations. - By default Tailscale Kubernetes operator does not apply any - tolerations. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - type: array - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - type: object - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - topologySpreadConstraints: - description: |- - Proxy Pod's topology spread constraints. - By default Tailscale Kubernetes operator does not apply any topology spread constraints. 
- https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ - type: array - items: - description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. - type: object - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - properties: - labelSelector: - description: |- - LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine the number of pods - in their corresponding topology domain. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select the pods over which - spreading will be calculated. The keys are used to lookup values from the - incoming pod labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading will be calculated - for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't set. - Keys that don't exist in the incoming pod labels will - be ignored. A null or empty list means only match against labelSelector. - - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). - type: array - items: - type: string - x-kubernetes-list-type: atomic - maxSkew: - description: |- - MaxSkew describes the degree to which pods may be unevenly distributed. - When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference - between the number of matching pods in the target topology and the global minimum. - The global minimum is the minimum number of matching pods in an eligible domain - or zero if the number of eligible domains is less than MinDomains. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 2/2/1: - In this case, the global minimum is 1. - | zone1 | zone2 | zone3 | - | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; - scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - - if MaxSkew is 2, incoming pod can be scheduled onto any zone. - When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence - to topologies that satisfy it. - It's a required field. Default value is 1 and 0 is not allowed. 
- type: integer - format: int32 - minDomains: - description: |- - MinDomains indicates a minimum number of eligible domains. - When the number of eligible domains with matching topology keys is less than minDomains, - Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. - And when the number of eligible domains with matching topology keys equals or greater than minDomains, - this value has no effect on scheduling. - As a result, when the number of eligible domains is less than minDomains, - scheduler won't schedule more than maxSkew Pods to those domains. - If value is nil, the constraint behaves as if MinDomains is equal to 1. - Valid values are integers greater than 0. - When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same - labelSelector spread as 2/2/2: - | zone1 | zone2 | zone3 | - | P P | P P | P P | - The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. - In this situation, new pod with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. - type: integer - format: int32 - nodeAffinityPolicy: - description: |- - NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. Options are: - - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - - If this value is nil, the behavior is equivalent to the Honor policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - nodeTaintsPolicy: - description: |- - NodeTaintsPolicy indicates how we will treat node taints when calculating - pod topology spread skew. 
Options are: - - Honor: nodes without taints, along with tainted nodes for which the incoming pod - has a toleration, are included. - - Ignore: node taints are ignored. All nodes are included. - - If this value is nil, the behavior is equivalent to the Ignore policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - topologyKey: - description: |- - TopologyKey is the key of node labels. Nodes that have a label with this key - and identical values are considered to be in the same topology. - We consider each as a "bucket", and try to put balanced number - of pods into each bucket. - We define a domain as a particular instance of a topology. - Also, we define an eligible domain as a domain whose nodes meet the requirements of - nodeAffinityPolicy and nodeTaintsPolicy. - e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. - And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. - It's a required field. - type: string - whenUnsatisfiable: - description: |- - WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy - the spread constraint. - - DoNotSchedule (default) tells the scheduler not to schedule it. - - ScheduleAnyway tells the scheduler to schedule the pod in any location, - but giving higher precedence to topologies that would help reduce the - skew. - A constraint is considered "Unsatisfiable" for an incoming pod - if and only if every possible node assignment for that pod would violate - "MaxSkew" on some topology. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: - | zone1 | zone2 | zone3 | - | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled - to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler - won't make it *more* imbalanced. - It's a required field. - type: string - staticEndpoints: - description: |- - Configuration for 'static endpoints' on proxies in order to facilitate - direct connections from other devices on the tailnet. - See https://tailscale.com/kb/1445/kubernetes-operator-customization#static-endpoints. - type: object - required: - - nodePort - properties: - nodePort: - description: The configuration for static endpoints using NodePort Services. - type: object - required: - - ports - properties: - ports: - description: |- - The port ranges from which the operator will select NodePorts for the Services. - You must ensure that firewall rules allow UDP ingress traffic for these ports - to the node's external IPs. - The ports must be in the range of service node ports for the cluster (default `30000-32767`). - See https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport. - type: array - minItems: 1 - items: - type: object - required: - - port - properties: - endPort: - description: |- - endPort indicates that the range of ports from port to endPort if set, inclusive, - should be used. This field cannot be defined if the port field is not defined. - The endPort must be either unset, or equal or greater than port. - type: integer - port: - description: port represents a port selected to be used. This is a required field. - type: integer - selector: - description: |- - A selector which will be used to select the node's that will have their `ExternalIP`'s advertised - by the ProxyGroup as Static Endpoints. - type: object - additionalProperties: - type: string - tailscale: - description: |- - TailscaleConfig contains options to configure the tailscale-specific - parameters of proxies. 
- type: object - properties: - acceptRoutes: - description: |- - AcceptRoutes can be set to true to make the proxy instance accept - routes advertized by other nodes on the tailnet, such as subnet - routes. - This is equivalent of passing --accept-routes flag to a tailscale Linux client. - https://tailscale.com/kb/1019/subnets#use-your-subnet-routes-from-other-devices - Defaults to false. - type: boolean - useLetsEncryptStagingEnvironment: - description: |- - Set UseLetsEncryptStagingEnvironment to true to issue TLS - certificates for any HTTPS endpoints exposed to the tailnet from - LetsEncrypt's staging environment. - https://letsencrypt.org/docs/staging-environment/ - This setting only affects Tailscale Ingress resources. - By default Ingress TLS certificates are issued from LetsEncrypt's - production environment. - Changing this setting true -> false, will result in any - existing certs being re-issued from the production environment. - Changing this setting false (default) -> true, when certs have already - been provisioned from production environment will NOT result in certs - being re-issued from the staging environment before they need to be - renewed. - type: boolean - status: - description: |- - Status of the ProxyClass. This is set and managed automatically. - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - type: object - properties: - conditions: - description: |- - List of status conditions to indicate the status of the ProxyClass. - Known condition types are `ProxyClassReady`. - type: array - items: - description: Condition contains details for one aspect of the current state of this API Resource. - type: object - required: - - lastTransitionTime - - message - - reason - - status - - type - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. - type: string - format: date-time - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - type: string - maxLength: 32768 - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - type: integer - format: int64 - minimum: 0 - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - type: string - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - status: - description: status of the condition, one of True, False, Unknown. - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- type: string - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - served: true - storage: true - subresources: - status: {} ---- -# Source: tailscale-operator/charts/tailscale-operator/templates/proxygroup.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.0 - name: proxygroups.tailscale.com -spec: - group: tailscale.com - names: - kind: ProxyGroup - listKind: ProxyGroupList - plural: proxygroups - shortNames: - - pg - singular: proxygroup - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Status of the deployed ProxyGroup resources. - jsonPath: .status.conditions[?(@.type == "ProxyGroupReady")].reason - name: Status - type: string - - description: URL of the kube-apiserver proxy advertised by the ProxyGroup devices, if any. Only applies to ProxyGroups of type kube-apiserver. - jsonPath: .status.url - name: URL - type: string - - description: ProxyGroup type. - jsonPath: .spec.type - name: Type - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ProxyGroup defines a set of Tailscale devices that will act as proxies. - Depending on spec.Type, it can be a group of egress, ingress, or kube-apiserver - proxies. In addition to running a highly available set of proxies, ingress - and egress ProxyGroups also allow for serving many annotated Services from a - single set of proxies to minimise resource consumption. - - For ingress and egress, use the tailscale.com/proxy-group annotation on a - Service to specify that the proxy should be implemented by a ProxyGroup - instead of a single dedicated proxy. 
- - More info: - * https://tailscale.com/kb/1438/kubernetes-operator-cluster-egress - * https://tailscale.com/kb/1439/kubernetes-operator-cluster-ingress - - For kube-apiserver, the ProxyGroup is a standalone resource. Use the - spec.kubeAPIServer field to configure options specific to the kube-apiserver - ProxyGroup type. - type: object - required: - - spec - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec describes the desired ProxyGroup instances. - type: object - required: - - type - properties: - hostnamePrefix: - description: |- - HostnamePrefix is the hostname prefix to use for tailnet devices created - by the ProxyGroup. Each device will have the integer number from its - StatefulSet pod appended to this prefix to form the full hostname. - HostnamePrefix can contain lower case letters, numbers and dashes, it - must not start with a dash and must be between 1 and 62 characters long. - type: string - pattern: ^[a-z0-9][a-z0-9-]{0,61}$ - kubeAPIServer: - description: |- - KubeAPIServer contains configuration specific to the kube-apiserver - ProxyGroup type. This field is only used when Type is set to "kube-apiserver". - type: object - properties: - hostname: - description: |- - Hostname is the hostname with which to expose the Kubernetes API server - proxies. 
Must be a valid DNS label no longer than 63 characters. If not - specified, the name of the ProxyGroup is used as the hostname. Must be - unique across the whole tailnet. - type: string - pattern: ^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$ - mode: - description: |- - Mode to run the API server proxy in. Supported modes are auth and noauth. - In auth mode, requests from the tailnet proxied over to the Kubernetes - API server are additionally impersonated using the sender's tailnet identity. - If not specified, defaults to auth mode. - type: string - enum: - - auth - - noauth - proxyClass: - description: |- - ProxyClass is the name of the ProxyClass custom resource that contains - configuration options that should be applied to the resources created - for this ProxyGroup. If unset, and there is no default ProxyClass - configured, the operator will create resources with the default - configuration. - type: string - replicas: - description: |- - Replicas specifies how many replicas to create the StatefulSet with. - Defaults to 2. - type: integer - format: int32 - minimum: 0 - tags: - description: |- - Tags that the Tailscale devices will be tagged with. Defaults to [tag:k8s]. - If you specify custom tags here, make sure you also make the operator - an owner of these tags. - See https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator. - Tags cannot be changed once a ProxyGroup device has been created. - Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$. - type: array - items: - type: string - pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$ - type: - description: |- - Type of the ProxyGroup proxies. Supported types are egress, ingress, and kube-apiserver. - Type is immutable once a ProxyGroup is created. 
- type: string - enum: - - egress - - ingress - - kube-apiserver - x-kubernetes-validations: - - rule: self == oldSelf - message: ProxyGroup type is immutable - status: - description: |- - ProxyGroupStatus describes the status of the ProxyGroup resources. This is - set and managed by the Tailscale operator. - type: object - properties: - conditions: - description: |- - List of status conditions to indicate the status of the ProxyGroup - resources. Known condition types include `ProxyGroupReady` and - `ProxyGroupAvailable`. - - * `ProxyGroupReady` indicates all ProxyGroup resources are reconciled and - all expected conditions are true. - * `ProxyGroupAvailable` indicates that at least one proxy is ready to - serve traffic. - - For ProxyGroups of type kube-apiserver, there are two additional conditions: - - * `KubeAPIServerProxyConfigured` indicates that at least one API server - proxy is configured and ready to serve traffic. - * `KubeAPIServerProxyValid` indicates that spec.kubeAPIServer config is - valid. - type: array - items: - description: Condition contains details for one aspect of the current state of this API Resource. - type: object - required: - - lastTransitionTime - - message - - reason - - status - - type - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - type: string - format: date-time - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - type: string - maxLength: 32768 - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - type: integer - format: int64 - minimum: 0 - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - type: string - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - status: - description: status of the condition, one of True, False, Unknown. - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - type: string - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - devices: - description: List of tailnet devices associated with the ProxyGroup StatefulSet. - type: array - items: - type: object - required: - - hostname - properties: - hostname: - description: |- - Hostname is the fully qualified domain name of the device. - If MagicDNS is enabled in your tailnet, it is the MagicDNS name of the - node. - type: string - staticEndpoints: - description: StaticEndpoints are user configured, 'static' endpoints by which tailnet peers can reach this device. - type: array - items: - type: string - tailnetIPs: - description: |- - TailnetIPs is the set of tailnet IP addresses (both IPv4 and IPv6) - assigned to the device. 
- type: array - items: - type: string - x-kubernetes-list-map-keys: - - hostname - x-kubernetes-list-type: map - url: - description: |- - URL of the kube-apiserver proxy advertised by the ProxyGroup devices, if - any. Only applies to ProxyGroups of type kube-apiserver. - type: string - served: true - storage: true - subresources: - status: {} ---- -# Source: tailscale-operator/charts/tailscale-operator/templates/recorder.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.0 - name: recorders.tailscale.com -spec: - group: tailscale.com - names: - kind: Recorder - listKind: RecorderList - plural: recorders - shortNames: - - rec - singular: recorder - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Status of the deployed Recorder resources. - jsonPath: .status.conditions[?(@.type == "RecorderReady")].reason - name: Status - type: string - - description: URL on which the UI is exposed if enabled. - jsonPath: .status.devices[?(@.url != "")].url - name: URL - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Recorder defines a tsrecorder device for recording SSH sessions. By default, - it will store recordings in a local ephemeral volume. If you want to persist - recordings, you can configure an S3-compatible API for storage. - - More info: https://tailscale.com/kb/1484/kubernetes-operator-deploying-tsrecorder - type: object - required: - - spec - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec describes the desired recorder instance. - type: object - properties: - enableUI: - description: |- - Set to true to enable the Recorder UI. The UI lists and plays recorded sessions. - The UI will be served at :443. Defaults to false. - Corresponds to --ui tsrecorder flag https://tailscale.com/kb/1246/tailscale-ssh-session-recording#deploy-a-recorder-node. - Required if S3 storage is not set up, to ensure that recordings are accessible. - type: boolean - statefulSet: - description: |- - Configuration parameters for the Recorder's StatefulSet. The operator - deploys a StatefulSet for each Recorder resource. - type: object - properties: - annotations: - description: |- - Annotations that will be added to the StatefulSet created for the Recorder. - Any Annotations specified here will be merged with the default annotations - applied to the StatefulSet by the operator. - https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set - type: object - additionalProperties: - type: string - labels: - description: |- - Labels that will be added to the StatefulSet created for the Recorder. - Any labels specified here will be merged with the default labels applied - to the StatefulSet by the operator. 
- https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set - type: object - additionalProperties: - type: string - pod: - description: Configuration for pods created by the Recorder's StatefulSet. - type: object - properties: - affinity: - description: |- - Affinity rules for Recorder Pods. By default, the operator does not - apply any affinity rules. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#affinity - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - type: array - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. 
- type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 
- type: integer - format: int32 - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - x-kubernetes-map-type: atomic - x-kubernetes-list-type: atomic - x-kubernetes-map-type: atomic - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). 
- type: array - items: - type: string - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - type: integer - format: int32 - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. 
- If it's null, this PodAffinityTerm matches with no Pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. 
- The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - type: array - items: - type: string - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. 
- type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - x-kubernetes-list-type: atomic - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). 
- type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. 
If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - type: array - items: - type: string - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - type: integer - format: int32 - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- type: array - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - type: array - items: - type: string - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - type: array - items: - type: string - x-kubernetes-list-type: atomic - x-kubernetes-list-type: atomic - matchLabels: - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- type: array - items: - type: string - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - x-kubernetes-list-type: atomic - annotations: - description: |- - Annotations that will be added to Recorder Pods. Any annotations - specified here will be merged with the default annotations applied to - the Pod by the operator. - https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set - type: object - additionalProperties: - type: string - container: - description: Configuration for the Recorder container running tailscale. - type: object - properties: - env: - description: |- - List of environment variables to set in the container. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables - Note that environment variables provided here will take precedence - over Tailscale-specific environment variables set by the operator, - however running proxies with custom values for Tailscale environment - variables (i.e TS_USERSPACE) is not recommended and might break in - the future. - type: array - items: - type: object - required: - - name - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - pattern: ^[-._a-zA-Z][-._a-zA-Z0-9]*$ - value: - description: |- - Variable references $(VAR_NAME) are expanded using the previously defined - environment variables in the container and any service environment - variables. If a variable cannot be resolved, the reference in the input - string will be unchanged. 
Double $$ are reduced to a single $, which - allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will - produce the string literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists or not. Defaults - to "". - type: string - image: - description: |- - Container image name including tag. Defaults to docker.io/tailscale/tsrecorder - with the same tag as the operator, but the official images are also - available at ghcr.io/tailscale/tsrecorder. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image - type: string - imagePullPolicy: - description: |- - Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image - type: string - enum: - - Always - - Never - - IfNotPresent - resources: - description: |- - Container resource requirements. - By default, the operator does not apply any resource requirements. The - amount of resources required wil depend on the volume of recordings sent. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources - type: object - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - type: array - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - type: object - required: - - name - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. 
- If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - additionalProperties: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - requests: - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - additionalProperties: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - securityContext: - description: |- - Container security context. By default, the operator does not apply any - container security context. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context - type: object - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. 
- type: boolean - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by this container. If set, this profile - overrides the pod's appArmorProfile. - Note that this field cannot be set when spec.os.name is windows. - type: object - required: - - type - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - type: object - properties: - add: - description: Added capabilities - type: array - items: - description: Capability represent POSIX capabilities type - type: string - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - type: array - items: - description: Capability represent POSIX capabilities type - type: string - x-kubernetes-list-type: atomic - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default value is Default which uses the container runtime defaults for - readonly paths and masked paths. 
- This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - type: integer - format: int64 - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - type: integer - format: int64 - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- Note that this field cannot be set when spec.os.name is windows. - type: object - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - type: object - required: - - type - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. 
- type: object - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - imagePullSecrets: - description: |- - Image pull Secrets for Recorder Pods. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec - type: array - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - type: object - properties: - name: - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - default: "" - x-kubernetes-map-type: atomic - labels: - description: |- - Labels that will be added to Recorder Pods. 
Any labels specified here - will be merged with the default labels applied to the Pod by the operator. - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set - type: object - additionalProperties: - type: string - nodeSelector: - description: |- - Node selector rules for Recorder Pods. By default, the operator does - not apply any node selector rules. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - type: object - additionalProperties: - type: string - securityContext: - description: |- - Security context for Recorder Pods. By default, the operator does not - apply any Pod security context. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-2 - type: object - properties: - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - type: object - required: - - type - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. 
The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - type: integer - format: int64 - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - type: integer - format: int64 - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. 
- Note that this field cannot be set when spec.os.name is windows. - type: integer - format: int64 - seLinuxChangePolicy: - description: |- - seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. - It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. - Valid values are "MountOption" and "Recursive". - - "Recursive" means relabeling of all files on all Pod volumes by the container runtime. - This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. - - "MountOption" mounts all eligible Pod volumes with `-o context` mount option. - This requires all Pods that share the same volume to use the same SELinux label. - It is not possible to share the same volume among privileged and unprivileged Pods. - Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes - whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their - CSIDriver instance. Other volumes are always re-labelled recursively. - "MountOption" value is allowed only when SELinuxMount feature gate is enabled. - - If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. - If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes - and "Recursive" for all other volumes. - - This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. - - All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. - Note that this field cannot be set when spec.os.name is windows. - type: string - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. 
May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - type: object - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - type: object - required: - - type - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in - addition to the container's primary GID and fsGroup (if specified). If - the SupplementalGroupsPolicy feature is enabled, the - supplementalGroupsPolicy field determines whether these are in addition - to or instead of any group memberships defined in the container image. 
- If unspecified, no additional groups are added, though group memberships - defined in the container image may still be used, depending on the - supplementalGroupsPolicy field. - Note that this field cannot be set when spec.os.name is windows. - type: array - items: - type: integer - format: int64 - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - description: |- - Defines how supplemental groups of the first container processes are calculated. - Valid values are "Merge" and "Strict". If not specified, "Merge" is used. - (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled - and the container runtime must implement support for this feature. - Note that this field cannot be set when spec.os.name is windows. - type: string - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - type: array - items: - description: Sysctl defines a kernel parameter to be set - type: object - required: - - name - - value - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - x-kubernetes-list-type: atomic - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - type: object - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. 
- type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - serviceAccount: - description: |- - Config for the ServiceAccount to create for the Recorder's StatefulSet. - By default, the operator will create a ServiceAccount with the same - name as the Recorder resource. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#service-account - type: object - properties: - annotations: - description: |- - Annotations to add to the ServiceAccount. - https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set - - You can use this to add IAM roles to the ServiceAccount (IRSA) instead of - providing static S3 credentials in a Secret. - https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html - - For example: - eks.amazonaws.com/role-arn: arn:aws:iam:::role/ - type: object - additionalProperties: - type: string - name: - description: |- - Name of the ServiceAccount to create. Defaults to the name of the - Recorder resource. 
- https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#service-account - type: string - maxLength: 253 - pattern: ^[a-z0-9]([a-z0-9-.]{0,61}[a-z0-9])?$ - tolerations: - description: |- - Tolerations for Recorder Pods. By default, the operator does not apply - any tolerations. - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - type: array - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - type: object - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - storage: - description: |- - Configure where to store session recordings. 
By default, recordings will - be stored in a local ephemeral volume, and will not be persisted past the - lifetime of a specific pod. - type: object - properties: - s3: - description: |- - Configure an S3-compatible API for storage. Required if the UI is not - enabled, to ensure that recordings are accessible. - type: object - properties: - bucket: - description: |- - Bucket name to write to. The bucket is expected to be used solely for - recordings, as there is no stable prefix for written object names. - type: string - credentials: - description: |- - Configure environment variable credentials for managing objects in the - configured bucket. If not set, tsrecorder will try to acquire credentials - first from the file system and then the STS API. - type: object - properties: - secret: - description: |- - Use a Kubernetes Secret from the operator's namespace as the source of - credentials. - type: object - properties: - name: - description: |- - The name of a Kubernetes Secret in the operator's namespace that contains - credentials for writing to the configured bucket. Each key-value pair - from the secret's data will be mounted as an environment variable. It - should include keys for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY if - using a static access key. - type: string - endpoint: - description: S3-compatible endpoint, e.g. s3.us-east-1.amazonaws.com. - type: string - tags: - description: |- - Tags that the Tailscale device will be tagged with. Defaults to [tag:k8s]. - If you specify custom tags here, make sure you also make the operator - an owner of these tags. - See https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator. - Tags cannot be changed once a Recorder node has been created. - Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$. - type: array - items: - type: string - pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$ - status: - description: |- - RecorderStatus describes the status of the recorder. 
This is set - and managed by the Tailscale operator. - type: object - properties: - conditions: - description: |- - List of status conditions to indicate the status of the Recorder. - Known condition types are `RecorderReady`. - type: array - items: - description: Condition contains details for one aspect of the current state of this API Resource. - type: object - required: - - lastTransitionTime - - message - - reason - - status - - type - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - type: string - format: date-time - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - type: string - maxLength: 32768 - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - type: integer - format: int64 - minimum: 0 - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - type: string - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - status: - description: status of the condition, one of True, False, Unknown. - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- type: string - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - devices: - description: List of tailnet devices associated with the Recorder StatefulSet. - type: array - items: - type: object - required: - - hostname - properties: - hostname: - description: |- - Hostname is the fully qualified domain name of the device. - If MagicDNS is enabled in your tailnet, it is the MagicDNS name of the - node. - type: string - tailnetIPs: - description: |- - TailnetIPs is the set of tailnet IP addresses (both IPv4 and IPv6) - assigned to the device. - type: array - items: - type: string - url: - description: |- - URL where the UI is available if enabled for replaying recordings. This - will be an HTTPS MagicDNS URL. You must be connected to the same tailnet - as the recorder to access it. - type: string - x-kubernetes-list-map-keys: - - hostname - x-kubernetes-list-type: map - served: true - storage: true - subresources: - status: {} ---- -# Source: tailscale-operator/charts/tailscale-operator/templates/operator-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: tailscale-operator -rules: -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["events", "services", "services/status"] - verbs: ["create","delete","deletecollection","get","list","patch","update","watch"] -- apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingresses/status"] - verbs: ["create","delete","deletecollection","get","list","patch","update","watch"] -- apiGroups: ["networking.k8s.io"] - resources: ["ingressclasses"] - verbs: ["get", "list", "watch"] -- apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] -- apiGroups: ["tailscale.com"] - resources: ["connectors", "connectors/status", 
"proxyclasses", "proxyclasses/status", "proxygroups", "proxygroups/status"] - verbs: ["get", "list", "watch", "update"] -- apiGroups: ["tailscale.com"] - resources: ["dnsconfigs", "dnsconfigs/status"] - verbs: ["get", "list", "watch", "update"] -- apiGroups: ["tailscale.com"] - resources: ["recorders", "recorders/status"] - verbs: ["get", "list", "watch", "update"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - resourceNames: ["servicemonitors.monitoring.coreos.com"] ---- -# Source: tailscale-operator/charts/tailscale-operator/templates/operator-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tailscale-operator -subjects: -- kind: ServiceAccount - name: operator - namespace: tailscale-operator -roleRef: - kind: ClusterRole - name: tailscale-operator - apiGroup: rbac.authorization.k8s.io ---- -# Source: tailscale-operator/charts/tailscale-operator/templates/operator-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: operator - namespace: tailscale-operator -rules: -- apiGroups: [""] - resources: ["secrets", "serviceaccounts", "configmaps"] - verbs: ["create","delete","deletecollection","get","list","patch","update","watch"] -- apiGroups: [""] - resources: ["pods"] - verbs: ["get","list","watch", "update"] -- apiGroups: [""] - resources: ["pods/status"] - verbs: ["update"] -- apiGroups: ["apps"] - resources: ["statefulsets", "deployments"] - verbs: ["create","delete","deletecollection","get","list","patch","update","watch"] -- apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch", "create", "update", "deletecollection"] -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["roles", "rolebindings"] - verbs: ["get", "create", "patch", "update", "list", "watch", "deletecollection"] -- apiGroups: ["monitoring.coreos.com"] - resources: ["servicemonitors"] - verbs: ["get", 
"list", "update", "create", "delete"] ---- -# Source: tailscale-operator/charts/tailscale-operator/templates/proxy-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: proxies - namespace: tailscale-operator -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create","delete","deletecollection","get","list","patch","update","watch"] -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch", "get"] ---- -# Source: tailscale-operator/charts/tailscale-operator/templates/operator-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: operator - namespace: tailscale-operator -subjects: -- kind: ServiceAccount - name: operator - namespace: tailscale-operator -roleRef: - kind: Role - name: operator - apiGroup: rbac.authorization.k8s.io ---- -# Source: tailscale-operator/charts/tailscale-operator/templates/proxy-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: proxies - namespace: tailscale-operator -subjects: -- kind: ServiceAccount - name: proxies - namespace: tailscale-operator -roleRef: - kind: Role - name: proxies - apiGroup: rbac.authorization.k8s.io ---- -# Source: tailscale-operator/charts/tailscale-operator/templates/deployment.yaml -# Copyright (c) Tailscale Inc & AUTHORS -# SPDX-License-Identifier: BSD-3-Clause - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: operator - namespace: tailscale-operator -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app: operator - template: - metadata: - labels: - app: operator - spec: - serviceAccountName: operator - volumes: - - name: oauth - secret: - secretName: operator-oauth - containers: - - name: operator - image: tailscale/k8s-operator:v1.90.9 - imagePullPolicy: Always - env: - - name: OPERATOR_INITIAL_TAGS - value: tag:k8s-operator - - name: OPERATOR_HOSTNAME - value: tailscale-operator-cl01tl - - name: OPERATOR_SECRET - value: operator - - name: 
OPERATOR_LOGGING
- value: info
- - name: OPERATOR_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: OPERATOR_LOGIN_SERVER
- value:
- - name: OPERATOR_INGRESS_CLASS_NAME
- value: tailscale
- - name: CLIENT_ID_FILE
- value: /oauth/client_id
- - name: CLIENT_SECRET_FILE
- value: /oauth/client_secret
- - name: PROXY_IMAGE
- value: tailscale/tailscale:v1.90.9
- - name: PROXY_TAGS
- value: tag:k8s
- - name: APISERVER_PROXY
- value: "false"
- - name: PROXY_FIREWALL_MODE
- value: auto
- - name: PROXY_DEFAULT_CLASS
- value: no-metrics
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_UID
- valueFrom:
- fieldRef:
- fieldPath: metadata.uid
- volumeMounts:
- - name: oauth
- mountPath: /oauth
- readOnly: true
- nodeSelector:
- kubernetes.io/os: linux
----
-# Source: tailscale-operator/charts/tailscale-operator/templates/ingressclass.yaml
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- name: tailscale
- annotations: {} # we do not support default IngressClass annotation https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class
-spec:
- controller: tailscale.com/ts-ingress # controller name currently can not be changed
- # parameters: {} # currently no parameters are supported
----
-# Source: tailscale-operator/charts/tailscale-operator/templates/apiserverproxy-rbac.yaml
-# Copyright (c) Tailscale Inc & AUTHORS
-# SPDX-License-Identifier: BSD-3-Clause
-
-# If old setting used, enable both old (operator) and new (ProxyGroup) workflows.
-# If new setting used, enable only new workflow.
----
-# Source: tailscale-operator/charts/tailscale-operator/templates/oauth-secret.yaml
-# Copyright (c) Tailscale Inc & AUTHORS
-# SPDX-License-Identifier: BSD-3-Clause
----
-# Source: tailscale-operator/templates/connector.yaml
-apiVersion: tailscale.com/v1alpha1
-kind: Connector
-metadata:
- name: subnet-router-local
- namespace: tailscale-operator
- labels:
- app.kubernetes.io/name: subnet-router-local
- app.kubernetes.io/instance: tailscale-operator
- app.kubernetes.io/part-of: tailscale-operator
-spec:
- hostname: subnet-router-local-cl01tl
- proxyClass: default
- subnetRouter:
- advertiseRoutes:
- - 192.168.1.0/24
- - 10.230.0.0/24
- - 10.232.0.0/22
----
-# Source: tailscale-operator/templates/dns-config.yaml
-apiVersion: tailscale.com/v1alpha1
-kind: DNSConfig
-metadata:
- name: ts-dns
- namespace: tailscale-operator
- labels:
- app.kubernetes.io/name: ts-dns
- app.kubernetes.io/instance: tailscale-operator
- app.kubernetes.io/part-of: tailscale-operator
-spec:
- nameserver:
- image:
- repo: tailscale/k8s-nameserver
- tag: unstable-v1.91.88
----
-# Source: tailscale-operator/templates/external-secrets.yaml
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: operator-oauth
- namespace: tailscale-operator
- labels:
- app.kubernetes.io/name: operator-oauth
- app.kubernetes.io/instance: tailscale-operator
- app.kubernetes.io/part-of: tailscale-operator
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault
- data:
- - secretKey: client_id
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /tailscale/k8s-operator
- metadataPolicy: None
- property: clientId
- - secretKey: client_secret
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /tailscale/k8s-operator
- metadataPolicy: None
- property: clientSecret
----
-# Source: tailscale-operator/templates/proxy-class.yaml
-apiVersion: tailscale.com/v1alpha1
-kind: ProxyClass
-metadata:
- name: default
- namespace: tailscale-operator
- 
labels:
- app.kubernetes.io/name: default
- app.kubernetes.io/instance: tailscale-operator
- app.kubernetes.io/part-of: tailscale-operator
-spec:
- metrics:
- enable: true
- serviceMonitor:
- enable: true
- statefulSet:
- pod:
- tailscaleContainer:
- resources:
- limits:
- devic.es/tun: "1"
- tailscaleInitContainer:
- resources:
- limits:
- devic.es/tun: "1"
----
-# Source: tailscale-operator/templates/proxy-class.yaml
-apiVersion: tailscale.com/v1alpha1
-kind: ProxyClass
-metadata:
- name: no-metrics
- namespace: tailscale-operator
- labels:
- app.kubernetes.io/name: no-metrics
- app.kubernetes.io/instance: tailscale-operator
- app.kubernetes.io/part-of: tailscale-operator
-spec:
- metrics:
- enable: false
- statefulSet:
- pod:
- tailscaleContainer:
- resources:
- limits:
- devic.es/tun: "1"
- tailscaleInitContainer:
- resources:
- limits:
- devic.es/tun: "1"
diff --git a/clusters/cl01tl/manifests/talos/talos.yaml b/clusters/cl01tl/manifests/talos/talos.yaml
deleted file mode 100644
index 3df785f4e..000000000
--- a/clusters/cl01tl/manifests/talos/talos.yaml
+++ /dev/null
@@ -1,476 +0,0 @@ ---- -# Source: talos/templates/service-account.yaml -apiVersion: talos.dev/v1alpha1 -kind: ServiceAccount -metadata: - name: talos-backup-secrets - namespace: talos - labels: - app.kubernetes.io/name: talos-backup-secrets - app.kubernetes.io/instance: talos - app.kubernetes.io/part-of: talos -spec: - roles: - - os:etcd:backup ---- -# Source: talos/templates/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: talos-backup-secrets - namespace: talos - labels: - app.kubernetes.io/name: talos-backup-secrets - app.kubernetes.io/instance: talos - app.kubernetes.io/part-of: talos - annotations: - kubernetes.io/service-account.name: talos-backup-secrets ---- -# Source: talos/charts/etcd-backup/templates/common.yaml ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: talos - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: talos - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: talos - helm.sh/chart: etcd-backup-4.4.0 - namespace: talos -spec: - suspend: false - concurrencyPolicy: Forbid - startingDeadlineSeconds: 90 - timeZone: US/Central - schedule: "0 2 * * *" - successfulJobsHistoryLimit: 3 - failedJobsHistoryLimit: 3 - jobTemplate: - spec: - parallelism: 1 - backoffLimit: 3 - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: talos - app.kubernetes.io/name: talos - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - restartPolicy: Never - nodeSelector: - node-role.kubernetes.io/control-plane: "" - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists - containers: - - command: - - /talos-backup - env: - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: AWS_ACCESS_KEY_ID - name: talos-etcd-backup-secret - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - 
secretKeyRef: - key: AWS_SECRET_ACCESS_KEY - name: talos-etcd-backup-secret - - name: AWS_REGION - value: nyc3 - - name: CUSTOM_S3_ENDPOINT - value: https://nyc3.digitaloceanspaces.com - - name: BUCKET - value: talos-backups-bee8585f7b8a4d0239c9b823 - - name: S3_PREFIX - value: cl01tl/etcd - - name: CLUSTER_NAME - value: cl01tl - - name: AGE_X25519_PUBLIC_KEY - valueFrom: - secretKeyRef: - key: AGE_X25519_PUBLIC_KEY - name: talos-etcd-backup-secret - - name: USE_PATH_STYLE - value: "false" - image: ghcr.io/siderolabs/talos-backup:v0.1.0-beta.3@sha256:05c86663b251a407551dc948097e32e163a345818117eb52c573b0447bd0c7a7 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /var/run/secrets/talos.dev - mountPropagation: None - name: secret - readOnly: true - - mountPath: /.talos - name: talos - - mountPath: /tmp - name: tmp - workingDir: /tmp - - args: - - -ec - - | - export DATE_RANGE=$(date -d @$(( $(date +%s) - 1209600 )) +%Y-%m-%dT%H:%M:%SZ); - export FILE_MATCH="$BUCKET/cl01tl/etcd/cl01tl-$DATE_RANGE.snap.age" - echo ">> Running S3 prune for Talos backup repository" - echo ">> Backups prior to '$DATE_RANGE' will be removed" - echo ">> Backups to be removed:" - s3cmd ls ${BUCKET}/cl01tl/etcd/ | - awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}' - echo ">> Deleting ..." 
- s3cmd ls ${BUCKET}/cl01tl/etcd/ | - awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}' | - while read file; do - s3cmd del "$file"; - done; - echo ">> Completed S3 prune for Talos backup repository" - command: - - /bin/sh - env: - - name: BUCKET - valueFrom: - secretKeyRef: - key: BUCKET - name: talos-etcd-backup-secret - image: d3fk/s3cmd:latest@sha256:590c42746db1252be8aad33e287c7910698c32b58b4fc34f67592a5bd0841551 - imagePullPolicy: IfNotPresent - name: s3-prune - resources: - requests: - cpu: 100m - memory: 128Mi - volumeMounts: - - mountPath: /root/.s3cfg - mountPropagation: None - name: s3cmd-config - readOnly: true - subPath: .s3cfg - volumes: - - name: s3cmd-config - secret: - secretName: talos-etcd-backup-secret - - name: secret - secret: - secretName: talos-backup-secrets - - emptyDir: - medium: Memory - name: talos - - emptyDir: - medium: Memory - name: tmp ---- -# Source: talos/charts/etcd-defrag/templates/common.yaml ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: etcd-defrag-defrag-2 - labels: - app.kubernetes.io/controller: defrag-2 - app.kubernetes.io/instance: talos - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: talos - helm.sh/chart: etcd-defrag-4.4.0 - namespace: talos -spec: - suspend: false - concurrencyPolicy: Forbid - startingDeadlineSeconds: 90 - timeZone: US/Central - schedule: "10 0 * * 0" - successfulJobsHistoryLimit: 3 - failedJobsHistoryLimit: 3 - jobTemplate: - spec: - parallelism: 1 - backoffLimit: 3 - template: - metadata: - labels: - app.kubernetes.io/controller: defrag-2 - app.kubernetes.io/instance: talos - app.kubernetes.io/name: talos - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - restartPolicy: Never - nodeSelector: - node-role.kubernetes.io/control-plane: "" - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - 
operator: Exists - containers: - - args: - - etcd - - defrag - - -n - - 10.232.1.12 - env: - - name: TALOSCONFIG - value: /tmp/.talos/config - image: ghcr.io/siderolabs/talosctl:v1.11.5 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 100m - memory: 128Mi - volumeMounts: - - mountPath: /tmp/.talos/config - mountPropagation: None - name: talos-config-2 - readOnly: true - subPath: config - volumes: - - name: talos-config-2 - secret: - secretName: talos-etcd-defrag-secret ---- -# Source: talos/charts/etcd-defrag/templates/common.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: etcd-defrag-defrag-3 - labels: - app.kubernetes.io/controller: defrag-3 - app.kubernetes.io/instance: talos - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: talos - helm.sh/chart: etcd-defrag-4.4.0 - namespace: talos -spec: - suspend: false - concurrencyPolicy: Forbid - startingDeadlineSeconds: 90 - timeZone: US/Central - schedule: "20 0 * * 0" - successfulJobsHistoryLimit: 3 - failedJobsHistoryLimit: 3 - jobTemplate: - spec: - parallelism: 1 - backoffLimit: 3 - template: - metadata: - labels: - app.kubernetes.io/controller: defrag-3 - app.kubernetes.io/instance: talos - app.kubernetes.io/name: talos - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - restartPolicy: Never - nodeSelector: - node-role.kubernetes.io/control-plane: "" - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists - containers: - - args: - - etcd - - defrag - - -n - - 10.232.1.13 - env: - - name: TALOSCONFIG - value: /tmp/.talos/config - image: ghcr.io/siderolabs/talosctl:v1.11.5 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 100m - memory: 128Mi - volumeMounts: - - mountPath: /tmp/.talos/config - mountPropagation: None - name: talos-config-3 - readOnly: true - 
subPath: config - volumes: - - name: talos-config-3 - secret: - secretName: talos-etcd-defrag-secret ---- -# Source: talos/charts/etcd-defrag/templates/common.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: etcd-defrag-defrag-1 - labels: - app.kubernetes.io/controller: defrag-1 - app.kubernetes.io/instance: talos - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: talos - helm.sh/chart: etcd-defrag-4.4.0 - namespace: talos -spec: - suspend: false - concurrencyPolicy: Forbid - startingDeadlineSeconds: 90 - timeZone: US/Central - schedule: "0 0 * * 0" - successfulJobsHistoryLimit: 3 - failedJobsHistoryLimit: 3 - jobTemplate: - spec: - parallelism: 1 - backoffLimit: 3 - template: - metadata: - labels: - app.kubernetes.io/controller: defrag-1 - app.kubernetes.io/instance: talos - app.kubernetes.io/name: talos - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - restartPolicy: Never - nodeSelector: - node-role.kubernetes.io/control-plane: "" - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists - containers: - - args: - - etcd - - defrag - - -n - - 10.232.1.11 - env: - - name: TALOSCONFIG - value: /tmp/.talos/config - image: ghcr.io/siderolabs/talosctl:v1.11.5 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 100m - memory: 128Mi - volumeMounts: - - mountPath: /tmp/.talos/config - mountPropagation: None - name: talos-config-1 - readOnly: true - subPath: config - volumes: - - name: talos-config-1 - secret: - secretName: talos-etcd-defrag-secret ---- -# Source: talos/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: talos-etcd-backup-secret - namespace: talos - labels: - app.kubernetes.io/name: talos-etcd-backup-secret - app.kubernetes.io/instance: talos - app.kubernetes.io/part-of: 
talos - annotations: - kubernetes.io/service-account.name: talos-backup-secrets -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/etcd-backup - metadataPolicy: None - property: AWS_ACCESS_KEY_ID - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/etcd-backup - metadataPolicy: None - property: AWS_SECRET_ACCESS_KEY - - secretKey: .s3cfg - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/etcd-backup - metadataPolicy: None - property: s3cfg - - secretKey: BUCKET - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/etcd-backup - metadataPolicy: None - property: BUCKET - - secretKey: AGE_X25519_PUBLIC_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/talos/etcd-backup - metadataPolicy: None - property: AGE_X25519_PUBLIC_KEY ---- -# Source: talos/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: talos-etcd-defrag-secret - namespace: talos - labels: - app.kubernetes.io/name: talos-etcd-defrag-secret - app.kubernetes.io/instance: talos - app.kubernetes.io/part-of: talos -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: config - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/talos/etcd-defrag - metadataPolicy: None - property: config diff --git a/clusters/cl01tl/manifests/tautulli/tautulli.yaml b/clusters/cl01tl/manifests/tautulli/tautulli.yaml deleted file mode 100644 index d00adc0f7..000000000 --- a/clusters/cl01tl/manifests/tautulli/tautulli.yaml +++ /dev/null 
@@ -1,331 +0,0 @@ ---- -# Source: tautulli/charts/tautulli/templates/common.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: tautulli - labels: - app.kubernetes.io/instance: tautulli - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tautulli - helm.sh/chart: tautulli-4.4.0 - namespace: tautulli -data: - select_tmdb_poster.py: | - #!/usr/bin/env python - # -*- coding: utf-8 -*- - - ''' - Description: Selects the default TMDB poster if no poster is selected - or the current poster is from Gracenote. - Author: /u/SwiftPanda16 - Requires: plexapi - Usage: - * Change the posters for an entire library: - python select_tmdb_poster.py --library "Movies" - - * Change the poster for a specific item: - python select_tmdb_poster.py --rating_key 1234 - - * By default locked posters are skipped. To update locked posters: - python select_tmdb_poster.py --library "Movies" --include_locked - - Tautulli script trigger: - * Notify on recently added - Tautulli script conditions: - * Filter which media to select the poster. Examples: - [ Media Type | is | movie ] - Tautulli script arguments: - * Recently Added: - --rating_key {rating_key} - ''' - - import argparse - import os - import plexapi.base - from plexapi.server import PlexServer - plexapi.base.USER_DONT_RELOAD_FOR_KEYS.add('fields') - - - # Environmental Variables - PLEX_URL = os.getenv('PLEX_URL') - PLEX_TOKEN = os.getenv('PLEX_TOKEN') - - - def select_tmdb_poster_library(library, include_locked=False): - for item in library.all(includeGuids=False): - # Only reload for fields - item.reload(**{k: 0 for k, v in item._INCLUDES.items()}) - select_tmdb_poster_item(item, include_locked=include_locked) - - - def select_tmdb_poster_item(item, include_locked=False): - if item.isLocked('thumb') and not include_locked: # PlexAPI 4.5.10 - print(f"Locked poster for {item.title}. 
Skipping.") - return - - posters = item.posters() - selected_poster = next((p for p in posters if p.selected), None) - - if selected_poster is None: - print(f"WARNING: No poster selected for {item.title}.") - else: - skipping = ' Skipping.' if selected_poster.provider != 'gracenote' else '' - print(f"Poster provider is '{selected_poster.provider}' for {item.title}.{skipping}") - - if posters and (selected_poster is None or selected_poster.provider == 'gracenote'): - # Fallback to first poster if no TMDB posters are available - tmdb_poster = next((p for p in posters if p.provider == 'tmdb'), posters[0]) - # Selecting the poster automatically locks it - tmdb_poster.select() - print(f"Selected {tmdb_poster.provider} poster for {item.title}.") - - - if __name__ == '__main__': - parser = argparse.ArgumentParser() - parser.add_argument('--rating_key', type=int) - parser.add_argument('--library') - parser.add_argument('--include_locked', action='store_true') - opts = parser.parse_args() - - plex = PlexServer(PLEX_URL, PLEX_TOKEN) - - if opts.rating_key: - item = plex.fetchItem(opts.rating_key) - select_tmdb_poster_item(item, opts.include_locked) - elif opts.library: - library = plex.library.section(opts.library) - select_tmdb_poster_library(library, opts.include_locked) - else: - print("No --rating_key or --library specified. 
Exiting.") ---- -# Source: tautulli/charts/tautulli/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: tautulli-config - labels: - app.kubernetes.io/instance: tautulli - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tautulli - helm.sh/chart: tautulli-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: tautulli -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: tautulli/charts/tautulli/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: tautulli - labels: - app.kubernetes.io/instance: tautulli - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tautulli - app.kubernetes.io/service: tautulli - helm.sh/chart: tautulli-4.4.0 - namespace: tautulli -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8181 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: tautulli - app.kubernetes.io/name: tautulli ---- -# Source: tautulli/charts/tautulli/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tautulli - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: tautulli - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tautulli - helm.sh/chart: tautulli-4.4.0 - annotations: - reloader.stakater.com/auto: "true" - namespace: tautulli -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: tautulli - app.kubernetes.io/instance: tautulli - template: - metadata: - annotations: - checksum/configMaps: 8f779aaa6f9bccc9e07f526b05d4f9d81e7e55a443819d526312ff297ac88ba5 - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: tautulli - app.kubernetes.io/name: tautulli - spec: - enableServiceLinks: false - serviceAccountName: default - 
automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: PUID - value: "1001" - - name: GUID - value: "1001" - - name: TZ - value: US/Central - image: ghcr.io/tautulli/tautulli:v2.16.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /config - name: config - - mountPath: /config/scripts/select_tmdb_poster.py - mountPropagation: None - name: scripts - readOnly: true - subPath: select_tmdb_poster.py - volumes: - - name: config - persistentVolumeClaim: - claimName: tautulli-config - - configMap: - name: tautulli-scripts - name: scripts ---- -# Source: tautulli/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: tautulli-config-backup-secret - namespace: tautulli - labels: - app.kubernetes.io/name: tautulli-config-backup-secret - app.kubernetes.io/instance: tautulli - app.kubernetes.io/part-of: tautulli -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/tautulli/tautulli-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - 
property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: tautulli/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-tautulli - namespace: tautulli - labels: - app.kubernetes.io/name: http-route-tautulli - app.kubernetes.io/instance: tautulli - app.kubernetes.io/part-of: tautulli -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - tautulli.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: tautulli - port: 80 - weight: 100 ---- -# Source: tautulli/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: tautulli-config-backup-source - namespace: tautulli - labels: - app.kubernetes.io/name: tautulli-config-backup-source - app.kubernetes.io/instance: tautulli - app.kubernetes.io/part-of: tautulli -spec: - sourcePVC: tautulli-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: tautulli-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot diff --git a/clusters/cl01tl/manifests/tdarr/tdarr.yaml b/clusters/cl01tl/manifests/tdarr/tdarr.yaml deleted file mode 100644 index 4da17a419..000000000 --- a/clusters/cl01tl/manifests/tdarr/tdarr.yaml +++ /dev/null 
@@ -1,658 +0,0 @@ ---- -# Source: tdarr/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: tdarr-nfs-storage - namespace: tdarr - labels: - app.kubernetes.io/name: tdarr-nfs-storage - app.kubernetes.io/instance: tdarr - app.kubernetes.io/part-of: tdarr -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: tdarr/charts/tdarr/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: tdarr-config - labels: - app.kubernetes.io/instance: tdarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tdarr - helm.sh/chart: tdarr-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: tdarr -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "50Gi" - storageClassName: "ceph-block" ---- -# Source: tdarr/charts/tdarr/templates/common.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: tdarr-server - labels: - app.kubernetes.io/instance: tdarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tdarr - helm.sh/chart: tdarr-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: tdarr -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "50Gi" - storageClassName: "ceph-block" ---- -# Source: tdarr/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: tdarr-nfs-storage - namespace: tdarr - labels: - app.kubernetes.io/name: tdarr-nfs-storage - app.kubernetes.io/instance: tdarr - app.kubernetes.io/part-of: tdarr -spec: - volumeName: tdarr-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: tdarr/charts/tdarr-exporter/templates/service.yaml -apiVersion: v1 
-kind: Service -metadata: - name: tdarr-tdarr-exporter - labels: - helm.sh/chart: tdarr-exporter-1.1.7 - app.kubernetes.io/name: tdarr-exporter - app.kubernetes.io/instance: tdarr - app.kubernetes.io/version: "1.4.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 9090 - targetPort: 9090 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/name: tdarr-exporter - app.kubernetes.io/instance: tdarr ---- -# Source: tdarr/charts/tdarr/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: tdarr-api - labels: - app.kubernetes.io/instance: tdarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tdarr - app.kubernetes.io/service: tdarr-api - helm.sh/chart: tdarr-4.4.0 - namespace: tdarr -spec: - type: ClusterIP - ports: - - port: 8266 - targetPort: 8266 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: server - app.kubernetes.io/instance: tdarr - app.kubernetes.io/name: tdarr ---- -# Source: tdarr/charts/tdarr/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: tdarr-web - labels: - app.kubernetes.io/instance: tdarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tdarr - app.kubernetes.io/service: tdarr-web - helm.sh/chart: tdarr-4.4.0 - namespace: tdarr -spec: - type: ClusterIP - ports: - - port: 8265 - targetPort: 8265 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: server - app.kubernetes.io/instance: tdarr - app.kubernetes.io/name: tdarr ---- -# Source: tdarr/charts/tdarr/templates/common.yaml -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: tdarr-node - labels: - app.kubernetes.io/controller: node - app.kubernetes.io/instance: tdarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tdarr - helm.sh/chart: tdarr-4.4.0 - namespace: tdarr -spec: - revisionHistoryLimit: 3 - selector: - matchLabels: - app.kubernetes.io/controller: node - app.kubernetes.io/name: tdarr - app.kubernetes.io/instance: 
tdarr - template: - metadata: - annotations: - - labels: - app.kubernetes.io/controller: node - app.kubernetes.io/instance: tdarr - app.kubernetes.io/name: tdarr - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - nodeSelector: - intel.feature.node.kubernetes.io/gpu: "true" - containers: - - env: - - name: TZ - value: US/Central - - name: PUID - value: "1001" - - name: PGID - value: "1001" - - name: UMASK_SET - value: "002" - - name: ffmpegVersion - value: "6" - - name: inContainer - value: "true" - - name: nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: serverIP - value: tdarr-api - - name: serverPort - value: "8266" - image: ghcr.io/haveagitgat/tdarr_node:2.58.02 - imagePullPolicy: IfNotPresent - name: main - resources: - limits: - gpu.intel.com/i915: 1 - requests: - cpu: 10m - gpu.intel.com/i915: 1 - memory: 512Mi - volumeMounts: - - mountPath: /mnt/store - name: media - readOnly: true - - mountPath: /tcache - name: node-cache - volumes: - - name: media - persistentVolumeClaim: - claimName: tdarr-nfs-storage - - emptyDir: {} - name: node-cache ---- -# Source: tdarr/charts/tdarr-exporter/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tdarr-tdarr-exporter - labels: - helm.sh/chart: tdarr-exporter-1.1.7 - app.kubernetes.io/name: tdarr-exporter - app.kubernetes.io/instance: tdarr - app.kubernetes.io/version: "1.4.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/name: tdarr-exporter - app.kubernetes.io/instance: tdarr - template: - metadata: - annotations: - labels: - helm.sh/chart: tdarr-exporter-1.1.7 - app.kubernetes.io/name: tdarr-exporter - app.kubernetes.io/instance: tdarr - app.kubernetes.io/version: "1.4.3" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: default - 
securityContext: - {} - containers: - - name: tdarr-exporter - securityContext: - {} - image: "docker.io/homeylab/tdarr-exporter:1.4.2" - imagePullPolicy: IfNotPresent - ports: - - name: metrics - containerPort: 9090 - protocol: TCP - env: - - name: TDARR_URL - value: "http://tdarr-web.tdarr:8265" - - name: VERIFY_SSL - value: "false" - - name: LOG_LEVEL - value: "info" - - name: PROMETHEUS_PORT - value: "9090" - - name: PROMETHEUS_PATH - value: "/metrics" - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: metrics - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 3 - readinessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: metrics - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - startupProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: metrics - initialDelaySeconds: 2 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 2 - resources: - requests: - cpu: 10m - memory: 256Mi ---- -# Source: tdarr/charts/tdarr/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tdarr-server - labels: - app.kubernetes.io/controller: server - app.kubernetes.io/instance: tdarr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tdarr - helm.sh/chart: tdarr-4.4.0 - namespace: tdarr -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: server - app.kubernetes.io/name: tdarr - app.kubernetes.io/instance: tdarr - template: - metadata: - labels: - app.kubernetes.io/controller: server - app.kubernetes.io/instance: tdarr - app.kubernetes.io/name: tdarr - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: PUID - value: "1001" - - name: PGID - value: 
"1001" - - name: UMASK_SET - value: "002" - - name: ffmpegVersion - value: "6" - - name: internalNode - value: "false" - - name: inContainer - value: "true" - - name: nodeName - value: tdarr-server - - name: serverIP - value: 0.0.0.0 - - name: serverPort - value: "8266" - - name: webUIPort - value: "8265" - image: ghcr.io/haveagitgat/tdarr:2.58.02 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 200m - memory: 1Gi - volumeMounts: - - mountPath: /app/configs - name: config - - mountPath: /mnt/store - name: media - readOnly: true - - mountPath: /app/server - name: server - - mountPath: /tcache - name: server-cache - volumes: - - name: config - persistentVolumeClaim: - claimName: tdarr-config - - name: media - persistentVolumeClaim: - claimName: tdarr-nfs-storage - - name: server - persistentVolumeClaim: - claimName: tdarr-server - - emptyDir: {} - name: server-cache ---- -# Source: tdarr/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: tdarr-config-backup-secret - namespace: tdarr - labels: - app.kubernetes.io/name: tdarr-config-backup-secret - app.kubernetes.io/instance: tdarr - app.kubernetes.io/part-of: tdarr -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/tdarr/tdarr-config" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - 
secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: tdarr/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: tdarr-server-backup-secret - namespace: tdarr - labels: - app.kubernetes.io/name: tdarr-server-backup-secret - app.kubernetes.io/instance: tdarr - app.kubernetes.io/part-of: tdarr -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/tdarr/tdarr-server" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: tdarr/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - 
name: http-route-tdarr - namespace: tdarr - labels: - app.kubernetes.io/name: http-route-tdarr - app.kubernetes.io/instance: tdarr - app.kubernetes.io/part-of: tdarr -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - tdarr.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: tdarr-web - port: 8265 - weight: 100 ---- -# Source: tdarr/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: tdarr-config-backup-source - namespace: tdarr - labels: - app.kubernetes.io/name: tdarr-config-backup-source - app.kubernetes.io/instance: tdarr - app.kubernetes.io/part-of: tdarr -spec: - sourcePVC: tdarr-config - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: tdarr-config-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: tdarr/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: tdarr-server-backup-source - namespace: tdarr - labels: - app.kubernetes.io/name: tdarr-server-backup-source - app.kubernetes.io/instance: tdarr - app.kubernetes.io/part-of: tdarr -spec: - sourcePVC: tdarr-server - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: tdarr-server-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: tdarr/charts/tdarr-exporter/templates/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - labels: - helm.sh/chart: tdarr-exporter-1.1.7 - app.kubernetes.io/name: tdarr-exporter - 
app.kubernetes.io/instance: tdarr - app.kubernetes.io/version: "1.4.3" - app.kubernetes.io/managed-by: Helm - name: tdarr-tdarr-exporter -spec: - endpoints: - - interval: 1m - path: /metrics - port: metrics - scrapeTimeout: 15s - namespaceSelector: - matchNames: - - tdarr - selector: - matchLabels: - app.kubernetes.io/name: tdarr-exporter - app.kubernetes.io/instance: tdarr ---- -# Source: tdarr/charts/tdarr-exporter/templates/tests/test-connection.yaml -apiVersion: v1 -kind: Pod -metadata: - name: "tdarr-tdarr-exporter-test-connection" - labels: - helm.sh/chart: tdarr-exporter-1.1.7 - app.kubernetes.io/name: tdarr-exporter - app.kubernetes.io/instance: tdarr - app.kubernetes.io/version: "1.4.3" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": test -spec: - containers: - - name: wget - image: "docker.io/busybox:1.36.1" - command: ['wget'] - args: ['tdarr-tdarr-exporter:9090/healthz'] - restartPolicy: Never diff --git a/clusters/cl01tl/manifests/traefik/traefik.yaml b/clusters/cl01tl/manifests/traefik/traefik.yaml deleted file mode 100644 index 68c63fb0f..000000000 --- a/clusters/cl01tl/manifests/traefik/traefik.yaml +++ /dev/null 
@@ -1,19092 +0,0 @@ ---- -# Source: traefik/charts/traefik/crds/gateway-standard-install.yaml -# Copyright 2025 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# -# Gateway API Standard channel install -# ---- -# -# config/crd/standard/gateway.networking.k8s.io_backendtlspolicies.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 - gateway.networking.k8s.io/channel: standard - labels: - gateway.networking.k8s.io/policy: Direct - name: backendtlspolicies.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: BackendTLSPolicy - listKind: BackendTLSPolicyList - plural: backendtlspolicies - shortNames: - - btlspolicy - singular: backendtlspolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - BackendTLSPolicy provides a way to configure how a Gateway - connects to a Backend via TLS. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of BackendTLSPolicy. - properties: - options: - additionalProperties: - description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. - maxLength: 4096 - minLength: 0 - type: string - description: |- - Options are a list of key/value pairs to enable extended TLS - configuration for each implementation. For example, configuring the - minimum TLS version or supported cipher suites. - - A set of common keys MAY be defined by the API in the future. To avoid - any ambiguity, implementation-specific definitions MUST use - domain-prefixed names, such as `example.com/my-custom-option`. - Un-prefixed names are reserved for key names defined by Gateway API. - - Support: Implementation-specific - maxProperties: 16 - type: object - targetRefs: - description: |- - TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. - Note that this config applies to the entire referenced resource - by default, but this default may change in the future to provide - a more granular application of the policy. - - TargetRefs must be _distinct_. 
This means either that: - - * They select different targets. If this is the case, then targetRef - entries are distinct. In terms of fields, this means that the - multi-part key defined by `group`, `kind`, and `name` must - be unique across all targetRef entries in the BackendTLSPolicy. - * They select different sectionNames in the same target. - - When more than one BackendTLSPolicy selects the same target and - sectionName, implementations MUST determine precedence using the - following criteria, continuing on ties: - - * The older policy by creation timestamp takes precedence. For - example, a policy with a creation timestamp of "2021-07-15 - 01:02:03" MUST be given precedence over a policy with a - creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. - - For any BackendTLSPolicy that does not take precedence, the - implementation MUST ensure the `Accepted` Condition is set to - `status: False`, with Reason `Conflicted`. - - Support: Extended for Kubernetes Service - - Support: Implementation-specific for any other resource - items: - description: |- - LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a - direct policy to. This should be used as part of Policy resources that can - target single resources. For more information on how this policy attachment - mode works, and a sample Policy resource, refer to the policy attachment - documentation for Gateway API. - - Note: This should only be used for direct policy attachment when references - to SectionName are actually needed. In all other cases, - LocalPolicyTargetReference should be used. - properties: - group: - description: Group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the target resource. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - sectionName: - description: |- - SectionName is the name of a section within the target resource. When - unspecified, this targetRef targets the entire resource. In the following - resources, SectionName is interpreted as the following: - - * Gateway: Listener name - * HTTPRoute: HTTPRouteRule name - * Service: Port name - - If a SectionName is specified, but does not exist on the targeted object, - the Policy must fail to attach, and the policy implementation should record - a `ResolvedRefs` or similar Condition in the Policy's status. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - group - - kind - - name - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: sectionName must be specified when targetRefs includes - 2 or more references to the same target - rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name ? ((!has(p1.sectionName) || p1.sectionName - == '''') == (!has(p2.sectionName) || p2.sectionName == '''')) - : true))' - - message: sectionName must be unique when targetRefs includes 2 or - more references to the same target - rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.sectionName) || - p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName - == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName - == p2.sectionName)))) - validation: - description: Validation contains backend TLS validation configuration. 
- properties: - caCertificateRefs: - description: |- - CACertificateRefs contains one or more references to Kubernetes objects that - contain a PEM-encoded TLS CA certificate bundle, which is used to - validate a TLS handshake between the Gateway and backend Pod. - - If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be - specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - not both. If CACertificateRefs is empty or unspecified, the configuration for - WellKnownCACertificates MUST be honored instead if supported by the implementation. - - A CACertificateRef is invalid if: - - * It refers to a resource that cannot be resolved (e.g., the referenced resource - does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` - and the Message of the Condition must indicate which reference is invalid and why. - - * It refers to an unknown or unsupported kind of resource. In this case, the Reason - must be set to `InvalidKind` and the Message of the Condition must explain which - kind of resource is unknown or unsupported. - - * It refers to a resource in another namespace. This may change in future - spec updates. - - Implementations MAY choose to perform further validation of the certificate - content (e.g., checking expiry or enforcing specific formats). In such cases, - an implementation-specific Reason and Message must be set for the invalid reference. - - In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - the BackendTLSPolicy is set to `status: False`, with a Reason and Message - that indicate the cause of the error. Connections using an invalid - CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - response. 
If ALL CACertificateRefs are invalid, the implementation MUST also - ensure the `Accepted` Condition on the BackendTLSPolicy is set to - `status: False`, with a Reason `NoValidCACertificate`. - - A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. - Implementations MAY choose to support attaching multiple certificates to - a backend, but this behavior is implementation-specific. - - Support: Core - An optional single reference to a Kubernetes ConfigMap, - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific - More than one reference, other kinds - of resources, or a single reference that includes multiple certificates. - items: - description: |- - LocalObjectReference identifies an API object within the namespace of the - referrer. - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For example "HTTPRoute" - or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic - hostname: - description: |- - Hostname is used for two purposes in the connection between Gateways and - backends: - - 1. 
Hostname MUST be used as the SNI to connect to the backend (RFC 6066). - 2. Hostname MUST be used for authentication and MUST match the certificate - served by the matching backend, unless SubjectAltNames is specified. - 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - but MUST NOT be used for authentication. If you want to use the value - of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - subjectAltNames: - description: |- - SubjectAltNames contains one or more Subject Alternative Names. - When specified the certificate served from the backend MUST - have at least one Subject Alternate Name matching one of the specified SubjectAltNames. - - Support: Extended - items: - description: SubjectAltName represents Subject Alternative Name. - properties: - hostname: - description: |- - Hostname contains Subject Alternative Name specified in DNS name format. - Required when Type is set to Hostname, ignored otherwise. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: - description: |- - Type determines the format of the Subject Alternative Name. Always required. - - Support: Core - enum: - - Hostname - - URI - type: string - uri: - description: |- - URI contains Subject Alternative Name specified in a full URI format. - It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - Required when Type is set to URI, ignored otherwise. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? 
- type: string - required: - - type - type: object - x-kubernetes-validations: - - message: SubjectAltName element must contain Hostname, if - Type is set to Hostname - rule: '!(self.type == "Hostname" && (!has(self.hostname) || - self.hostname == ""))' - - message: SubjectAltName element must not contain Hostname, - if Type is not set to Hostname - rule: '!(self.type != "Hostname" && has(self.hostname) && - self.hostname != "")' - - message: SubjectAltName element must contain URI, if Type - is set to URI - rule: '!(self.type == "URI" && (!has(self.uri) || self.uri - == ""))' - - message: SubjectAltName element must not contain URI, if Type - is not set to URI - rule: '!(self.type != "URI" && has(self.uri) && self.uri != - "")' - maxItems: 5 - type: array - x-kubernetes-list-type: atomic - wellKnownCACertificates: - description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. - - If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs - must be specified with at least one entry for a valid configuration. Only one of - CACertificateRefs or WellKnownCACertificates may be specified, not both. - If an implementation does not support the WellKnownCACertificates field, or - the supplied value is not recognized, the implementation MUST ensure the - `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - a Reason `Invalid`. 
- - Support: Implementation-specific - enum: - - System - type: string - required: - - hostname - type: object - x-kubernetes-validations: - - message: must not contain both CACertificateRefs and WellKnownCACertificates - rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs) - > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates - != "")' - - message: must specify either CACertificateRefs or WellKnownCACertificates - rule: (has(self.caCertificateRefs) && size(self.caCertificateRefs) - > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates - != "") - required: - - targetRefs - - validation - type: object - status: - description: Status defines the current state of BackendTLSPolicy. - properties: - ancestors: - description: |- - Ancestors is a list of ancestor resources (usually Gateways) that are - associated with the policy, and the status of the policy with respect to - each ancestor. When this policy attaches to a parent, the controller that - manages the parent and the ancestors MUST add an entry to this list when - the controller first sees the policy and SHOULD update the entry as - appropriate when the relevant ancestor is modified. - - Note that choosing the relevant ancestor is left to the Policy designers; - an important part of Policy design is designing the right object level at - which to namespace this status. - - Note also that implementations MUST ONLY populate ancestor status for - the Ancestor resources they are responsible for. Implementations MUST - use the ControllerName field to uniquely identify the entries in this list - that they are responsible for. - - Note that to achieve this, the list of PolicyAncestorStatus structs - MUST be treated as a map with a composite key, made up of the AncestorRef - and ControllerName fields combined. - - A maximum of 16 ancestors will be represented in this list. An empty list - means the Policy is not relevant for any ancestors. 
- - If this slice is full, implementations MUST NOT add further entries. - Instead they MUST consider the policy unimplementable and signal that - on any related resources such as the ancestor that would be referenced - here. For example, if this list was full on BackendTLSPolicy, no - additional Gateways would be able to reference the Service targeted by - the BackendTLSPolicy. - items: - description: |- - PolicyAncestorStatus describes the status of a route with respect to an - associated Ancestor. - - Ancestors refer to objects that are either the Target of a policy or above it - in terms of object hierarchy. For example, if a policy targets a Service, the - Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - useful object to place Policy status on, so we recommend that implementations - SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - have a _very_ good reason otherwise. - - In the context of policy attachment, the Ancestor is used to distinguish which - resource results in a distinct application of this policy. For example, if a policy - targets a Service, it may have a distinct result per attached Gateway. - - Policies targeting the same resource may have different effects depending on the - ancestors of those resources. For example, different Gateways targeting the same - Service may have different capabilities, especially if they have different underlying - implementations. - - For example, in BackendTLSPolicy, the Policy attaches to a Service that is - used as a backend in a HTTPRoute that is itself attached to a Gateway. - In this case, the relevant object for status is the Gateway, and that is the - ancestor object referred to in this status. - - Note that a parent is also an ancestor, so for objects where the parent is the - relevant object for status, this struct SHOULD still be used. 
- - This struct is intended to be used in a slice that's effectively a map, - with a composite key made up of the AncestorRef and the ControllerName. - properties: - ancestorRef: - description: |- - AncestorRef corresponds with a ParentRef in the spec that this - PolicyAncestorStatus struct describes the status of. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. 
It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. 
- - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - conditions: - description: Conditions describes the status of the Policy with - respect to the given Ancestor. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - required: - - ancestorRef - - conditions - - controllerName - type: object - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - required: - - ancestors - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - deprecated: true - deprecationWarning: The v1alpha3 version of BackendTLSPolicy has been deprecated - and will be removed in a future release of the API. Please upgrade to v1. - name: v1alpha3 - schema: - openAPIV3Schema: - description: |- - BackendTLSPolicy provides a way to configure how a Gateway - connects to a Backend via TLS. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of BackendTLSPolicy. - properties: - options: - additionalProperties: - description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. 
- maxLength: 4096 - minLength: 0 - type: string - description: |- - Options are a list of key/value pairs to enable extended TLS - configuration for each implementation. For example, configuring the - minimum TLS version or supported cipher suites. - - A set of common keys MAY be defined by the API in the future. To avoid - any ambiguity, implementation-specific definitions MUST use - domain-prefixed names, such as `example.com/my-custom-option`. - Un-prefixed names are reserved for key names defined by Gateway API. - - Support: Implementation-specific - maxProperties: 16 - type: object - targetRefs: - description: |- - TargetRefs identifies an API object to apply the policy to. - Only Services have Extended support. Implementations MAY support - additional objects, with Implementation Specific support. - Note that this config applies to the entire referenced resource - by default, but this default may change in the future to provide - a more granular application of the policy. - - TargetRefs must be _distinct_. This means either that: - - * They select different targets. If this is the case, then targetRef - entries are distinct. In terms of fields, this means that the - multi-part key defined by `group`, `kind`, and `name` must - be unique across all targetRef entries in the BackendTLSPolicy. - * They select different sectionNames in the same target. - - When more than one BackendTLSPolicy selects the same target and - sectionName, implementations MUST determine precedence using the - following criteria, continuing on ties: - - * The older policy by creation timestamp takes precedence. For - example, a policy with a creation timestamp of "2021-07-15 - 01:02:03" MUST be given precedence over a policy with a - creation timestamp of "2021-07-15 01:02:04". - * The policy appearing first in alphabetical order by {name}. - For example, a policy named `bar` is given precedence over a - policy named `baz`. 
- - For any BackendTLSPolicy that does not take precedence, the - implementation MUST ensure the `Accepted` Condition is set to - `status: False`, with Reason `Conflicted`. - - Support: Extended for Kubernetes Service - - Support: Implementation-specific for any other resource - items: - description: |- - LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a - direct policy to. This should be used as part of Policy resources that can - target single resources. For more information on how this policy attachment - mode works, and a sample Policy resource, refer to the policy attachment - documentation for Gateway API. - - Note: This should only be used for direct policy attachment when references - to SectionName are actually needed. In all other cases, - LocalPolicyTargetReference should be used. - properties: - group: - description: Group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - sectionName: - description: |- - SectionName is the name of a section within the target resource. When - unspecified, this targetRef targets the entire resource. In the following - resources, SectionName is interpreted as the following: - - * Gateway: Listener name - * HTTPRoute: HTTPRouteRule name - * Service: Port name - - If a SectionName is specified, but does not exist on the targeted object, - the Policy must fail to attach, and the policy implementation should record - a `ResolvedRefs` or similar Condition in the Policy's status. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - group - - kind - - name - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: sectionName must be specified when targetRefs includes - 2 or more references to the same target - rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name ? ((!has(p1.sectionName) || p1.sectionName - == '''') == (!has(p2.sectionName) || p2.sectionName == '''')) - : true))' - - message: sectionName must be unique when targetRefs includes 2 or - more references to the same target - rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.sectionName) || - p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName - == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName - == p2.sectionName)))) - validation: - description: Validation contains backend TLS validation configuration. - properties: - caCertificateRefs: - description: |- - CACertificateRefs contains one or more references to Kubernetes objects that - contain a PEM-encoded TLS CA certificate bundle, which is used to - validate a TLS handshake between the Gateway and backend Pod. - - If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be - specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - not both. If CACertificateRefs is empty or unspecified, the configuration for - WellKnownCACertificates MUST be honored instead if supported by the implementation. - - A CACertificateRef is invalid if: - - * It refers to a resource that cannot be resolved (e.g., the referenced resource - does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - named `ca.crt`). 
In this case, the Reason must be set to `InvalidCACertificateRef` - and the Message of the Condition must indicate which reference is invalid and why. - - * It refers to an unknown or unsupported kind of resource. In this case, the Reason - must be set to `InvalidKind` and the Message of the Condition must explain which - kind of resource is unknown or unsupported. - - * It refers to a resource in another namespace. This may change in future - spec updates. - - Implementations MAY choose to perform further validation of the certificate - content (e.g., checking expiry or enforcing specific formats). In such cases, - an implementation-specific Reason and Message must be set for the invalid reference. - - In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - the BackendTLSPolicy is set to `status: False`, with a Reason and Message - that indicate the cause of the error. Connections using an invalid - CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - response. If ALL CACertificateRefs are invalid, the implementation MUST also - ensure the `Accepted` Condition on the BackendTLSPolicy is set to - `status: False`, with a Reason `NoValidCACertificate`. - - A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. - Implementations MAY choose to support attaching multiple certificates to - a backend, but this behavior is implementation-specific. - - Support: Core - An optional single reference to a Kubernetes ConfigMap, - with the CA certificate in a key named `ca.crt`. - - Support: Implementation-specific - More than one reference, other kinds - of resources, or a single reference that includes multiple certificates. - items: - description: |- - LocalObjectReference identifies an API object within the namespace of the - referrer. - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. 
- - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For example "HTTPRoute" - or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic - hostname: - description: |- - Hostname is used for two purposes in the connection between Gateways and - backends: - - 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). - 2. Hostname MUST be used for authentication and MUST match the certificate - served by the matching backend, unless SubjectAltNames is specified. - 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - but MUST NOT be used for authentication. If you want to use the value - of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - subjectAltNames: - description: |- - SubjectAltNames contains one or more Subject Alternative Names. - When specified the certificate served from the backend MUST - have at least one Subject Alternate Name matching one of the specified SubjectAltNames. - - Support: Extended - items: - description: SubjectAltName represents Subject Alternative Name. 
- properties: - hostname: - description: |- - Hostname contains Subject Alternative Name specified in DNS name format. - Required when Type is set to Hostname, ignored otherwise. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: - description: |- - Type determines the format of the Subject Alternative Name. Always required. - - Support: Core - enum: - - Hostname - - URI - type: string - uri: - description: |- - URI contains Subject Alternative Name specified in a full URI format. - It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - Required when Type is set to URI, ignored otherwise. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: SubjectAltName element must contain Hostname, if - Type is set to Hostname - rule: '!(self.type == "Hostname" && (!has(self.hostname) || - self.hostname == ""))' - - message: SubjectAltName element must not contain Hostname, - if Type is not set to Hostname - rule: '!(self.type != "Hostname" && has(self.hostname) && - self.hostname != "")' - - message: SubjectAltName element must contain URI, if Type - is set to URI - rule: '!(self.type == "URI" && (!has(self.uri) || self.uri - == ""))' - - message: SubjectAltName element must not contain URI, if Type - is not set to URI - rule: '!(self.type != "URI" && has(self.uri) && self.uri != - "")' - maxItems: 5 - type: array - x-kubernetes-list-type: atomic - wellKnownCACertificates: - description: |- - WellKnownCACertificates specifies whether system CA certificates may be used in - the TLS handshake between the gateway and backend pod. 
- - If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs - must be specified with at least one entry for a valid configuration. Only one of - CACertificateRefs or WellKnownCACertificates may be specified, not both. - If an implementation does not support the WellKnownCACertificates field, or - the supplied value is not recognized, the implementation MUST ensure the - `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - a Reason `Invalid`. - - Support: Implementation-specific - enum: - - System - type: string - required: - - hostname - type: object - x-kubernetes-validations: - - message: must not contain both CACertificateRefs and WellKnownCACertificates - rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs) - > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates - != "")' - - message: must specify either CACertificateRefs or WellKnownCACertificates - rule: (has(self.caCertificateRefs) && size(self.caCertificateRefs) - > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates - != "") - required: - - targetRefs - - validation - type: object - status: - description: Status defines the current state of BackendTLSPolicy. - properties: - ancestors: - description: |- - Ancestors is a list of ancestor resources (usually Gateways) that are - associated with the policy, and the status of the policy with respect to - each ancestor. When this policy attaches to a parent, the controller that - manages the parent and the ancestors MUST add an entry to this list when - the controller first sees the policy and SHOULD update the entry as - appropriate when the relevant ancestor is modified. - - Note that choosing the relevant ancestor is left to the Policy designers; - an important part of Policy design is designing the right object level at - which to namespace this status. 
- - Note also that implementations MUST ONLY populate ancestor status for - the Ancestor resources they are responsible for. Implementations MUST - use the ControllerName field to uniquely identify the entries in this list - that they are responsible for. - - Note that to achieve this, the list of PolicyAncestorStatus structs - MUST be treated as a map with a composite key, made up of the AncestorRef - and ControllerName fields combined. - - A maximum of 16 ancestors will be represented in this list. An empty list - means the Policy is not relevant for any ancestors. - - If this slice is full, implementations MUST NOT add further entries. - Instead they MUST consider the policy unimplementable and signal that - on any related resources such as the ancestor that would be referenced - here. For example, if this list was full on BackendTLSPolicy, no - additional Gateways would be able to reference the Service targeted by - the BackendTLSPolicy. - items: - description: |- - PolicyAncestorStatus describes the status of a route with respect to an - associated Ancestor. - - Ancestors refer to objects that are either the Target of a policy or above it - in terms of object hierarchy. For example, if a policy targets a Service, the - Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - useful object to place Policy status on, so we recommend that implementations - SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - have a _very_ good reason otherwise. - - In the context of policy attachment, the Ancestor is used to distinguish which - resource results in a distinct application of this policy. For example, if a policy - targets a Service, it may have a distinct result per attached Gateway. - - Policies targeting the same resource may have different effects depending on the - ancestors of those resources. 
For example, different Gateways targeting the same - Service may have different capabilities, especially if they have different underlying - implementations. - - For example, in BackendTLSPolicy, the Policy attaches to a Service that is - used as a backend in a HTTPRoute that is itself attached to a Gateway. - In this case, the relevant object for status is the Gateway, and that is the - ancestor object referred to in this status. - - Note that a parent is also an ancestor, so for objects where the parent is the - relevant object for status, this struct SHOULD still be used. - - This struct is intended to be used in a slice that's effectively a map, - with a composite key made up of the AncestorRef and the ControllerName. - properties: - ancestorRef: - description: |- - AncestorRef corresponds with a ParentRef in the spec that this - PolicyAncestorStatus struct describes the status of. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. 
When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. 
- - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - conditions: - description: Conditions describes the status of the Policy with - respect to the given Ancestor. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". 
- - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - required: - - ancestorRef - - conditions - - controllerName - type: object - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - required: - - ancestors - type: object - required: - - spec - type: object - served: false - storage: false -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 - gateway.networking.k8s.io/channel: standard - name: gatewayclasses.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: GatewayClass - listKind: GatewayClassList - plural: gatewayclasses - shortNames: - - gc - singular: gatewayclass - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.controllerName - name: Controller - type: string - - jsonPath: .status.conditions[?(@.type=="Accepted")].status - name: Accepted - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.description - name: Description - priority: 1 - type: string - name: v1 - schema: - openAPIV3Schema: - description: |- - GatewayClass describes a class of Gateways available to the user for 
creating - Gateway resources. - - It is recommended that this resource be used as a template for Gateways. This - means that a Gateway is based on the state of the GatewayClass at the time it - was created and changes to the GatewayClass or associated parameters are not - propagated down to existing Gateways. This recommendation is intended to - limit the blast radius of changes to GatewayClass or associated parameters. - If implementations choose to propagate GatewayClass changes to existing - Gateways, that MUST be clearly documented by the implementation. - - Whenever one or more Gateways are using a GatewayClass, implementations SHOULD - add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the - associated GatewayClass. This ensures that a GatewayClass associated with a - Gateway is not deleted while in use. - - GatewayClass is a Cluster level resource. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of GatewayClass. - properties: - controllerName: - description: |- - ControllerName is the name of the controller that is managing Gateways of - this class. The value of this field MUST be a domain prefixed path. - - Example: "example.net/gateway-controller". - - This field is not mutable and cannot be empty. 
- - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - x-kubernetes-validations: - - message: Value is immutable - rule: self == oldSelf - description: - description: Description helps describe a GatewayClass with more details. - maxLength: 64 - type: string - parametersRef: - description: |- - ParametersRef is a reference to a resource that contains the configuration - parameters corresponding to the GatewayClass. This is optional if the - controller does not require any additional configuration. - - ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, - or an implementation-specific custom resource. The resource can be - cluster-scoped or namespace-scoped. - - If the referent cannot be found, refers to an unsupported kind, or when - the data within that resource is malformed, the GatewayClass SHOULD be - rejected with the "Accepted" status condition set to "False" and an - "InvalidParameters" reason. - - A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, - the merging behavior is implementation specific. - It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. - - Support: Implementation-specific - properties: - group: - description: Group is the group of the referent. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. 
- This field is required when referring to a Namespace-scoped resource and - MUST be unset when referring to a Cluster-scoped resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - name - type: object - required: - - controllerName - type: object - status: - default: - conditions: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - description: |- - Status defines the current state of GatewayClass. - - Implementations MUST populate status on all GatewayClass resources which - specify their controller name. - properties: - conditions: - default: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - description: |- - Conditions is the current status from the controller for - this GatewayClass. - - Controllers should prefer to publish conditions using values - of GatewayClassConditionType for the type of each Condition. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - supportedFeatures: - description: |- - SupportedFeatures is the set of features the GatewayClass support. - It MUST be sorted in ascending alphabetical order by the Name key. - items: - properties: - name: - description: |- - FeatureName is used to describe distinct features that are covered by - conformance tests. 
- type: string - required: - - name - type: object - maxItems: 64 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.controllerName - name: Controller - type: string - - jsonPath: .status.conditions[?(@.type=="Accepted")].status - name: Accepted - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.description - name: Description - priority: 1 - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - GatewayClass describes a class of Gateways available to the user for creating - Gateway resources. - - It is recommended that this resource be used as a template for Gateways. This - means that a Gateway is based on the state of the GatewayClass at the time it - was created and changes to the GatewayClass or associated parameters are not - propagated down to existing Gateways. This recommendation is intended to - limit the blast radius of changes to GatewayClass or associated parameters. - If implementations choose to propagate GatewayClass changes to existing - Gateways, that MUST be clearly documented by the implementation. - - Whenever one or more Gateways are using a GatewayClass, implementations SHOULD - add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the - associated GatewayClass. This ensures that a GatewayClass associated with a - Gateway is not deleted while in use. - - GatewayClass is a Cluster level resource. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of GatewayClass. - properties: - controllerName: - description: |- - ControllerName is the name of the controller that is managing Gateways of - this class. The value of this field MUST be a domain prefixed path. - - Example: "example.net/gateway-controller". - - This field is not mutable and cannot be empty. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - x-kubernetes-validations: - - message: Value is immutable - rule: self == oldSelf - description: - description: Description helps describe a GatewayClass with more details. - maxLength: 64 - type: string - parametersRef: - description: |- - ParametersRef is a reference to a resource that contains the configuration - parameters corresponding to the GatewayClass. This is optional if the - controller does not require any additional configuration. - - ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, - or an implementation-specific custom resource. The resource can be - cluster-scoped or namespace-scoped. - - If the referent cannot be found, refers to an unsupported kind, or when - the data within that resource is malformed, the GatewayClass SHOULD be - rejected with the "Accepted" status condition set to "False" and an - "InvalidParameters" reason. - - A Gateway for this GatewayClass may provide its own `parametersRef`. 
When both are specified, - the merging behavior is implementation specific. - It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. - - Support: Implementation-specific - properties: - group: - description: Group is the group of the referent. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. - This field is required when referring to a Namespace-scoped resource and - MUST be unset when referring to a Cluster-scoped resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - name - type: object - required: - - controllerName - type: object - status: - default: - conditions: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - description: |- - Status defines the current state of GatewayClass. - - Implementations MUST populate status on all GatewayClass resources which - specify their controller name. - properties: - conditions: - default: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - description: |- - Conditions is the current status from the controller for - this GatewayClass. - - Controllers should prefer to publish conditions using values - of GatewayClassConditionType for the type of each Condition. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - supportedFeatures: - description: |- - SupportedFeatures is the set of features the GatewayClass support. - It MUST be sorted in ascending alphabetical order by the Name key. - items: - properties: - name: - description: |- - FeatureName is used to describe distinct features that are covered by - conformance tests. - type: string - required: - - name - type: object - maxItems: 64 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/standard/gateway.networking.k8s.io_gateways.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 - gateway.networking.k8s.io/channel: standard - name: gateways.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gtw - singular: gateway - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.gatewayClassName - name: Class - type: string - - jsonPath: .status.addresses[*].value - name: Address - type: string - - jsonPath: .status.conditions[?(@.type=="Programmed")].status - name: Programmed - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - 
openAPIV3Schema: - description: |- - Gateway represents an instance of a service-traffic handling infrastructure - by binding Listeners to a set of IP addresses. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of Gateway. - properties: - addresses: - description: |- - Addresses requested for this Gateway. This is optional and behavior can - depend on the implementation. If a value is set in the spec and the - requested address is invalid or unavailable, the implementation MUST - indicate this in an associated entry in GatewayStatus.Conditions. - - The Addresses field represents a request for the address(es) on the - "outside of the Gateway", that traffic bound for this Gateway will use. - This could be the IP address or hostname of an external load balancer or - other networking infrastructure, or some other address that traffic will - be sent to. - - If no Addresses are specified, the implementation MAY schedule the - Gateway in an implementation-specific manner, assigning an appropriate - set of Addresses. - - The implementation MUST bind all Listeners to every GatewayAddress that - it assigns to the Gateway and add a corresponding entry in - GatewayStatus.Addresses. 
- - Support: Extended - items: - description: GatewaySpecAddress describes an address that can be - bound to a Gateway. - oneOf: - - properties: - type: - enum: - - IPAddress - value: - anyOf: - - format: ipv4 - - format: ipv6 - - properties: - type: - not: - enum: - - IPAddress - properties: - type: - default: IPAddress - description: Type of the address. - maxLength: 253 - minLength: 1 - pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - value: - description: |- - When a value is unspecified, an implementation SHOULD automatically - assign an address matching the requested type if possible. - - If an implementation does not support an empty value, they MUST set the - "Programmed" condition in status to False with a reason of "AddressNotAssigned". - - Examples: `1.2.3.4`, `128::1`, `my-ip-address`. - maxLength: 253 - type: string - type: object - x-kubernetes-validations: - - message: Hostname value must be empty or contain only valid characters - (matching ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) - rule: 'self.type == ''Hostname'' ? (!has(self.value) || self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$""")): - true' - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: IPAddress values must be unique - rule: 'self.all(a1, a1.type == ''IPAddress'' && has(a1.value) ? - self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value - == a1.value) : true )' - - message: Hostname values must be unique - rule: 'self.all(a1, a1.type == ''Hostname'' && has(a1.value) ? - self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value - == a1.value) : true )' - gatewayClassName: - description: |- - GatewayClassName used for this Gateway. This is the name of a - GatewayClass resource. 
- maxLength: 253 - minLength: 1 - type: string - infrastructure: - description: |- - Infrastructure defines infrastructure level attributes about this Gateway instance. - - Support: Extended - properties: - annotations: - additionalProperties: - description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. - maxLength: 4096 - minLength: 0 - type: string - description: |- - Annotations that SHOULD be applied to any resources created in response to this Gateway. - - For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. - For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. - - An implementation may chose to add additional implementation-specific annotations as they see fit. - - Support: Extended - maxProperties: 8 - type: object - x-kubernetes-validations: - - message: Annotation keys must be in the form of an optional - DNS subdomain prefix followed by a required name segment of - up to 63 characters. - rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) - - message: If specified, the annotation key's prefix must be a - DNS subdomain not longer than 253 characters in total. - rule: self.all(key, key.split("/")[0].size() < 253) - labels: - additionalProperties: - description: |- - LabelValue is the value of a label in the Gateway API. This is used for validation - of maps such as Gateway infrastructure labels. 
This matches the Kubernetes - label validation rules: - * must be 63 characters or less (can be empty), - * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), - * could contain dashes (-), underscores (_), dots (.), and alphanumerics between. - - Valid values include: - - * MyValue - * my.name - * 123-my-value - maxLength: 63 - minLength: 0 - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - description: |- - Labels that SHOULD be applied to any resources created in response to this Gateway. - - For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. - For other implementations, this refers to any relevant (implementation specific) "labels" concepts. - - An implementation may chose to add additional implementation-specific labels as they see fit. - - If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - change, it SHOULD clearly warn about this behavior in documentation. - - Support: Extended - maxProperties: 8 - type: object - x-kubernetes-validations: - - message: Label keys must be in the form of an optional DNS subdomain - prefix followed by a required name segment of up to 63 characters. - rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) - - message: If specified, the label key's prefix must be a DNS - subdomain not longer than 253 characters in total. - rule: self.all(key, key.split("/")[0].size() < 253) - parametersRef: - description: |- - ParametersRef is a reference to a resource that contains the configuration - parameters corresponding to the Gateway. This is optional if the - controller does not require any additional configuration. 
- - This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis - - The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, - the merging behavior is implementation specific. - It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. - - If the referent cannot be found, refers to an unsupported kind, or when - the data within that resource is malformed, the Gateway SHOULD be - rejected with the "Accepted" status condition set to "False" and an - "InvalidParameters" reason. - - Support: Implementation-specific - properties: - group: - description: Group is the group of the referent. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - type: object - listeners: - description: |- - Listeners associated with this Gateway. Listeners define - logical endpoints that are bound on this Gateway's addresses. - At least one Listener MUST be specified. - - ## Distinct Listeners - - Each Listener in a set of Listeners (for example, in a single Gateway) - MUST be _distinct_, in that a traffic flow MUST be able to be assigned to - exactly one listener. (This section uses "set of Listeners" rather than - "Listeners in a single Gateway" because implementations MAY merge configuration - from multiple Gateways onto a single data plane, and these rules _also_ - apply in that case). - - Practically, this means that each listener in a set MUST have a unique - combination of Port, Protocol, and, if supported by the protocol, Hostname. 
- - Some combinations of port, protocol, and TLS settings are considered - Core support and MUST be supported by implementations based on the objects - they support: - - HTTPRoute - - 1. HTTPRoute, Port: 80, Protocol: HTTP - 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided - - TLSRoute - - 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough - - "Distinct" Listeners have the following property: - - **The implementation can match inbound requests to a single distinct - Listener**. - - When multiple Listeners share values for fields (for - example, two Listeners with the same Port value), the implementation - can match requests to only one of the Listeners using other - Listener fields. - - When multiple listeners have the same value for the Protocol field, then - each of the Listeners with matching Protocol values MUST have different - values for other fields. - - The set of fields that MUST be different for a Listener differs per protocol. - The following rules define the rules for what fields MUST be considered for - Listeners to be distinct with each protocol currently defined in the - Gateway API spec. - - The set of listeners that all share a protocol value MUST have _different_ - values for _at least one_ of these fields to be distinct: - - * **HTTP, HTTPS, TLS**: Port, Hostname - * **TCP, UDP**: Port - - One **very** important rule to call out involves what happens when an - implementation: - - * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - Listeners, and - * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - Protocol. - - In this case all the Listeners that share a port with the - TCP Listener are not distinct and so MUST NOT be accepted. - - If an implementation does not support TCP Protocol Listeners, then the - previous rule does not apply, and the TCP Listeners SHOULD NOT be - accepted. 
- - Note that the `tls` field is not used for determining if a listener is distinct, because - Listeners that _only_ differ on TLS config will still conflict in all cases. - - ### Listeners that are distinct only by Hostname - - When the Listeners are distinct based only on Hostname, inbound request - hostnames MUST match from the most specific to least specific Hostname - values to choose the correct Listener and its associated set of Routes. - - Exact matches MUST be processed before wildcard matches, and wildcard - matches MUST be processed before fallback (empty Hostname value) - matches. For example, `"foo.example.com"` takes precedence over - `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. - - Additionally, if there are multiple wildcard entries, more specific - wildcard entries must be processed before less specific wildcard entries. - For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - - The precise definition here is that the higher the number of dots in the - hostname to the right of the wildcard character, the higher the precedence. - - The wildcard character will match any number of characters _and dots_ to - the left, however, so `"*.example.com"` will match both - `"foo.bar.example.com"` _and_ `"bar.example.com"`. - - ## Handling indistinct Listeners - - If a set of Listeners contains Listeners that are not distinct, then those - Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" - condition in the Listener Status to "True". - - The words "indistinct" and "conflicted" are considered equivalent for the - purpose of this documentation. - - Implementations MAY choose to accept a Gateway with some Conflicted - Listeners only if they only accept the partial Listener set that contains - no Conflicted Listeners. 
- - Specifically, an implementation MAY accept a partial Listener set subject to - the following rules: - - * The implementation MUST NOT pick one conflicting Listener as the winner. - ALL indistinct Listeners must not be accepted for processing. - * At least one distinct Listener MUST be present, or else the Gateway effectively - contains _no_ Listeners, and must be rejected from processing as a whole. - - The implementation MUST set a "ListenersNotValid" condition on the - Gateway Status when the Gateway contains Conflicted Listeners whether or - not they accept the Gateway. That Condition SHOULD clearly - indicate in the Message which Listeners are conflicted, and which are - Accepted. Additionally, the Listener status for those listeners SHOULD - indicate which Listeners are conflicted and not Accepted. - - ## General Listener behavior - - Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - request to "foo.example.com" SHOULD only be routed using routes attached - to the "foo.example.com" Listener (and not the "*.example.com" Listener). - - This concept is known as "Listener Isolation", and it is an Extended feature - of Gateway API. Implementations that do not support Listener Isolation MUST - clearly document this, and MUST NOT claim support for the - `GatewayHTTPListenerIsolation` feature. - - Implementations that _do_ support Listener Isolation SHOULD claim support - for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - conformance tests. - - ## Compatible Listeners - - A Gateway's Listeners are considered _compatible_ if: - - 1. They are distinct. - 2. The implementation can serve them in compliance with the Addresses - requirement that all Listeners are available on all assigned - addresses. - - Compatible combinations in Extended support are expected to vary across - implementations. 
A combination that is compatible for one implementation - may not be compatible for another. - - For example, an implementation that cannot serve both TCP and UDP listeners - on the same address, or cannot mix HTTPS and generic TLS listens on the same port - would not consider those cases compatible, even though they are distinct. - - Implementations MAY merge separate Gateways onto a single set of - Addresses if all Listeners across all Gateways are compatible. - - In a future release the MinItems=1 requirement MAY be dropped. - - Support: Core - items: - description: |- - Listener embodies the concept of a logical endpoint where a Gateway accepts - network connections. - properties: - allowedRoutes: - default: - namespaces: - from: Same - description: |- - AllowedRoutes defines the types of routes that MAY be attached to a - Listener and the trusted namespaces where those Route resources MAY be - present. - - Although a client request may match multiple route rules, only one rule - may ultimately receive the request. Matching precedence MUST be - determined in order of the following criteria: - - * The most specific match as defined by the Route type. - * The oldest Route based on creation timestamp. For example, a Route with - a creation timestamp of "2020-09-08 01:02:03" is given precedence over - a Route with a creation timestamp of "2020-09-08 01:02:04". - * If everything else is equivalent, the Route appearing first in - alphabetical order (namespace/name) should be given precedence. For - example, foo/bar is given precedence over foo/baz. - - All valid rules within a Route attached to this Listener should be - implemented. Invalid Route rules can be ignored (sometimes that will mean - the full Route). If a Route rule transitions from valid to invalid, - support for that Route rule should be dropped to ensure consistency. For - example, even if a filter specified by a Route rule is invalid, the rest - of the rules within that Route should still be supported. 
- - Support: Core - properties: - kinds: - description: |- - Kinds specifies the groups and kinds of Routes that are allowed to bind - to this Gateway Listener. When unspecified or empty, the kinds of Routes - selected are determined using the Listener protocol. - - A RouteGroupKind MUST correspond to kinds of Routes that are compatible - with the application protocol specified in the Listener's Protocol field. - If an implementation does not support or recognize this resource type, it - MUST set the "ResolvedRefs" condition to False for this Listener with the - "InvalidRouteKinds" reason. - - Support: Core - items: - description: RouteGroupKind indicates the group and kind - of a Route resource. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the Route. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is the kind of the Route. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - required: - - kind - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic - namespaces: - default: - from: Same - description: |- - Namespaces indicates namespaces from which Routes may be attached to this - Listener. This is restricted to the namespace of this Gateway by default. - - Support: Core - properties: - from: - default: Same - description: |- - From indicates where Routes will be selected for this Gateway. Possible - values are: - - * All: Routes in all namespaces may be used by this Gateway. - * Selector: Routes in namespaces selected by the selector may be used by - this Gateway. - * Same: Only Routes in the same namespace may be used by this Gateway. - - Support: Core - enum: - - All - - Selector - - Same - type: string - selector: - description: |- - Selector must be specified when From is set to "Selector". 
In that case, - only Routes in Namespaces matching this Selector will be selected by this - Gateway. This field is ignored for other values of "From". - - Support: Core - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: object - hostname: - description: |- - Hostname specifies the virtual hostname to match for protocol types that - define this concept. When unspecified, all hostnames are matched. This - field is ignored for protocols that don't require hostname based - matching. 
- - Implementations MUST apply Hostname matching appropriately for each of - the following protocols: - - * TLS: The Listener Hostname MUST match the SNI. - * HTTP: The Listener Hostname MUST match the Host header of the request. - * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - Note that this does not require the SNI and Host header to be the same. - The semantics of this are described in more detail below. - - To ensure security, Section 11.1 of RFC-6066 emphasizes that server - implementations that rely on SNI hostname matching MUST also verify - hostnames within the application protocol. - - Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - reuse of a connection by responding with the HTTP 421 Misdirected Request - status code. This indicates that the origin server has rejected the - request because it appears to have been misdirected. - - To detect misdirected requests, Gateways SHOULD match the authority of - the requests with all the SNI hostname(s) configured across all the - Gateway Listeners on the same port and protocol: - - * If another Listener has an exact match or more specific wildcard entry, - the Gateway SHOULD return a 421. - * If the current Listener (selected by SNI matching during ClientHello) - does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a - 421. - * If no other Listener matches the Host, the Gateway MUST return a - 404. - - For HTTPRoute and TLSRoute resources, there is an interaction with the - `spec.hostnames` array. When both listener and route specify hostnames, - there MUST be an intersection between the values for a Route to be - accepted. For more information, refer to the Route specific Hostnames - documentation. - - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - as a suffix match. 
That means that a match for `*.example.com` would match - both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - name: - description: |- - Name is the name of the Listener. This name MUST be unique within a - Gateway. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - port: - description: |- - Port is the network port. Multiple listeners may use the - same port, subject to the Listener compatibility rules. - - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - description: |- - Protocol specifies the network protocol this listener expects to receive. - - Support: Core - maxLength: 255 - minLength: 1 - pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ - type: string - tls: - description: |- - TLS is the TLS configuration for the Listener. This field is required if - the Protocol field is "HTTPS" or "TLS". It is invalid to set this field - if the Protocol field is "HTTP", "TCP", or "UDP". - - The association of SNIs to Certificate defined in ListenerTLSConfig is - defined based on the Hostname field for this listener. - - The GatewayClass MUST use the longest matching SNI out of all - available certificates for any TLS handshake. - - Support: Core - properties: - certificateRefs: - description: |- - CertificateRefs contains a series of references to Kubernetes objects that - contains TLS certificates and private keys. These certificates are used to - establish a TLS handshake for requests that match the hostname of the - associated listener. - - A single CertificateRef to a Kubernetes Secret has "Core" support. 
- Implementations MAY choose to support attaching multiple certificates to - a Listener, but this behavior is implementation-specific. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - This field is required to have at least one element when the mode is set - to "Terminate" (default) and is optional otherwise. - - CertificateRefs can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. - - Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - - Support: Implementation-specific (More than one reference or other resource types) - items: - description: |- - SecretObjectReference identifies an API object including its namespace, - defaulting to Secret. - - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Secret - description: Kind is kind of the referent. For example - "Secret". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. 
- maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - maxItems: 64 - type: array - x-kubernetes-list-type: atomic - mode: - default: Terminate - description: |- - Mode defines the TLS behavior for the TLS session initiated by the client. - There are two possible modes: - - - Terminate: The TLS session between the downstream client and the - Gateway is terminated at the Gateway. This mode requires certificates - to be specified in some way, such as populating the certificateRefs - field. - - Passthrough: The TLS session is NOT terminated by the Gateway. This - implies that the Gateway can't decipher the TLS stream except for - the ClientHello message of the TLS protocol. The certificateRefs field - is ignored in this mode. - - Support: Core - enum: - - Terminate - - Passthrough - type: string - options: - additionalProperties: - description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. - maxLength: 4096 - minLength: 0 - type: string - description: |- - Options are a list of key/value pairs to enable extended TLS - configuration for each implementation. For example, configuring the - minimum TLS version or supported cipher suites. - - A set of common keys MAY be defined by the API in the future. 
To avoid - any ambiguity, implementation-specific definitions MUST use - domain-prefixed names, such as `example.com/my-custom-option`. - Un-prefixed names are reserved for key names defined by Gateway API. - - Support: Implementation-specific - maxProperties: 16 - type: object - type: object - x-kubernetes-validations: - - message: certificateRefs or options must be specified when - mode is Terminate - rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) - > 0 || size(self.options) > 0 : true' - required: - - name - - port - - protocol - type: object - maxItems: 64 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: tls must not be specified for protocols ['HTTP', 'TCP', - 'UDP'] - rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? - !has(l.tls) : true)' - - message: tls mode must be Terminate for protocol HTTPS - rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode - == '''' || l.tls.mode == ''Terminate'') : true)' - - message: hostname must not be specified for protocols ['TCP', 'UDP'] - rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) - || l.hostname == '''') : true)' - - message: Listener name must be unique within the Gateway - rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) - - message: Combination of port, protocol and hostname must be unique - for each listener - rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol - == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? 
l1.hostname - == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' - required: - - gatewayClassName - - listeners - type: object - status: - default: - conditions: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Programmed - description: Status defines the current state of Gateway. - properties: - addresses: - description: |- - Addresses lists the network addresses that have been bound to the - Gateway. - - This list may differ from the addresses provided in the spec under some - conditions: - - * no addresses are specified, all addresses are dynamically assigned - * a combination of specified and dynamic addresses are assigned - * a specified address was unusable (e.g. already in use) - items: - description: GatewayStatusAddress describes a network address that - is bound to a Gateway. - oneOf: - - properties: - type: - enum: - - IPAddress - value: - anyOf: - - format: ipv4 - - format: ipv6 - - properties: - type: - not: - enum: - - IPAddress - properties: - type: - default: IPAddress - description: Type of the address. - maxLength: 253 - minLength: 1 - pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - value: - description: |- - Value of the address. The validity of the values will depend - on the type and support by the controller. - - Examples: `1.2.3.4`, `128::1`, `my-ip-address`. - maxLength: 253 - minLength: 1 - type: string - required: - - value - type: object - x-kubernetes-validations: - - message: Hostname value must only contain valid characters (matching - ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) - rule: 'self.type == ''Hostname'' ? 
self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): - true' - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - conditions: - default: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Programmed - description: |- - Conditions describe the current conditions of the Gateway. - - Implementations should prefer to express Gateway conditions - using the `GatewayConditionType` and `GatewayConditionReason` - constants so that operators and tools can converge on a common - vocabulary to describe Gateway state. - - Known condition types are: - - * "Accepted" - * "Programmed" - * "Ready" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - listeners: - description: Listeners provide status for each unique listener port - defined in the Spec. - items: - description: ListenerStatus is the status associated with a Listener. - properties: - attachedRoutes: - description: |- - AttachedRoutes represents the total number of Routes that have been - successfully attached to this Listener. - - Successful attachment of a Route to a Listener is based solely on the - combination of the AllowedRoutes field on the corresponding Listener - and the Route's ParentRefs field. A Route is successfully attached to - a Listener when it is selected by the Listener's AllowedRoutes field - AND the Route has a valid ParentRef selecting the whole Gateway - resource or a specific Listener as a parent resource (more detail on - attachment semantics can be found in the documentation on the various - Route kinds ParentRefs fields). Listener or Route status does not impact - successful attachment, i.e. 
the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. - - Uses for this field include troubleshooting Route attachment and - measuring blast radius/impact of changes to a Listener. - format: int32 - type: integer - conditions: - description: Conditions describe the current condition of this - listener. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - name: - description: Name is the name of the Listener that this status - corresponds to. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - supportedKinds: - description: |- - SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for - that Listener configuration. - - If kinds are specified in Spec that are not supported, they MUST NOT - appear in this list and an implementation MUST set the "ResolvedRefs" - condition to "False" with the "InvalidRouteKinds" reason. If both valid - and invalid Route kinds are specified, the implementation MUST - reference the valid Route kinds that have been specified. - items: - description: RouteGroupKind indicates the group and kind of - a Route resource. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the Route. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is the kind of the Route. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - required: - - kind - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic - required: - - attachedRoutes - - conditions - - name - - supportedKinds - type: object - maxItems: 64 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.gatewayClassName - name: Class - type: string - - jsonPath: .status.addresses[*].value - name: Address - type: string - - jsonPath: .status.conditions[?(@.type=="Programmed")].status - name: Programmed - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - Gateway represents an instance of a service-traffic handling infrastructure - by binding Listeners to a set of IP addresses. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of Gateway. - properties: - addresses: - description: |- - Addresses requested for this Gateway. This is optional and behavior can - depend on the implementation. 
If a value is set in the spec and the - requested address is invalid or unavailable, the implementation MUST - indicate this in an associated entry in GatewayStatus.Conditions. - - The Addresses field represents a request for the address(es) on the - "outside of the Gateway", that traffic bound for this Gateway will use. - This could be the IP address or hostname of an external load balancer or - other networking infrastructure, or some other address that traffic will - be sent to. - - If no Addresses are specified, the implementation MAY schedule the - Gateway in an implementation-specific manner, assigning an appropriate - set of Addresses. - - The implementation MUST bind all Listeners to every GatewayAddress that - it assigns to the Gateway and add a corresponding entry in - GatewayStatus.Addresses. - - Support: Extended - items: - description: GatewaySpecAddress describes an address that can be - bound to a Gateway. - oneOf: - - properties: - type: - enum: - - IPAddress - value: - anyOf: - - format: ipv4 - - format: ipv6 - - properties: - type: - not: - enum: - - IPAddress - properties: - type: - default: IPAddress - description: Type of the address. - maxLength: 253 - minLength: 1 - pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - value: - description: |- - When a value is unspecified, an implementation SHOULD automatically - assign an address matching the requested type if possible. - - If an implementation does not support an empty value, they MUST set the - "Programmed" condition in status to False with a reason of "AddressNotAssigned". - - Examples: `1.2.3.4`, `128::1`, `my-ip-address`. 
- maxLength: 253 - type: string - type: object - x-kubernetes-validations: - - message: Hostname value must be empty or contain only valid characters - (matching ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) - rule: 'self.type == ''Hostname'' ? (!has(self.value) || self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$""")): - true' - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: IPAddress values must be unique - rule: 'self.all(a1, a1.type == ''IPAddress'' && has(a1.value) ? - self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value - == a1.value) : true )' - - message: Hostname values must be unique - rule: 'self.all(a1, a1.type == ''Hostname'' && has(a1.value) ? - self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value - == a1.value) : true )' - gatewayClassName: - description: |- - GatewayClassName used for this Gateway. This is the name of a - GatewayClass resource. - maxLength: 253 - minLength: 1 - type: string - infrastructure: - description: |- - Infrastructure defines infrastructure level attributes about this Gateway instance. - - Support: Extended - properties: - annotations: - additionalProperties: - description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. - maxLength: 4096 - minLength: 0 - type: string - description: |- - Annotations that SHOULD be applied to any resources created in response to this Gateway. - - For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. - For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. 
- - An implementation may chose to add additional implementation-specific annotations as they see fit. - - Support: Extended - maxProperties: 8 - type: object - x-kubernetes-validations: - - message: Annotation keys must be in the form of an optional - DNS subdomain prefix followed by a required name segment of - up to 63 characters. - rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) - - message: If specified, the annotation key's prefix must be a - DNS subdomain not longer than 253 characters in total. - rule: self.all(key, key.split("/")[0].size() < 253) - labels: - additionalProperties: - description: |- - LabelValue is the value of a label in the Gateway API. This is used for validation - of maps such as Gateway infrastructure labels. This matches the Kubernetes - label validation rules: - * must be 63 characters or less (can be empty), - * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), - * could contain dashes (-), underscores (_), dots (.), and alphanumerics between. - - Valid values include: - - * MyValue - * my.name - * 123-my-value - maxLength: 63 - minLength: 0 - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - description: |- - Labels that SHOULD be applied to any resources created in response to this Gateway. - - For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. - For other implementations, this refers to any relevant (implementation specific) "labels" concepts. - - An implementation may chose to add additional implementation-specific labels as they see fit. - - If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - change, it SHOULD clearly warn about this behavior in documentation. 
- - Support: Extended - maxProperties: 8 - type: object - x-kubernetes-validations: - - message: Label keys must be in the form of an optional DNS subdomain - prefix followed by a required name segment of up to 63 characters. - rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) - - message: If specified, the label key's prefix must be a DNS - subdomain not longer than 253 characters in total. - rule: self.all(key, key.split("/")[0].size() < 253) - parametersRef: - description: |- - ParametersRef is a reference to a resource that contains the configuration - parameters corresponding to the Gateway. This is optional if the - controller does not require any additional configuration. - - This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis - - The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, - the merging behavior is implementation specific. - It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. - - If the referent cannot be found, refers to an unsupported kind, or when - the data within that resource is malformed, the Gateway SHOULD be - rejected with the "Accepted" status condition set to "False" and an - "InvalidParameters" reason. - - Support: Implementation-specific - properties: - group: - description: Group is the group of the referent. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. 
- maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - type: object - listeners: - description: |- - Listeners associated with this Gateway. Listeners define - logical endpoints that are bound on this Gateway's addresses. - At least one Listener MUST be specified. - - ## Distinct Listeners - - Each Listener in a set of Listeners (for example, in a single Gateway) - MUST be _distinct_, in that a traffic flow MUST be able to be assigned to - exactly one listener. (This section uses "set of Listeners" rather than - "Listeners in a single Gateway" because implementations MAY merge configuration - from multiple Gateways onto a single data plane, and these rules _also_ - apply in that case). - - Practically, this means that each listener in a set MUST have a unique - combination of Port, Protocol, and, if supported by the protocol, Hostname. - - Some combinations of port, protocol, and TLS settings are considered - Core support and MUST be supported by implementations based on the objects - they support: - - HTTPRoute - - 1. HTTPRoute, Port: 80, Protocol: HTTP - 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided - - TLSRoute - - 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough - - "Distinct" Listeners have the following property: - - **The implementation can match inbound requests to a single distinct - Listener**. - - When multiple Listeners share values for fields (for - example, two Listeners with the same Port value), the implementation - can match requests to only one of the Listeners using other - Listener fields. - - When multiple listeners have the same value for the Protocol field, then - each of the Listeners with matching Protocol values MUST have different - values for other fields. - - The set of fields that MUST be different for a Listener differs per protocol. 
- The following rules define the rules for what fields MUST be considered for - Listeners to be distinct with each protocol currently defined in the - Gateway API spec. - - The set of listeners that all share a protocol value MUST have _different_ - values for _at least one_ of these fields to be distinct: - - * **HTTP, HTTPS, TLS**: Port, Hostname - * **TCP, UDP**: Port - - One **very** important rule to call out involves what happens when an - implementation: - - * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - Listeners, and - * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - Protocol. - - In this case all the Listeners that share a port with the - TCP Listener are not distinct and so MUST NOT be accepted. - - If an implementation does not support TCP Protocol Listeners, then the - previous rule does not apply, and the TCP Listeners SHOULD NOT be - accepted. - - Note that the `tls` field is not used for determining if a listener is distinct, because - Listeners that _only_ differ on TLS config will still conflict in all cases. - - ### Listeners that are distinct only by Hostname - - When the Listeners are distinct based only on Hostname, inbound request - hostnames MUST match from the most specific to least specific Hostname - values to choose the correct Listener and its associated set of Routes. - - Exact matches MUST be processed before wildcard matches, and wildcard - matches MUST be processed before fallback (empty Hostname value) - matches. For example, `"foo.example.com"` takes precedence over - `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. - - Additionally, if there are multiple wildcard entries, more specific - wildcard entries must be processed before less specific wildcard entries. - For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. 
- - The precise definition here is that the higher the number of dots in the - hostname to the right of the wildcard character, the higher the precedence. - - The wildcard character will match any number of characters _and dots_ to - the left, however, so `"*.example.com"` will match both - `"foo.bar.example.com"` _and_ `"bar.example.com"`. - - ## Handling indistinct Listeners - - If a set of Listeners contains Listeners that are not distinct, then those - Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" - condition in the Listener Status to "True". - - The words "indistinct" and "conflicted" are considered equivalent for the - purpose of this documentation. - - Implementations MAY choose to accept a Gateway with some Conflicted - Listeners only if they only accept the partial Listener set that contains - no Conflicted Listeners. - - Specifically, an implementation MAY accept a partial Listener set subject to - the following rules: - - * The implementation MUST NOT pick one conflicting Listener as the winner. - ALL indistinct Listeners must not be accepted for processing. - * At least one distinct Listener MUST be present, or else the Gateway effectively - contains _no_ Listeners, and must be rejected from processing as a whole. - - The implementation MUST set a "ListenersNotValid" condition on the - Gateway Status when the Gateway contains Conflicted Listeners whether or - not they accept the Gateway. That Condition SHOULD clearly - indicate in the Message which Listeners are conflicted, and which are - Accepted. Additionally, the Listener status for those listeners SHOULD - indicate which Listeners are conflicted and not Accepted. - - ## General Listener behavior - - Note that, for all distinct Listeners, requests SHOULD match at most one Listener. 
- For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - request to "foo.example.com" SHOULD only be routed using routes attached - to the "foo.example.com" Listener (and not the "*.example.com" Listener). - - This concept is known as "Listener Isolation", and it is an Extended feature - of Gateway API. Implementations that do not support Listener Isolation MUST - clearly document this, and MUST NOT claim support for the - `GatewayHTTPListenerIsolation` feature. - - Implementations that _do_ support Listener Isolation SHOULD claim support - for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - conformance tests. - - ## Compatible Listeners - - A Gateway's Listeners are considered _compatible_ if: - - 1. They are distinct. - 2. The implementation can serve them in compliance with the Addresses - requirement that all Listeners are available on all assigned - addresses. - - Compatible combinations in Extended support are expected to vary across - implementations. A combination that is compatible for one implementation - may not be compatible for another. - - For example, an implementation that cannot serve both TCP and UDP listeners - on the same address, or cannot mix HTTPS and generic TLS listens on the same port - would not consider those cases compatible, even though they are distinct. - - Implementations MAY merge separate Gateways onto a single set of - Addresses if all Listeners across all Gateways are compatible. - - In a future release the MinItems=1 requirement MAY be dropped. - - Support: Core - items: - description: |- - Listener embodies the concept of a logical endpoint where a Gateway accepts - network connections. - properties: - allowedRoutes: - default: - namespaces: - from: Same - description: |- - AllowedRoutes defines the types of routes that MAY be attached to a - Listener and the trusted namespaces where those Route resources MAY be - present. 
- - Although a client request may match multiple route rules, only one rule - may ultimately receive the request. Matching precedence MUST be - determined in order of the following criteria: - - * The most specific match as defined by the Route type. - * The oldest Route based on creation timestamp. For example, a Route with - a creation timestamp of "2020-09-08 01:02:03" is given precedence over - a Route with a creation timestamp of "2020-09-08 01:02:04". - * If everything else is equivalent, the Route appearing first in - alphabetical order (namespace/name) should be given precedence. For - example, foo/bar is given precedence over foo/baz. - - All valid rules within a Route attached to this Listener should be - implemented. Invalid Route rules can be ignored (sometimes that will mean - the full Route). If a Route rule transitions from valid to invalid, - support for that Route rule should be dropped to ensure consistency. For - example, even if a filter specified by a Route rule is invalid, the rest - of the rules within that Route should still be supported. - - Support: Core - properties: - kinds: - description: |- - Kinds specifies the groups and kinds of Routes that are allowed to bind - to this Gateway Listener. When unspecified or empty, the kinds of Routes - selected are determined using the Listener protocol. - - A RouteGroupKind MUST correspond to kinds of Routes that are compatible - with the application protocol specified in the Listener's Protocol field. - If an implementation does not support or recognize this resource type, it - MUST set the "ResolvedRefs" condition to False for this Listener with the - "InvalidRouteKinds" reason. - - Support: Core - items: - description: RouteGroupKind indicates the group and kind - of a Route resource. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the Route. 
- maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is the kind of the Route. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - required: - - kind - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic - namespaces: - default: - from: Same - description: |- - Namespaces indicates namespaces from which Routes may be attached to this - Listener. This is restricted to the namespace of this Gateway by default. - - Support: Core - properties: - from: - default: Same - description: |- - From indicates where Routes will be selected for this Gateway. Possible - values are: - - * All: Routes in all namespaces may be used by this Gateway. - * Selector: Routes in namespaces selected by the selector may be used by - this Gateway. - * Same: Only Routes in the same namespace may be used by this Gateway. - - Support: Core - enum: - - All - - Selector - - Same - type: string - selector: - description: |- - Selector must be specified when From is set to "Selector". In that case, - only Routes in Namespaces matching this Selector will be selected by this - Gateway. This field is ignored for other values of "From". - - Support: Core - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: object - hostname: - description: |- - Hostname specifies the virtual hostname to match for protocol types that - define this concept. When unspecified, all hostnames are matched. This - field is ignored for protocols that don't require hostname based - matching. - - Implementations MUST apply Hostname matching appropriately for each of - the following protocols: - - * TLS: The Listener Hostname MUST match the SNI. - * HTTP: The Listener Hostname MUST match the Host header of the request. - * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - Note that this does not require the SNI and Host header to be the same. - The semantics of this are described in more detail below. - - To ensure security, Section 11.1 of RFC-6066 emphasizes that server - implementations that rely on SNI hostname matching MUST also verify - hostnames within the application protocol. - - Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - reuse of a connection by responding with the HTTP 421 Misdirected Request - status code. This indicates that the origin server has rejected the - request because it appears to have been misdirected. 
- - To detect misdirected requests, Gateways SHOULD match the authority of - the requests with all the SNI hostname(s) configured across all the - Gateway Listeners on the same port and protocol: - - * If another Listener has an exact match or more specific wildcard entry, - the Gateway SHOULD return a 421. - * If the current Listener (selected by SNI matching during ClientHello) - does not match the Host: - * If another Listener does match the Host the Gateway SHOULD return a - 421. - * If no other Listener matches the Host, the Gateway MUST return a - 404. - - For HTTPRoute and TLSRoute resources, there is an interaction with the - `spec.hostnames` array. When both listener and route specify hostnames, - there MUST be an intersection between the values for a Route to be - accepted. For more information, refer to the Route specific Hostnames - documentation. - - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - as a suffix match. That means that a match for `*.example.com` would match - both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - name: - description: |- - Name is the name of the Listener. This name MUST be unique within a - Gateway. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - port: - description: |- - Port is the network port. Multiple listeners may use the - same port, subject to the Listener compatibility rules. - - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - description: |- - Protocol specifies the network protocol this listener expects to receive. 
- - Support: Core - maxLength: 255 - minLength: 1 - pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ - type: string - tls: - description: |- - TLS is the TLS configuration for the Listener. This field is required if - the Protocol field is "HTTPS" or "TLS". It is invalid to set this field - if the Protocol field is "HTTP", "TCP", or "UDP". - - The association of SNIs to Certificate defined in ListenerTLSConfig is - defined based on the Hostname field for this listener. - - The GatewayClass MUST use the longest matching SNI out of all - available certificates for any TLS handshake. - - Support: Core - properties: - certificateRefs: - description: |- - CertificateRefs contains a series of references to Kubernetes objects that - contains TLS certificates and private keys. These certificates are used to - establish a TLS handshake for requests that match the hostname of the - associated listener. - - A single CertificateRef to a Kubernetes Secret has "Core" support. - Implementations MAY choose to support attaching multiple certificates to - a Listener, but this behavior is implementation-specific. - - References to a resource in different namespace are invalid UNLESS there - is a ReferenceGrant in the target namespace that allows the certificate - to be attached. If a ReferenceGrant does not allow this reference, the - "ResolvedRefs" condition MUST be set to False for this listener with the - "RefNotPermitted" reason. - - This field is required to have at least one element when the mode is set - to "Terminate" (default) and is optional otherwise. - - CertificateRefs can reference to standard Kubernetes resources, i.e. - Secret, or implementation-specific custom resources. 
- - Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - - Support: Implementation-specific (More than one reference or other resource types) - items: - description: |- - SecretObjectReference identifies an API object including its namespace, - defaulting to Secret. - - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Secret - description: Kind is kind of the referent. For example - "Secret". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - maxItems: 64 - type: array - x-kubernetes-list-type: atomic - mode: - default: Terminate - description: |- - Mode defines the TLS behavior for the TLS session initiated by the client. 
- There are two possible modes: - - - Terminate: The TLS session between the downstream client and the - Gateway is terminated at the Gateway. This mode requires certificates - to be specified in some way, such as populating the certificateRefs - field. - - Passthrough: The TLS session is NOT terminated by the Gateway. This - implies that the Gateway can't decipher the TLS stream except for - the ClientHello message of the TLS protocol. The certificateRefs field - is ignored in this mode. - - Support: Core - enum: - - Terminate - - Passthrough - type: string - options: - additionalProperties: - description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. - maxLength: 4096 - minLength: 0 - type: string - description: |- - Options are a list of key/value pairs to enable extended TLS - configuration for each implementation. For example, configuring the - minimum TLS version or supported cipher suites. - - A set of common keys MAY be defined by the API in the future. To avoid - any ambiguity, implementation-specific definitions MUST use - domain-prefixed names, such as `example.com/my-custom-option`. - Un-prefixed names are reserved for key names defined by Gateway API. - - Support: Implementation-specific - maxProperties: 16 - type: object - type: object - x-kubernetes-validations: - - message: certificateRefs or options must be specified when - mode is Terminate - rule: 'self.mode == ''Terminate'' ? 
size(self.certificateRefs) - > 0 || size(self.options) > 0 : true' - required: - - name - - port - - protocol - type: object - maxItems: 64 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: tls must not be specified for protocols ['HTTP', 'TCP', - 'UDP'] - rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? - !has(l.tls) : true)' - - message: tls mode must be Terminate for protocol HTTPS - rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode - == '''' || l.tls.mode == ''Terminate'') : true)' - - message: hostname must not be specified for protocols ['TCP', 'UDP'] - rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) - || l.hostname == '''') : true)' - - message: Listener name must be unique within the Gateway - rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) - - message: Combination of port, protocol and hostname must be unique - for each listener - rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol - == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname - == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' - required: - - gatewayClassName - - listeners - type: object - status: - default: - conditions: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Programmed - description: Status defines the current state of Gateway. - properties: - addresses: - description: |- - Addresses lists the network addresses that have been bound to the - Gateway. 
- - This list may differ from the addresses provided in the spec under some - conditions: - - * no addresses are specified, all addresses are dynamically assigned - * a combination of specified and dynamic addresses are assigned - * a specified address was unusable (e.g. already in use) - items: - description: GatewayStatusAddress describes a network address that - is bound to a Gateway. - oneOf: - - properties: - type: - enum: - - IPAddress - value: - anyOf: - - format: ipv4 - - format: ipv6 - - properties: - type: - not: - enum: - - IPAddress - properties: - type: - default: IPAddress - description: Type of the address. - maxLength: 253 - minLength: 1 - pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - value: - description: |- - Value of the address. The validity of the values will depend - on the type and support by the controller. - - Examples: `1.2.3.4`, `128::1`, `my-ip-address`. - maxLength: 253 - minLength: 1 - type: string - required: - - value - type: object - x-kubernetes-validations: - - message: Hostname value must only contain valid characters (matching - ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) - rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): - true' - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - conditions: - default: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Accepted - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Waiting for controller - reason: Pending - status: Unknown - type: Programmed - description: |- - Conditions describe the current conditions of the Gateway. 
- - Implementations should prefer to express Gateway conditions - using the `GatewayConditionType` and `GatewayConditionReason` - constants so that operators and tools can converge on a common - vocabulary to describe Gateway state. - - Known condition types are: - - * "Accepted" - * "Programmed" - * "Ready" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - listeners: - description: Listeners provide status for each unique listener port - defined in the Spec. - items: - description: ListenerStatus is the status associated with a Listener. - properties: - attachedRoutes: - description: |- - AttachedRoutes represents the total number of Routes that have been - successfully attached to this Listener. - - Successful attachment of a Route to a Listener is based solely on the - combination of the AllowedRoutes field on the corresponding Listener - and the Route's ParentRefs field. A Route is successfully attached to - a Listener when it is selected by the Listener's AllowedRoutes field - AND the Route has a valid ParentRef selecting the whole Gateway - resource or a specific Listener as a parent resource (more detail on - attachment semantics can be found in the documentation on the various - Route kinds ParentRefs fields). Listener or Route status does not impact - successful attachment, i.e. the AttachedRoutes field count MUST be set - for Listeners with condition Accepted: false and MUST count successfully - attached Routes that may themselves have Accepted: false conditions. - - Uses for this field include troubleshooting Route attachment and - measuring blast radius/impact of changes to a Listener. - format: int32 - type: integer - conditions: - description: Conditions describe the current condition of this - listener. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. 
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - name: - description: Name is the name of the Listener that this status - corresponds to. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - supportedKinds: - description: |- - SupportedKinds is the list indicating the Kinds supported by this - listener. This MUST represent the kinds an implementation supports for - that Listener configuration. - - If kinds are specified in Spec that are not supported, they MUST NOT - appear in this list and an implementation MUST set the "ResolvedRefs" - condition to "False" with the "InvalidRouteKinds" reason. If both valid - and invalid Route kinds are specified, the implementation MUST - reference the valid Route kinds that have been specified. - items: - description: RouteGroupKind indicates the group and kind of - a Route resource. - properties: - group: - default: gateway.networking.k8s.io - description: Group is the group of the Route. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is the kind of the Route. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - required: - - kind - type: object - maxItems: 8 - type: array - x-kubernetes-list-type: atomic - required: - - attachedRoutes - - conditions - - name - - supportedKinds - type: object - maxItems: 64 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 - gateway.networking.k8s.io/channel: standard - name: grpcroutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: GRPCRoute - listKind: GRPCRouteList - plural: grpcroutes - singular: grpcroute - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.hostnames - name: Hostnames - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - GRPCRoute provides a way to route gRPC requests. This includes the capability - to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. - Filters can be used to specify additional processing steps. Backends specify - where matching requests will be routed. - - GRPCRoute falls under extended support within the Gateway API. 
Within the - following specification, the word "MUST" indicates that an implementation - supporting GRPCRoute must conform to the indicated requirement, but an - implementation not supporting this route type need not follow the requirement - unless explicitly indicated. - - Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST - accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via - ALPN. If the implementation does not support this, then it MUST set the - "Accepted" condition to "False" for the affected listener with a reason of - "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections - with an upgrade from HTTP/1. - - Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST - support HTTP/2 over cleartext TCP (h2c, - https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial - upgrade from HTTP/1.1, i.e. with prior knowledge - (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation - does not support this, then it MUST set the "Accepted" condition to "False" - for the affected listener with a reason of "UnsupportedProtocol". - Implementations MAY also accept HTTP/2 connections with an upgrade from - HTTP/1, i.e. without prior knowledge. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of GRPCRoute. - properties: - hostnames: - description: |- - Hostnames defines a set of hostnames to match against the GRPC - Host header to select a GRPCRoute to process the request. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label MUST appear by itself as the first label. - - If a hostname is specified by both the Listener and GRPCRoute, there - MUST be at least one intersecting hostname for the GRPCRoute to be - attached to the Listener. For example: - - * A Listener with `test.example.com` as the hostname matches GRPCRoutes - that have either not specified any hostnames, or have specified at - least one of `test.example.com` or `*.example.com`. - * A Listener with `*.example.com` as the hostname matches GRPCRoutes - that have either not specified any hostnames or have specified at least - one hostname that matches the Listener hostname. For example, - `test.example.com` and `*.example.com` would both match. On the other - hand, `example.com` and `test.example.net` would not match. - - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - as a suffix match. That means that a match for `*.example.com` would match - both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - - If both the Listener and GRPCRoute have specified hostnames, any - GRPCRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - GRPCRoute specified `test.example.com` and `test.example.net`, - `test.example.net` MUST NOT be considered for a match. 
- - If both the Listener and GRPCRoute have specified hostnames, and none - match with the criteria above, then the GRPCRoute MUST NOT be accepted by - the implementation. The implementation MUST raise an 'Accepted' Condition - with a status of `False` in the corresponding RouteParentStatus. - - If a Route (A) of type HTTPRoute or GRPCRoute is attached to a - Listener and that listener already has another Route (B) of the other - type attached and the intersection of the hostnames of A and B is - non-empty, then the implementation MUST accept exactly one of these two - routes, determined by the following criteria, in order: - - * The oldest Route based on creation timestamp. - * The Route appearing first in alphabetical order by - "{namespace}/{name}". - - The rejected Route MUST raise an 'Accepted' condition with a status of - 'False' in the corresponding RouteParentStatus. - - Support: Core - items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - parentRefs: - description: |- - ParentRefs references the resources (usually Gateways) that a Route wants - to be attached to. 
Note that the referenced parent resource needs to - allow this for the attachment to be complete. For Gateways, that means - the Gateway needs to allow attachment from Routes of this kind and - namespace. For Services, that means the Service must either be in the same - namespace for a "producer" route, or the mesh implementation must support - and allow "consumer" routes for the referenced Service. ReferenceGrant is - not applicable for governing ParentRefs to Services - it is not possible to - create a "producer" route for a Service in a different namespace from the - Route. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - This API may be extended in the future to support additional kinds of parent - resources. - - ParentRefs must be _distinct_. This means either that: - - * They select different objects. If this is the case, then parentRef - entries are distinct. In terms of fields, this means that the - multi-part key defined by `group`, `kind`, `namespace`, and `name` must - be unique across all parentRef entries in the Route. - * They do not select different objects, but for each optional field used, - each ParentRef that selects the same object must set the same set of - optional fields to different values. If one ParentRef sets a - combination of optional fields, all must set the same combination. - - Some examples: - - * If one ParentRef sets `sectionName`, all ParentRefs referencing the - same object must also set `sectionName`. - * If one ParentRef sets `port`, all ParentRefs referencing the same - object must also set `port`. - * If one ParentRef sets `sectionName` and `port`, all ParentRefs - referencing the same object must also set `sectionName` and `port`. - - It is possible to separately reference multiple distinct objects that may - be collapsed by an implementation. 
For example, some implementations may - choose to merge compatible Gateway Listeners together. If that is the - case, the list of routes attached to those resources should also be - merged. - - Note that for ParentRefs that cross namespace boundaries, there are specific - rules. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example, - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable other kinds of cross-namespace reference. - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - This API may be extended in the future to support additional kinds of parent - resources. - - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. 
- - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - maxItems: 32 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: sectionName must be specified when parentRefs includes - 2 or more references to the same parent - rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ - == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) - || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName - == '''')) : true))' - - message: sectionName must be unique when parentRefs includes 2 or - more references to the same parent - rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ - == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) - || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName - == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName - == p2.sectionName)))) - rules: - description: Rules are a list of GRPC matchers, filters and actions. - items: - description: |- - GRPCRouteRule defines the semantics for matching a gRPC request based on - conditions (matches), processing it (filters), and forwarding the request to - an API object (backendRefs). - properties: - backendRefs: - description: |- - BackendRefs defines the backend(s) where matching requests should be - sent. - - Failure behavior here depends on how many BackendRefs are specified and - how many are invalid. 
- - If *all* entries in BackendRefs are invalid, and there are also no filters - specified in this route rule, *all* traffic which matches this rule MUST - receive an `UNAVAILABLE` status. - - See the GRPCBackendRef definition for the rules about what makes a single - GRPCBackendRef invalid. - - When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for - requests that would have otherwise been routed to an invalid backend. If - multiple backends are specified, and some are invalid, the proportion of - requests that would otherwise have been routed to an invalid backend - MUST receive an `UNAVAILABLE` status. - - For example, if two backends are specified with equal weights, and one is - invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. - Implementations may choose how that 50 percent is determined. - - Support: Core for Kubernetes Service - - Support: Implementation-specific for any other resource - - Support for weight: Core - items: - description: |- - GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. - - Note that when a namespace different than the local namespace is specified, a - ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - properties: - filters: - description: |- - Filters defined at this level MUST be executed if and only if the - request is being forwarded to the backend defined here. - - Support: Implementation-specific (For broader support of filters, use the - Filters field in GRPCRouteRule.) - items: - description: |- - GRPCRouteFilter defines processing steps that must be completed during the - request or response lifecycle. GRPCRouteFilters are meant as an extension - point to express processing that may be done in Gateway implementations. Some - examples include request or response modification, implementing - authentication strategies, rate-limiting, and traffic shaping. 
API - guarantee/conformance is defined based on the type of the filter. - properties: - extensionRef: - description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. - - Support: Implementation-specific - - This filter can be used multiple times within the same rule. - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For - example "HTTPRoute" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - requestHeaderModifier: - description: |- - RequestHeaderModifier defines a schema for a filter that modifies request - headers. - - Support: Core - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
- - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. 
Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. - - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. - - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. - - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. - - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. - - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. 
- - Support: Extended for Kubernetes Service - - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. 
- For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind - == ''Service'') ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal - to denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be - specified in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. 
- - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. 
- - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: - description: |- - Type identifies the type of filter to apply. As with other API fields, - types are classified into three conformance levels: - - - Core: Filter types and their corresponding configuration defined by - "Support: Core" in this package, e.g. "RequestHeaderModifier". All - implementations supporting GRPCRoute MUST support core filters. - - - Extended: Filter types and their corresponding configuration defined by - "Support: Extended" in this package, e.g. "RequestMirror". Implementers - are encouraged to support extended filters. - - - Implementation-specific: Filters that are defined and supported by specific vendors. - In the future, filters showing convergence in behavior across multiple - implementations will be considered for inclusion in extended or core - conformance levels. 
Filter-specific configuration for such filters - is specified using the ExtensionRef field. `Type` MUST be set to - "ExtensionRef" for custom filters. - - Implementers are encouraged to define custom implementation types to - extend the core API with implementation-specific behavior. - - If a reference to a custom filter type cannot be resolved, the filter - MUST NOT be skipped. Instead, requests that would have been processed by - that filter MUST receive a HTTP error response. - enum: - - ResponseHeaderModifier - - RequestHeaderModifier - - RequestMirror - - ExtensionRef - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: filter.requestHeaderModifier must be nil - if the filter.type is not RequestHeaderModifier - rule: '!(has(self.requestHeaderModifier) && self.type - != ''RequestHeaderModifier'')' - - message: filter.requestHeaderModifier must be specified - for RequestHeaderModifier filter.type - rule: '!(!has(self.requestHeaderModifier) && self.type - == ''RequestHeaderModifier'')' - - message: filter.responseHeaderModifier must be nil - if the filter.type is not ResponseHeaderModifier - rule: '!(has(self.responseHeaderModifier) && self.type - != ''ResponseHeaderModifier'')' - - message: filter.responseHeaderModifier must be specified - for ResponseHeaderModifier filter.type - rule: '!(!has(self.responseHeaderModifier) && self.type - == ''ResponseHeaderModifier'')' - - message: filter.requestMirror must be nil if the filter.type - is not RequestMirror - rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' - - message: filter.requestMirror must be specified for - RequestMirror filter.type - rule: '!(!has(self.requestMirror) && self.type == - ''RequestMirror'')' - - message: filter.extensionRef must be nil if the filter.type - is not ExtensionRef - rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - - message: filter.extensionRef must be specified for - ExtensionRef filter.type - rule: 
'!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: RequestHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'RequestHeaderModifier').size() - <= 1 - - message: ResponseHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() - <= 1 - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. 
- - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - weight: - default: 1 - description: |- - Weight specifies the proportion of requests forwarded to the referenced - backend. This is computed as weight/(sum of all weights in this - BackendRefs list). For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision an - implementation supports. Weight is not a percentage and the sum of - weights does not need to equal 100. - - If only one backend is specified and it has a weight greater than 0, 100% - of the traffic is forwarded to that backend. If weight is set to 0, no - traffic should be forwarded for this entry. If unspecified, weight - defaults to 1. - - Support for this field varies based on the context where used. - format: int32 - maximum: 1000000 - minimum: 0 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - filters: - description: |- - Filters define the filters that are applied to requests that match - this rule. - - The effects of ordering of multiple behaviors are currently unspecified. - This can change in the future based on feedback during the alpha stage. - - Conformance-levels at this level are defined based on the type of filter: - - - ALL core filters MUST be supported by all implementations that support - GRPCRoute. 
- - Implementers are encouraged to support extended filters. - - Implementation-specific custom filters have no API guarantees across - implementations. - - Specifying the same filter multiple times is not supported unless explicitly - indicated in the filter. - - If an implementation cannot support a combination of filters, it must clearly - document that limitation. In cases where incompatible or unsupported - filters are specified and cause the `Accepted` condition to be set to status - `False`, implementations may use the `IncompatibleFilters` reason to specify - this configuration error. - - Support: Core - items: - description: |- - GRPCRouteFilter defines processing steps that must be completed during the - request or response lifecycle. GRPCRouteFilters are meant as an extension - point to express processing that may be done in Gateway implementations. Some - examples include request or response modification, implementing - authentication strategies, rate-limiting, and traffic shaping. API - guarantee/conformance is defined based on the type of the filter. - properties: - extensionRef: - description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. - - Support: Implementation-specific - - This filter can be used multiple times within the same rule. - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For example - "HTTPRoute" or "Service". 
- maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - requestHeaderModifier: - description: |- - RequestHeaderModifier defines a schema for a filter that modifies request - headers. - - Support: Core - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
- - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. - - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. 
- - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. - - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. - - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. - - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. - - Support: Extended for Kubernetes Service - - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. 
- - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. 
- properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal to - denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be specified - in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. 
Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. 
- maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: - description: |- - Type identifies the type of filter to apply. As with other API fields, - types are classified into three conformance levels: - - - Core: Filter types and their corresponding configuration defined by - "Support: Core" in this package, e.g. "RequestHeaderModifier". All - implementations supporting GRPCRoute MUST support core filters. - - - Extended: Filter types and their corresponding configuration defined by - "Support: Extended" in this package, e.g. "RequestMirror". Implementers - are encouraged to support extended filters. - - - Implementation-specific: Filters that are defined and supported by specific vendors. - In the future, filters showing convergence in behavior across multiple - implementations will be considered for inclusion in extended or core - conformance levels. Filter-specific configuration for such filters - is specified using the ExtensionRef field. `Type` MUST be set to - "ExtensionRef" for custom filters. - - Implementers are encouraged to define custom implementation types to - extend the core API with implementation-specific behavior. - - If a reference to a custom filter type cannot be resolved, the filter - MUST NOT be skipped. Instead, requests that would have been processed by - that filter MUST receive a HTTP error response. 
- enum: - - ResponseHeaderModifier - - RequestHeaderModifier - - RequestMirror - - ExtensionRef - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: filter.requestHeaderModifier must be nil if the - filter.type is not RequestHeaderModifier - rule: '!(has(self.requestHeaderModifier) && self.type != - ''RequestHeaderModifier'')' - - message: filter.requestHeaderModifier must be specified - for RequestHeaderModifier filter.type - rule: '!(!has(self.requestHeaderModifier) && self.type == - ''RequestHeaderModifier'')' - - message: filter.responseHeaderModifier must be nil if the - filter.type is not ResponseHeaderModifier - rule: '!(has(self.responseHeaderModifier) && self.type != - ''ResponseHeaderModifier'')' - - message: filter.responseHeaderModifier must be specified - for ResponseHeaderModifier filter.type - rule: '!(!has(self.responseHeaderModifier) && self.type - == ''ResponseHeaderModifier'')' - - message: filter.requestMirror must be nil if the filter.type - is not RequestMirror - rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' - - message: filter.requestMirror must be specified for RequestMirror - filter.type - rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' - - message: filter.extensionRef must be nil if the filter.type - is not ExtensionRef - rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - - message: filter.extensionRef must be specified for ExtensionRef - filter.type - rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: RequestHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'RequestHeaderModifier').size() - <= 1 - - message: ResponseHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() - <= 1 - matches: - description: |- - Matches define conditions used for 
matching the rule against incoming - gRPC requests. Each match is independent, i.e. this rule will be matched - if **any** one of the matches is satisfied. - - For example, take the following matches configuration: - - ``` - matches: - - method: - service: foo.bar - headers: - values: - version: 2 - - method: - service: foo.bar.v2 - ``` - - For a request to match against this rule, it MUST satisfy - EITHER of the two conditions: - - - service of foo.bar AND contains the header `version: 2` - - service of foo.bar.v2 - - See the documentation for GRPCRouteMatch on how to specify multiple - match conditions to be ANDed together. - - If no matches are specified, the implementation MUST match every gRPC request. - - Proxy or Load Balancer routing configuration generated from GRPCRoutes - MUST prioritize rules based on the following criteria, continuing on - ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. - Precedence MUST be given to the rule with the largest number of: - - * Characters in a matching non-wildcard hostname. - * Characters in a matching hostname. - * Characters in a matching service. - * Characters in a matching method. - * Header matches. - - If ties still exist across multiple Routes, matching precedence MUST be - determined in order of the following criteria, continuing on ties: - - * The oldest Route based on creation timestamp. - * The Route appearing first in alphabetical order by - "{namespace}/{name}". - - If ties still exist within the Route that has been given precedence, - matching precedence MUST be granted to the first matching rule meeting - the above criteria. - items: - description: |- - GRPCRouteMatch defines the predicate used to match requests to a given - action. Multiple match types are ANDed together, i.e. the match will - evaluate to true only if all conditions are satisfied. 
- - For example, the match below will match a gRPC request only if its service - is `foo` AND it contains the `version: v1` header: - - ``` - matches: - - method: - type: Exact - service: "foo" - headers: - - name: "version" - value "v1" - - ``` - properties: - headers: - description: |- - Headers specifies gRPC request header matchers. Multiple match values are - ANDed together, meaning, a request MUST match all the specified headers - to select the route. - items: - description: |- - GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request - headers. - properties: - name: - description: |- - Name is the name of the gRPC Header to be matched. - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - type: - default: Exact - description: Type specifies how to match against - the value of the header. - enum: - - Exact - - RegularExpression - type: string - value: - description: Value is the value of the gRPC Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - method: - description: |- - Method specifies a gRPC request service/method matcher. If this field is - not specified, all services and methods will match. - properties: - method: - description: |- - Value of the method to match against. If left empty or omitted, will - match all services. - - At least one of Service and Method MUST be a non-empty string. - maxLength: 1024 - type: string - service: - description: |- - Value of the service to match against. 
If left empty or omitted, will - match any service. - - At least one of Service and Method MUST be a non-empty string. - maxLength: 1024 - type: string - type: - default: Exact - description: |- - Type specifies how to match against the service and/or method. - Support: Core (Exact with service and method specified) - - Support: Implementation-specific (Exact with method specified but no service specified) - - Support: Implementation-specific (RegularExpression) - enum: - - Exact - - RegularExpression - type: string - type: object - x-kubernetes-validations: - - message: One or both of 'service' or 'method' must be - specified - rule: 'has(self.type) ? has(self.service) || has(self.method) - : true' - - message: service must only contain valid characters - (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$) - rule: '(!has(self.type) || self.type == ''Exact'') && - has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""): - true' - - message: method must only contain valid characters (matching - ^[A-Za-z_][A-Za-z_0-9]*$) - rule: '(!has(self.type) || self.type == ''Exact'') && - has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""): - true' - type: object - maxItems: 64 - type: array - x-kubernetes-list-type: atomic - name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: While 16 rules and 64 matches per rule are allowed, the - total number of matches across all rules in a route must be less - than 128 - rule: '(self.size() > 0 ? (has(self[0].matches) ? self[0].matches.size() - : 0) : 0) + (self.size() > 1 ? (has(self[1].matches) ? 
self[1].matches.size() - : 0) : 0) + (self.size() > 2 ? (has(self[2].matches) ? self[2].matches.size() - : 0) : 0) + (self.size() > 3 ? (has(self[3].matches) ? self[3].matches.size() - : 0) : 0) + (self.size() > 4 ? (has(self[4].matches) ? self[4].matches.size() - : 0) : 0) + (self.size() > 5 ? (has(self[5].matches) ? self[5].matches.size() - : 0) : 0) + (self.size() > 6 ? (has(self[6].matches) ? self[6].matches.size() - : 0) : 0) + (self.size() > 7 ? (has(self[7].matches) ? self[7].matches.size() - : 0) : 0) + (self.size() > 8 ? (has(self[8].matches) ? self[8].matches.size() - : 0) : 0) + (self.size() > 9 ? (has(self[9].matches) ? self[9].matches.size() - : 0) : 0) + (self.size() > 10 ? (has(self[10].matches) ? self[10].matches.size() - : 0) : 0) + (self.size() > 11 ? (has(self[11].matches) ? self[11].matches.size() - : 0) : 0) + (self.size() > 12 ? (has(self[12].matches) ? self[12].matches.size() - : 0) : 0) + (self.size() > 13 ? (has(self[13].matches) ? self[13].matches.size() - : 0) : 0) + (self.size() > 14 ? (has(self[14].matches) ? self[14].matches.size() - : 0) : 0) + (self.size() > 15 ? (has(self[15].matches) ? self[15].matches.size() - : 0) : 0) <= 128' - type: object - status: - description: Status defines the current state of GRPCRoute. - properties: - parents: - description: |- - Parents is a list of parent resources (usually Gateways) that are - associated with the route, and the status of the route with respect to - each parent. When this route attaches to a parent, the controller that - manages the parent must add an entry to this list when the controller - first sees the route and should update the entry as appropriate when the - route or gateway is modified. - - Note that parent references that cannot be resolved by an implementation - of this API will not be added to this list. Implementations of this API - can only populate Route status for the Gateways/parent resources they are - responsible for. 
- - A maximum of 32 Gateways will be represented in this list. An empty list - means the route has not been attached to any Gateway. - items: - description: |- - RouteParentStatus describes the status of a route with respect to an - associated Parent. - properties: - conditions: - description: |- - Conditions describes the status of the route with respect to the Gateway. - Note that the route's availability is also subject to the Gateway's own - status conditions and listener status. - - If the Route's ParentRef specifies an existing Gateway that supports - Routes of this kind AND that Gateway's controller has sufficient access, - then that Gateway's controller MUST set the "Accepted" condition on the - Route, to indicate whether the route has been accepted or rejected by the - Gateway, and why. - - A Route MUST be considered "Accepted" if at least one of the Route's - rules is implemented by the Gateway. - - There are a number of cases where the "Accepted" condition may not be set - due to lack of controller visibility, that includes when: - - * The Route refers to a nonexistent parent. - * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. 
- maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - parentRef: - description: |- - ParentRef corresponds with a ParentRef in the spec that this - RouteParentStatus struct describes the status of. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. 
It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. 
- - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - required: - - conditions - - controllerName - - parentRef - type: object - maxItems: 32 - type: array - x-kubernetes-list-type: atomic - required: - - parents - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/standard/gateway.networking.k8s.io_httproutes.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 - gateway.networking.k8s.io/channel: standard - name: httproutes.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: HTTPRoute - listKind: HTTPRouteList - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.hostnames - name: Hostnames - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - HTTPRoute provides a way to route HTTP requests. 
This includes the capability - to match requests by hostname, path, header, or query param. Filters can be - used to specify additional processing steps. Backends specify where matching - requests should be routed. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of HTTPRoute. - properties: - hostnames: - description: |- - Hostnames defines a set of hostnames that should match against the HTTP Host - header to select a HTTPRoute used to process the request. Implementations - MUST ignore any port value specified in the HTTP Host header while - performing a match and (absent of any applicable header modification - configuration) MUST forward this header unmodified to the backend. - - Valid values for Hostnames are determined by RFC 1123 definition of a - hostname with 2 notable exceptions: - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - If a hostname is specified by both the Listener and HTTPRoute, there - must be at least one intersecting hostname for the HTTPRoute to be - attached to the Listener. 
For example: - - * A Listener with `test.example.com` as the hostname matches HTTPRoutes - that have either not specified any hostnames, or have specified at - least one of `test.example.com` or `*.example.com`. - * A Listener with `*.example.com` as the hostname matches HTTPRoutes - that have either not specified any hostnames or have specified at least - one hostname that matches the Listener hostname. For example, - `*.example.com`, `test.example.com`, and `foo.test.example.com` would - all match. On the other hand, `example.com` and `test.example.net` would - not match. - - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - as a suffix match. That means that a match for `*.example.com` would match - both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - - If both the Listener and HTTPRoute have specified hostnames, any - HTTPRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - HTTPRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. - - If both the Listener and HTTPRoute have specified hostnames, and none - match with the criteria above, then the HTTPRoute is not accepted. The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. - - In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. - overlapping wildcard matching and exact matching hostnames), precedence must - be given to rules from the HTTPRoute with the largest number of: - - * Characters in a matching non-wildcard hostname. - * Characters in a matching hostname. - - If ties exist across multiple Routes, the matching precedence rules for - HTTPRouteMatches takes over. - - Support: Core - items: - description: |- - Hostname is the fully qualified domain name of a network host. 
This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - parentRefs: - description: |- - ParentRefs references the resources (usually Gateways) that a Route wants - to be attached to. Note that the referenced parent resource needs to - allow this for the attachment to be complete. For Gateways, that means - the Gateway needs to allow attachment from Routes of this kind and - namespace. For Services, that means the Service must either be in the same - namespace for a "producer" route, or the mesh implementation must support - and allow "consumer" routes for the referenced Service. ReferenceGrant is - not applicable for governing ParentRefs to Services - it is not possible to - create a "producer" route for a Service in a different namespace from the - Route. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - This API may be extended in the future to support additional kinds of parent - resources. - - ParentRefs must be _distinct_. This means either that: - - * They select different objects. If this is the case, then parentRef - entries are distinct. 
In terms of fields, this means that the - multi-part key defined by `group`, `kind`, `namespace`, and `name` must - be unique across all parentRef entries in the Route. - * They do not select different objects, but for each optional field used, - each ParentRef that selects the same object must set the same set of - optional fields to different values. If one ParentRef sets a - combination of optional fields, all must set the same combination. - - Some examples: - - * If one ParentRef sets `sectionName`, all ParentRefs referencing the - same object must also set `sectionName`. - * If one ParentRef sets `port`, all ParentRefs referencing the same - object must also set `port`. - * If one ParentRef sets `sectionName` and `port`, all ParentRefs - referencing the same object must also set `sectionName` and `port`. - - It is possible to separately reference multiple distinct objects that may - be collapsed by an implementation. For example, some implementations may - choose to merge compatible Gateway Listeners together. If that is the - case, the list of routes attached to those resources should also be - merged. - - Note that for ParentRefs that cross namespace boundaries, there are specific - rules. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example, - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable other kinds of cross-namespace reference. - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - This API may be extended in the future to support additional kinds of parent - resources. 
- - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. 
- - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. 
- For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - maxItems: 32 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: sectionName must be specified when parentRefs includes - 2 or more references to the same parent - rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ - == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) ? 
((!has(p1.sectionName) - || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName - == '''')) : true))' - - message: sectionName must be unique when parentRefs includes 2 or - more references to the same parent - rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ - == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) - || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName - == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName - == p2.sectionName)))) - rules: - default: - - matches: - - path: - type: PathPrefix - value: / - description: Rules are a list of HTTP matchers, filters and actions. - items: - description: |- - HTTPRouteRule defines semantics for matching an HTTP request based on - conditions (matches), processing it (filters), and forwarding the request to - an API object (backendRefs). - properties: - backendRefs: - description: |- - BackendRefs defines the backend(s) where matching requests should be - sent. - - Failure behavior here depends on how many BackendRefs are specified and - how many are invalid. - - If *all* entries in BackendRefs are invalid, and there are also no filters - specified in this route rule, *all* traffic which matches this rule MUST - receive a 500 status code. - - See the HTTPBackendRef definition for the rules about what makes a single - HTTPBackendRef invalid. - - When a HTTPBackendRef is invalid, 500 status codes MUST be returned for - requests that would have otherwise been routed to an invalid backend. If - multiple backends are specified, and some are invalid, the proportion of - requests that would otherwise have been routed to an invalid backend - MUST receive a 500 status code. 
- - For example, if two backends are specified with equal weights, and one is - invalid, 50 percent of traffic must receive a 500. Implementations may - choose how that 50 percent is determined. - - When a HTTPBackendRef refers to a Service that has no ready endpoints, - implementations SHOULD return a 503 for requests to that backend instead. - If an implementation chooses to do this, all of the above rules for 500 responses - MUST also apply for responses that return a 503. - - Support: Core for Kubernetes Service - - Support: Extended for Kubernetes ServiceImport - - Support: Implementation-specific for any other resource - - Support for weight: Core - items: - description: |- - HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. - - Note that when a namespace different than the local namespace is specified, a - ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - properties: - filters: - description: |- - Filters defined at this level should be executed if and only if the - request is being forwarded to the backend defined here. - - Support: Implementation-specific (For broader support of filters, use the - Filters field in HTTPRouteRule.) - items: - description: |- - HTTPRouteFilter defines processing steps that must be completed during the - request or response lifecycle. HTTPRouteFilters are meant as an extension - point to express processing that may be done in Gateway implementations. Some - examples include request or response modification, implementing - authentication strategies, rate-limiting, and traffic shaping. API - guarantee/conformance is defined based on the type of the filter. - properties: - extensionRef: - description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). 
ExtensionRef MUST NOT be used for core and - extended filters. - - This filter can be used multiple times within the same rule. - - Support: Implementation-specific - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For - example "HTTPRoute" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - requestHeaderModifier: - description: |- - RequestHeaderModifier defines a schema for a filter that modifies request - headers. - - Support: Core - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. 
- maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. 
- maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. - - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. - - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. - - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. - - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. - - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. - - Support: Extended for Kubernetes Service - - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. 
- maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. 
- format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind - == ''Service'') ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal - to denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be - specified in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - requestRedirect: - description: |- - RequestRedirect defines a schema for a filter that responds to the - request with an HTTP redirection. - - Support: Core - properties: - hostname: - description: |- - Hostname is the hostname to be used in the value of the `Location` - header in the response. - When empty, the hostname in the `Host` header of the request is used. 
- - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines parameters used to modify the path of the incoming request. - The modified path is then used to construct the `Location` header. When - empty, the request path is used as-is. - - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". - - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. - - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. - Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. - - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. 
- - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified - when type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? - has(self.replaceFullPath) : true' - - message: type must be 'ReplaceFullPath' when - replaceFullPath is set - rule: 'has(self.replaceFullPath) ? self.type - == ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified - when type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' - ? has(self.replacePrefixMatch) : true' - - message: type must be 'ReplacePrefixMatch' - when replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? self.type - == ''ReplacePrefixMatch'' : true' - port: - description: |- - Port is the port to be used in the value of the `Location` - header in the response. - - If no port is specified, the redirect port MUST be derived using the - following rules: - - * If redirect scheme is not-empty, the redirect port MUST be the well-known - port associated with the redirect scheme. Specifically "http" to port 80 - and "https" to port 443. If the redirect scheme does not have a - well-known port, the listener port of the Gateway SHOULD be used. - * If redirect scheme is empty, the redirect port MUST be the Gateway - Listener port. - - Implementations SHOULD NOT add the port number in the 'Location' - header in the following cases: - - * A Location header that will use HTTP (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 80. - * A Location header that will use HTTPS (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 443. 
- - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - scheme: - description: |- - Scheme is the scheme to be used in the value of the `Location` header in - the response. When empty, the scheme of the request is used. - - Scheme redirects can affect the port of the redirect, for more information, - refer to the documentation for the port field of this filter. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - - Support: Extended - enum: - - http - - https - type: string - statusCode: - default: 302 - description: |- - StatusCode is the HTTP status code to be used in response. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - - Support: Core - enum: - - 301 - - 302 - type: integer - type: object - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. 
(See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. 
Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: - description: |- - Type identifies the type of filter to apply. As with other API fields, - types are classified into three conformance levels: - - - Core: Filter types and their corresponding configuration defined by - "Support: Core" in this package, e.g. "RequestHeaderModifier". All - implementations must support core filters. - - - Extended: Filter types and their corresponding configuration defined by - "Support: Extended" in this package, e.g. "RequestMirror". Implementers - are encouraged to support extended filters. - - - Implementation-specific: Filters that are defined and supported by - specific vendors. - In the future, filters showing convergence in behavior across multiple - implementations will be considered for inclusion in extended or core - conformance levels. Filter-specific configuration for such filters - is specified using the ExtensionRef field. `Type` should be set to - "ExtensionRef" for custom filters. - - Implementers are encouraged to define custom implementation types to - extend the core API with implementation-specific behavior. - - If a reference to a custom filter type cannot be resolved, the filter - MUST NOT be skipped. Instead, requests that would have been processed by - that filter MUST receive a HTTP error response. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. 
- - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - RequestHeaderModifier - - ResponseHeaderModifier - - RequestMirror - - RequestRedirect - - URLRewrite - - ExtensionRef - type: string - urlRewrite: - description: |- - URLRewrite defines a schema for a filter that modifies a request during forwarding. - - Support: Extended - properties: - hostname: - description: |- - Hostname is the value to be used to replace the Host header value during - forwarding. - - Support: Extended - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines a path rewrite. - - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". - - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. - - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. - Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. 
- - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified - when type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? - has(self.replaceFullPath) : true' - - message: type must be 'ReplaceFullPath' when - replaceFullPath is set - rule: 'has(self.replaceFullPath) ? self.type - == ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified - when type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' - ? has(self.replacePrefixMatch) : true' - - message: type must be 'ReplacePrefixMatch' - when replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? 
self.type - == ''ReplacePrefixMatch'' : true' - type: object - required: - - type - type: object - x-kubernetes-validations: - - message: filter.requestHeaderModifier must be nil - if the filter.type is not RequestHeaderModifier - rule: '!(has(self.requestHeaderModifier) && self.type - != ''RequestHeaderModifier'')' - - message: filter.requestHeaderModifier must be specified - for RequestHeaderModifier filter.type - rule: '!(!has(self.requestHeaderModifier) && self.type - == ''RequestHeaderModifier'')' - - message: filter.responseHeaderModifier must be nil - if the filter.type is not ResponseHeaderModifier - rule: '!(has(self.responseHeaderModifier) && self.type - != ''ResponseHeaderModifier'')' - - message: filter.responseHeaderModifier must be specified - for ResponseHeaderModifier filter.type - rule: '!(!has(self.responseHeaderModifier) && self.type - == ''ResponseHeaderModifier'')' - - message: filter.requestMirror must be nil if the filter.type - is not RequestMirror - rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' - - message: filter.requestMirror must be specified for - RequestMirror filter.type - rule: '!(!has(self.requestMirror) && self.type == - ''RequestMirror'')' - - message: filter.requestRedirect must be nil if the - filter.type is not RequestRedirect - rule: '!(has(self.requestRedirect) && self.type != - ''RequestRedirect'')' - - message: filter.requestRedirect must be specified - for RequestRedirect filter.type - rule: '!(!has(self.requestRedirect) && self.type == - ''RequestRedirect'')' - - message: filter.urlRewrite must be nil if the filter.type - is not URLRewrite - rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' - - message: filter.urlRewrite must be specified for URLRewrite - filter.type - rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' - - message: filter.extensionRef must be nil if the filter.type - is not ExtensionRef - rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - 
- message: filter.extensionRef must be specified for - ExtensionRef filter.type - rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: May specify either httpRouteFilterRequestRedirect - or httpRouteFilterRequestRewrite, but not both - rule: '!(self.exists(f, f.type == ''RequestRedirect'') - && self.exists(f, f.type == ''URLRewrite''))' - - message: RequestHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'RequestHeaderModifier').size() - <= 1 - - message: ResponseHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() - <= 1 - - message: RequestRedirect filter cannot be repeated - rule: self.filter(f, f.type == 'RequestRedirect').size() - <= 1 - - message: URLRewrite filter cannot be repeated - rule: self.filter(f, f.type == 'URLRewrite').size() - <= 1 - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. 
- - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - weight: - default: 1 - description: |- - Weight specifies the proportion of requests forwarded to the referenced - backend. This is computed as weight/(sum of all weights in this - BackendRefs list). For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision an - implementation supports. Weight is not a percentage and the sum of - weights does not need to equal 100. - - If only one backend is specified and it has a weight greater than 0, 100% - of the traffic is forwarded to that backend. If weight is set to 0, no - traffic should be forwarded for this entry. If unspecified, weight - defaults to 1. - - Support for this field varies based on the context where used. 
- format: int32 - maximum: 1000000 - minimum: 0 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - filters: - description: |- - Filters define the filters that are applied to requests that match - this rule. - - Wherever possible, implementations SHOULD implement filters in the order - they are specified. - - Implementations MAY choose to implement this ordering strictly, rejecting - any combination or order of filters that cannot be supported. If implementations - choose a strict interpretation of filter ordering, they MUST clearly document - that behavior. - - To reject an invalid combination or order of filters, implementations SHOULD - consider the Route Rules with this configuration invalid. If all Route Rules - in a Route are invalid, the entire Route would be considered invalid. If only - a portion of Route Rules are invalid, implementations MUST set the - "PartiallyInvalid" condition for the Route. - - Conformance-levels at this level are defined based on the type of filter: - - - ALL core filters MUST be supported by all implementations. - - Implementers are encouraged to support extended filters. - - Implementation-specific custom filters have no API guarantees across - implementations. - - Specifying the same filter multiple times is not supported unless explicitly - indicated in the filter. - - All filters are expected to be compatible with each other except for the - URLRewrite and RequestRedirect filters, which may not be combined. If an - implementation cannot support other combinations of filters, they must clearly - document that limitation. 
In cases where incompatible or unsupported - filters are specified and cause the `Accepted` condition to be set to status - `False`, implementations may use the `IncompatibleFilters` reason to specify - this configuration error. - - Support: Core - items: - description: |- - HTTPRouteFilter defines processing steps that must be completed during the - request or response lifecycle. HTTPRouteFilters are meant as an extension - point to express processing that may be done in Gateway implementations. Some - examples include request or response modification, implementing - authentication strategies, rate-limiting, and traffic shaping. API - guarantee/conformance is defined based on the type of the filter. - properties: - extensionRef: - description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. - - This filter can be used multiple times within the same rule. - - Support: Implementation-specific - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For example - "HTTPRoute" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - requestHeaderModifier: - description: |- - RequestHeaderModifier defines a schema for a filter that modifies request - headers. 
- - Support: Core - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. 
- - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. - - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. - - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. - - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. - - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. - - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. - - Support: Extended for Kubernetes Service - - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. 
- - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal to - denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. 
- format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be specified - in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - requestRedirect: - description: |- - RequestRedirect defines a schema for a filter that responds to the - request with an HTTP redirection. - - Support: Core - properties: - hostname: - description: |- - Hostname is the hostname to be used in the value of the `Location` - header in the response. - When empty, the hostname in the `Host` header of the request is used. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines parameters used to modify the path of the incoming request. - The modified path is then used to construct the `Location` header. When - empty, the request path is used as-is. - - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". - - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. - - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. 
- Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. - - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified when - type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) - : true' - - message: type must be 'ReplaceFullPath' when replaceFullPath - is set - rule: 'has(self.replaceFullPath) ? self.type == - ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified when - type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) - : true' - - message: type must be 'ReplacePrefixMatch' when - replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? self.type - == ''ReplacePrefixMatch'' : true' - port: - description: |- - Port is the port to be used in the value of the `Location` - header in the response. - - If no port is specified, the redirect port MUST be derived using the - following rules: - - * If redirect scheme is not-empty, the redirect port MUST be the well-known - port associated with the redirect scheme. Specifically "http" to port 80 - and "https" to port 443. If the redirect scheme does not have a - well-known port, the listener port of the Gateway SHOULD be used. 
- * If redirect scheme is empty, the redirect port MUST be the Gateway - Listener port. - - Implementations SHOULD NOT add the port number in the 'Location' - header in the following cases: - - * A Location header that will use HTTP (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 80. - * A Location header that will use HTTPS (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 443. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - scheme: - description: |- - Scheme is the scheme to be used in the value of the `Location` header in - the response. When empty, the scheme of the request is used. - - Scheme redirects can affect the port of the redirect, for more information, - refer to the documentation for the port field of this filter. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - - Support: Extended - enum: - - http - - https - type: string - statusCode: - default: 302 - description: |- - StatusCode is the HTTP status code to be used in response. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - - Support: Core - enum: - - 301 - - 302 - type: integer - type: object - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. 
It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. 
- - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: - description: |- - Type identifies the type of filter to apply. As with other API fields, - types are classified into three conformance levels: - - - Core: Filter types and their corresponding configuration defined by - "Support: Core" in this package, e.g. "RequestHeaderModifier". All - implementations must support core filters. - - - Extended: Filter types and their corresponding configuration defined by - "Support: Extended" in this package, e.g. "RequestMirror". Implementers - are encouraged to support extended filters. - - - Implementation-specific: Filters that are defined and supported by - specific vendors. - In the future, filters showing convergence in behavior across multiple - implementations will be considered for inclusion in extended or core - conformance levels. 
Filter-specific configuration for such filters - is specified using the ExtensionRef field. `Type` should be set to - "ExtensionRef" for custom filters. - - Implementers are encouraged to define custom implementation types to - extend the core API with implementation-specific behavior. - - If a reference to a custom filter type cannot be resolved, the filter - MUST NOT be skipped. Instead, requests that would have been processed by - that filter MUST receive a HTTP error response. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - RequestHeaderModifier - - ResponseHeaderModifier - - RequestMirror - - RequestRedirect - - URLRewrite - - ExtensionRef - type: string - urlRewrite: - description: |- - URLRewrite defines a schema for a filter that modifies a request during forwarding. - - Support: Extended - properties: - hostname: - description: |- - Hostname is the value to be used to replace the Host header value during - forwarding. - - Support: Extended - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines a path rewrite. - - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". - - Note that this matches the behavior of the PathPrefix match type. 
This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. - - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. - Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. - - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified when - type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) - : true' - - message: type must be 'ReplaceFullPath' when replaceFullPath - is set - rule: 'has(self.replaceFullPath) ? self.type == - ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified when - type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) - : true' - - message: type must be 'ReplacePrefixMatch' when - replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? 
self.type - == ''ReplacePrefixMatch'' : true' - type: object - required: - - type - type: object - x-kubernetes-validations: - - message: filter.requestHeaderModifier must be nil if the - filter.type is not RequestHeaderModifier - rule: '!(has(self.requestHeaderModifier) && self.type != - ''RequestHeaderModifier'')' - - message: filter.requestHeaderModifier must be specified - for RequestHeaderModifier filter.type - rule: '!(!has(self.requestHeaderModifier) && self.type == - ''RequestHeaderModifier'')' - - message: filter.responseHeaderModifier must be nil if the - filter.type is not ResponseHeaderModifier - rule: '!(has(self.responseHeaderModifier) && self.type != - ''ResponseHeaderModifier'')' - - message: filter.responseHeaderModifier must be specified - for ResponseHeaderModifier filter.type - rule: '!(!has(self.responseHeaderModifier) && self.type - == ''ResponseHeaderModifier'')' - - message: filter.requestMirror must be nil if the filter.type - is not RequestMirror - rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' - - message: filter.requestMirror must be specified for RequestMirror - filter.type - rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' - - message: filter.requestRedirect must be nil if the filter.type - is not RequestRedirect - rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')' - - message: filter.requestRedirect must be specified for RequestRedirect - filter.type - rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')' - - message: filter.urlRewrite must be nil if the filter.type - is not URLRewrite - rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' - - message: filter.urlRewrite must be specified for URLRewrite - filter.type - rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' - - message: filter.extensionRef must be nil if the filter.type - is not ExtensionRef - rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - - 
message: filter.extensionRef must be specified for ExtensionRef - filter.type - rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: May specify either httpRouteFilterRequestRedirect - or httpRouteFilterRequestRewrite, but not both - rule: '!(self.exists(f, f.type == ''RequestRedirect'') && - self.exists(f, f.type == ''URLRewrite''))' - - message: RequestHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'RequestHeaderModifier').size() - <= 1 - - message: ResponseHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() - <= 1 - - message: RequestRedirect filter cannot be repeated - rule: self.filter(f, f.type == 'RequestRedirect').size() <= - 1 - - message: URLRewrite filter cannot be repeated - rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 - matches: - default: - - path: - type: PathPrefix - value: / - description: |- - Matches define conditions used for matching the rule against incoming - HTTP requests. Each match is independent, i.e. this rule will be matched - if **any** one of the matches is satisfied. - - For example, take the following matches configuration: - - ``` - matches: - - path: - value: "/foo" - headers: - - name: "version" - value: "v2" - - path: - value: "/v2/foo" - ``` - - For a request to match against this rule, a request must satisfy - EITHER of the two conditions: - - - path prefixed with `/foo` AND contains the header `version: v2` - - path prefix of `/v2/foo` - - See the documentation for HTTPRouteMatch on how to specify multiple - match conditions that should be ANDed together. - - If no matches are specified, the default is a prefix - path match on "/", which has the effect of matching every - HTTP request. 
- - Proxy or Load Balancer routing configuration generated from HTTPRoutes - MUST prioritize matches based on the following criteria, continuing on - ties. Across all rules specified on applicable Routes, precedence must be - given to the match having: - - * "Exact" path match. - * "Prefix" path match with largest number of characters. - * Method match. - * Largest number of header matches. - * Largest number of query param matches. - - Note: The precedence of RegularExpression path matches are implementation-specific. - - If ties still exist across multiple Routes, matching precedence MUST be - determined in order of the following criteria, continuing on ties: - - * The oldest Route based on creation timestamp. - * The Route appearing first in alphabetical order by - "{namespace}/{name}". - - If ties still exist within an HTTPRoute, matching precedence MUST be granted - to the FIRST matching rule (in list order) with a match meeting the above - criteria. - - When no rules matching a request have been successfully attached to the - parent a request is coming from, a HTTP 404 status code MUST be returned. - items: - description: "HTTPRouteMatch defines the predicate used to - match requests to a given\naction. Multiple match types - are ANDed together, i.e. the match will\nevaluate to true - only if all conditions are satisfied.\n\nFor example, the - match below will match a HTTP request only if its path\nstarts - with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n```" - properties: - headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. - items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. 
- properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - type: - default: Exact - description: |- - Type specifies how to match against the value of the header. - - Support: Core (Exact) - - Support: Implementation-specific (RegularExpression) - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. - enum: - - Exact - - RegularExpression - type: string - value: - description: Value is the value of HTTP Header to - be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. 
- - Support: Extended - enum: - - GET - - HEAD - - POST - - PUT - - DELETE - - CONNECT - - OPTIONS - - TRACE - - PATCH - type: string - path: - default: - type: PathPrefix - value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. - properties: - type: - default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - Support: Core (Exact, PathPrefix) - - Support: Implementation-specific (RegularExpression) - enum: - - Exact - - PathPrefix - - RegularExpression - type: string - value: - default: / - description: Value of the HTTP path to match against. - maxLength: 1024 - type: string - type: object - x-kubernetes-validations: - - message: value must be an absolute path and start with - '/' when type one of ['Exact', 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') - : true' - - message: must not contain '//' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'') - : true' - - message: must not contain '/./' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') - : true' - - message: must not contain '/../' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') - : true' - - message: must not contain '%2f' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') - : true' - - message: must not contain '%2F' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') - : true' - - message: must not contain '#' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? 
!self.value.contains(''#'') - : true' - - message: must not end with '/..' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') - : true' - - message: must not end with '/.' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'') - : true' - - message: type must be one of ['Exact', 'PathPrefix', - 'RegularExpression'] - rule: self.type in ['Exact','PathPrefix'] || self.type - == 'RegularExpression' - - message: must only contain valid characters (matching - ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) - for types ['Exact', 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") - : true' - queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - Support: Extended - items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. - properties: - name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. 
- - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - type: - default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - Support: Extended (Exact) - - Support: Implementation-specific (RegularExpression) - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. - enum: - - Exact - - RegularExpression - type: string - value: - description: Value is the value of HTTP query param - to be matched. - maxLength: 1024 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - maxItems: 64 - type: array - x-kubernetes-list-type: atomic - name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - timeouts: - description: |- - Timeouts defines the timeouts that can be configured for an HTTP request. - - Support: Extended - properties: - backendRequest: - description: |- - BackendRequest specifies a timeout for an individual request from the gateway - to a backend. This covers the time from when the request first starts being - sent from the gateway to when the full response has been received from the backend. - - Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout - completely. 
Implementations that cannot completely disable the timeout MUST - instead interpret the zero duration as the longest possible value to which - the timeout can be set. - - An entire client HTTP transaction with a gateway, covered by the Request timeout, - may result in more than one call from the gateway to the destination backend, - for example, if automatic retries are supported. - - The value of BackendRequest must be a Gateway API Duration string as defined by - GEP-2257. When this field is unspecified, its behavior is implementation-specific; - when specified, the value of BackendRequest must be no more than the value of the - Request timeout (since the Request timeout encompasses the BackendRequest timeout). - - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - request: - description: |- - Request specifies the maximum duration for a gateway to respond to an HTTP request. - If the gateway has not been able to respond before this deadline is met, the gateway - MUST return a timeout error. - - For example, setting the `rules.timeouts.request` field to the value `10s` in an - `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds - to complete. - - Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout - completely. Implementations that cannot completely disable the timeout MUST - instead interpret the zero duration as the longest possible value to which - the timeout can be set. - - This timeout is intended to cover as close to the whole request-response transaction - as possible although an implementation MAY choose to start the timeout after the entire - request stream has been received instead of immediately after the transaction is - initiated by the client. - - The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - field is unspecified, request timeout behavior is implementation-specific. 
- - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - type: object - x-kubernetes-validations: - - message: backendRequest timeout cannot be longer than request - timeout - rule: '!(has(self.request) && has(self.backendRequest) && - duration(self.request) != duration(''0s'') && duration(self.backendRequest) - > duration(self.request))' - type: object - x-kubernetes-validations: - - message: RequestRedirect filter must not be used together with - backendRefs - rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ? - (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): - true' - - message: When using RequestRedirect filter with path.replacePrefixMatch, - exactly one PathPrefix match must be specified - rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) - && has(f.requestRedirect.path) && f.requestRedirect.path.type - == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) - ? ((size(self.matches) != 1 || !has(self.matches[0].path) || - self.matches[0].path.type != ''PathPrefix'') ? false : true) - : true' - - message: When using URLRewrite filter with path.replacePrefixMatch, - exactly one PathPrefix match must be specified - rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) - && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' - && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) - != 1 || !has(self.matches[0].path) || self.matches[0].path.type - != ''PathPrefix'') ? 
false : true) : true' - - message: Within backendRefs, when using RequestRedirect filter - with path.replacePrefixMatch, exactly one PathPrefix match must - be specified - rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, - (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) - && has(f.requestRedirect.path) && f.requestRedirect.path.type - == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) - )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) - || self.matches[0].path.type != ''PathPrefix'') ? false : true) - : true' - - message: Within backendRefs, When using URLRewrite filter with - path.replacePrefixMatch, exactly one PathPrefix match must be - specified - rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, - (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) - && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' - && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) - != 1 || !has(self.matches[0].path) || self.matches[0].path.type - != ''PathPrefix'') ? false : true) : true' - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: While 16 rules and 64 matches per rule are allowed, the - total number of matches across all rules in a route must be less - than 128 - rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() - > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() - : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() - > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() - : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() - > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() - : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() - > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() - : 0) + (self.size() > 12 ? 
self[12].matches.size() : 0) + (self.size() - > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() - : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' - type: object - status: - description: Status defines the current state of HTTPRoute. - properties: - parents: - description: |- - Parents is a list of parent resources (usually Gateways) that are - associated with the route, and the status of the route with respect to - each parent. When this route attaches to a parent, the controller that - manages the parent must add an entry to this list when the controller - first sees the route and should update the entry as appropriate when the - route or gateway is modified. - - Note that parent references that cannot be resolved by an implementation - of this API will not be added to this list. Implementations of this API - can only populate Route status for the Gateways/parent resources they are - responsible for. - - A maximum of 32 Gateways will be represented in this list. An empty list - means the route has not been attached to any Gateway. - items: - description: |- - RouteParentStatus describes the status of a route with respect to an - associated Parent. - properties: - conditions: - description: |- - Conditions describes the status of the route with respect to the Gateway. - Note that the route's availability is also subject to the Gateway's own - status conditions and listener status. - - If the Route's ParentRef specifies an existing Gateway that supports - Routes of this kind AND that Gateway's controller has sufficient access, - then that Gateway's controller MUST set the "Accepted" condition on the - Route, to indicate whether the route has been accepted or rejected by the - Gateway, and why. - - A Route MUST be considered "Accepted" if at least one of the Route's - rules is implemented by the Gateway. 
- - There are a number of cases where the "Accepted" condition may not be set - due to lack of controller visibility, that includes when: - - * The Route refers to a nonexistent parent. - * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - parentRef: - description: |- - ParentRef corresponds with a ParentRef in the spec that this - RouteParentStatus struct describes the status of. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. 
- - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. 
- - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. 
- - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - required: - - conditions - - controllerName - - parentRef - type: object - maxItems: 32 - type: array - x-kubernetes-list-type: atomic - required: - - parents - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.hostnames - name: Hostnames - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - HTTPRoute provides a way to route HTTP requests. This includes the capability - to match requests by hostname, path, header, or query param. Filters can be - used to specify additional processing steps. Backends specify where matching - requests should be routed. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of HTTPRoute. - properties: - hostnames: - description: |- - Hostnames defines a set of hostnames that should match against the HTTP Host - header to select a HTTPRoute used to process the request. 
Implementations - MUST ignore any port value specified in the HTTP Host header while - performing a match and (absent of any applicable header modification - configuration) MUST forward this header unmodified to the backend. - - Valid values for Hostnames are determined by RFC 1123 definition of a - hostname with 2 notable exceptions: - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - If a hostname is specified by both the Listener and HTTPRoute, there - must be at least one intersecting hostname for the HTTPRoute to be - attached to the Listener. For example: - - * A Listener with `test.example.com` as the hostname matches HTTPRoutes - that have either not specified any hostnames, or have specified at - least one of `test.example.com` or `*.example.com`. - * A Listener with `*.example.com` as the hostname matches HTTPRoutes - that have either not specified any hostnames or have specified at least - one hostname that matches the Listener hostname. For example, - `*.example.com`, `test.example.com`, and `foo.test.example.com` would - all match. On the other hand, `example.com` and `test.example.net` would - not match. - - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - as a suffix match. That means that a match for `*.example.com` would match - both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - - If both the Listener and HTTPRoute have specified hostnames, any - HTTPRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - HTTPRoute specified `test.example.com` and `test.example.net`, - `test.example.net` must not be considered for a match. - - If both the Listener and HTTPRoute have specified hostnames, and none - match with the criteria above, then the HTTPRoute is not accepted. 
The - implementation must raise an 'Accepted' Condition with a status of - `False` in the corresponding RouteParentStatus. - - In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. - overlapping wildcard matching and exact matching hostnames), precedence must - be given to rules from the HTTPRoute with the largest number of: - - * Characters in a matching non-wildcard hostname. - * Characters in a matching hostname. - - If ties exist across multiple Routes, the matching precedence rules for - HTTPRouteMatches takes over. - - Support: Core - items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - parentRefs: - description: |- - ParentRefs references the resources (usually Gateways) that a Route wants - to be attached to. Note that the referenced parent resource needs to - allow this for the attachment to be complete. For Gateways, that means - the Gateway needs to allow attachment from Routes of this kind and - namespace. 
For Services, that means the Service must either be in the same - namespace for a "producer" route, or the mesh implementation must support - and allow "consumer" routes for the referenced Service. ReferenceGrant is - not applicable for governing ParentRefs to Services - it is not possible to - create a "producer" route for a Service in a different namespace from the - Route. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - This API may be extended in the future to support additional kinds of parent - resources. - - ParentRefs must be _distinct_. This means either that: - - * They select different objects. If this is the case, then parentRef - entries are distinct. In terms of fields, this means that the - multi-part key defined by `group`, `kind`, `namespace`, and `name` must - be unique across all parentRef entries in the Route. - * They do not select different objects, but for each optional field used, - each ParentRef that selects the same object must set the same set of - optional fields to different values. If one ParentRef sets a - combination of optional fields, all must set the same combination. - - Some examples: - - * If one ParentRef sets `sectionName`, all ParentRefs referencing the - same object must also set `sectionName`. - * If one ParentRef sets `port`, all ParentRefs referencing the same - object must also set `port`. - * If one ParentRef sets `sectionName` and `port`, all ParentRefs - referencing the same object must also set `sectionName` and `port`. - - It is possible to separately reference multiple distinct objects that may - be collapsed by an implementation. For example, some implementations may - choose to merge compatible Gateway Listeners together. If that is the - case, the list of routes attached to those resources should also be - merged. 
- - Note that for ParentRefs that cross namespace boundaries, there are specific - rules. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example, - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable other kinds of cross-namespace reference. - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). There are two kinds of parent resources - with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - This API may be extended in the future to support additional kinds of parent - resources. - - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. 
When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. 
- - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. 
- - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - maxItems: 32 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: sectionName must be specified when parentRefs includes - 2 or more references to the same parent - rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ - == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) - || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName - == '''')) : true))' - - message: sectionName must be unique when parentRefs includes 2 or - more references to the same parent - rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ - == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) - || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName - == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName - == p2.sectionName)))) - rules: - default: - - matches: - - path: - type: PathPrefix - value: / - description: Rules are a list of HTTP matchers, filters and actions. - items: - description: |- - HTTPRouteRule defines semantics for matching an HTTP request based on - conditions (matches), processing it (filters), and forwarding the request to - an API object (backendRefs). - properties: - backendRefs: - description: |- - BackendRefs defines the backend(s) where matching requests should be - sent. 
- - Failure behavior here depends on how many BackendRefs are specified and - how many are invalid. - - If *all* entries in BackendRefs are invalid, and there are also no filters - specified in this route rule, *all* traffic which matches this rule MUST - receive a 500 status code. - - See the HTTPBackendRef definition for the rules about what makes a single - HTTPBackendRef invalid. - - When a HTTPBackendRef is invalid, 500 status codes MUST be returned for - requests that would have otherwise been routed to an invalid backend. If - multiple backends are specified, and some are invalid, the proportion of - requests that would otherwise have been routed to an invalid backend - MUST receive a 500 status code. - - For example, if two backends are specified with equal weights, and one is - invalid, 50 percent of traffic must receive a 500. Implementations may - choose how that 50 percent is determined. - - When a HTTPBackendRef refers to a Service that has no ready endpoints, - implementations SHOULD return a 503 for requests to that backend instead. - If an implementation chooses to do this, all of the above rules for 500 responses - MUST also apply for responses that return a 503. - - Support: Core for Kubernetes Service - - Support: Extended for Kubernetes ServiceImport - - Support: Implementation-specific for any other resource - - Support for weight: Core - items: - description: |- - HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. - - Note that when a namespace different than the local namespace is specified, a - ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - properties: - filters: - description: |- - Filters defined at this level should be executed if and only if the - request is being forwarded to the backend defined here. 
- - Support: Implementation-specific (For broader support of filters, use the - Filters field in HTTPRouteRule.) - items: - description: |- - HTTPRouteFilter defines processing steps that must be completed during the - request or response lifecycle. HTTPRouteFilters are meant as an extension - point to express processing that may be done in Gateway implementations. Some - examples include request or response modification, implementing - authentication strategies, rate-limiting, and traffic shaping. API - guarantee/conformance is defined based on the type of the filter. - properties: - extensionRef: - description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. - - This filter can be used multiple times within the same rule. - - Support: Implementation-specific - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For - example "HTTPRoute" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - requestHeaderModifier: - description: |- - RequestHeaderModifier defines a schema for a filter that modifies request - headers. - - Support: Core - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. 
- - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. 
- - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. - - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. - - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. - - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. - - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. - - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. - - Support: Extended for Kubernetes Service - - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. 
- - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind - == ''Service'') ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal - to denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. 
- format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be - specified in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - requestRedirect: - description: |- - RequestRedirect defines a schema for a filter that responds to the - request with an HTTP redirection. - - Support: Core - properties: - hostname: - description: |- - Hostname is the hostname to be used in the value of the `Location` - header in the response. - When empty, the hostname in the `Host` header of the request is used. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines parameters used to modify the path of the incoming request. - The modified path is then used to construct the `Location` header. When - empty, the request path is used as-is. - - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". - - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. - - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. 
- Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. - - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified - when type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? - has(self.replaceFullPath) : true' - - message: type must be 'ReplaceFullPath' when - replaceFullPath is set - rule: 'has(self.replaceFullPath) ? self.type - == ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified - when type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' - ? has(self.replacePrefixMatch) : true' - - message: type must be 'ReplacePrefixMatch' - when replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? self.type - == ''ReplacePrefixMatch'' : true' - port: - description: |- - Port is the port to be used in the value of the `Location` - header in the response. - - If no port is specified, the redirect port MUST be derived using the - following rules: - - * If redirect scheme is not-empty, the redirect port MUST be the well-known - port associated with the redirect scheme. Specifically "http" to port 80 - and "https" to port 443. If the redirect scheme does not have a - well-known port, the listener port of the Gateway SHOULD be used. 
- * If redirect scheme is empty, the redirect port MUST be the Gateway - Listener port. - - Implementations SHOULD NOT add the port number in the 'Location' - header in the following cases: - - * A Location header that will use HTTP (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 80. - * A Location header that will use HTTPS (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 443. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - scheme: - description: |- - Scheme is the scheme to be used in the value of the `Location` header in - the response. When empty, the scheme of the request is used. - - Scheme redirects can affect the port of the redirect, for more information, - refer to the documentation for the port field of this filter. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - - Support: Extended - enum: - - http - - https - type: string - statusCode: - default: 302 - description: |- - StatusCode is the HTTP status code to be used in response. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - - Support: Core - enum: - - 301 - - 302 - type: integer - type: object - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. 
It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. 
- - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: - description: |- - Type identifies the type of filter to apply. As with other API fields, - types are classified into three conformance levels: - - - Core: Filter types and their corresponding configuration defined by - "Support: Core" in this package, e.g. "RequestHeaderModifier". All - implementations must support core filters. - - - Extended: Filter types and their corresponding configuration defined by - "Support: Extended" in this package, e.g. "RequestMirror". Implementers - are encouraged to support extended filters. - - - Implementation-specific: Filters that are defined and supported by - specific vendors. - In the future, filters showing convergence in behavior across multiple - implementations will be considered for inclusion in extended or core - conformance levels. 
Filter-specific configuration for such filters - is specified using the ExtensionRef field. `Type` should be set to - "ExtensionRef" for custom filters. - - Implementers are encouraged to define custom implementation types to - extend the core API with implementation-specific behavior. - - If a reference to a custom filter type cannot be resolved, the filter - MUST NOT be skipped. Instead, requests that would have been processed by - that filter MUST receive a HTTP error response. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - RequestHeaderModifier - - ResponseHeaderModifier - - RequestMirror - - RequestRedirect - - URLRewrite - - ExtensionRef - type: string - urlRewrite: - description: |- - URLRewrite defines a schema for a filter that modifies a request during forwarding. - - Support: Extended - properties: - hostname: - description: |- - Hostname is the value to be used to replace the Host header value during - forwarding. - - Support: Extended - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines a path rewrite. - - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". - - Note that this matches the behavior of the PathPrefix match type. 
This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. - - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. - Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. - - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified - when type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? - has(self.replaceFullPath) : true' - - message: type must be 'ReplaceFullPath' when - replaceFullPath is set - rule: 'has(self.replaceFullPath) ? self.type - == ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified - when type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' - ? has(self.replacePrefixMatch) : true' - - message: type must be 'ReplacePrefixMatch' - when replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? 
self.type - == ''ReplacePrefixMatch'' : true' - type: object - required: - - type - type: object - x-kubernetes-validations: - - message: filter.requestHeaderModifier must be nil - if the filter.type is not RequestHeaderModifier - rule: '!(has(self.requestHeaderModifier) && self.type - != ''RequestHeaderModifier'')' - - message: filter.requestHeaderModifier must be specified - for RequestHeaderModifier filter.type - rule: '!(!has(self.requestHeaderModifier) && self.type - == ''RequestHeaderModifier'')' - - message: filter.responseHeaderModifier must be nil - if the filter.type is not ResponseHeaderModifier - rule: '!(has(self.responseHeaderModifier) && self.type - != ''ResponseHeaderModifier'')' - - message: filter.responseHeaderModifier must be specified - for ResponseHeaderModifier filter.type - rule: '!(!has(self.responseHeaderModifier) && self.type - == ''ResponseHeaderModifier'')' - - message: filter.requestMirror must be nil if the filter.type - is not RequestMirror - rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' - - message: filter.requestMirror must be specified for - RequestMirror filter.type - rule: '!(!has(self.requestMirror) && self.type == - ''RequestMirror'')' - - message: filter.requestRedirect must be nil if the - filter.type is not RequestRedirect - rule: '!(has(self.requestRedirect) && self.type != - ''RequestRedirect'')' - - message: filter.requestRedirect must be specified - for RequestRedirect filter.type - rule: '!(!has(self.requestRedirect) && self.type == - ''RequestRedirect'')' - - message: filter.urlRewrite must be nil if the filter.type - is not URLRewrite - rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' - - message: filter.urlRewrite must be specified for URLRewrite - filter.type - rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' - - message: filter.extensionRef must be nil if the filter.type - is not ExtensionRef - rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - 
- message: filter.extensionRef must be specified for - ExtensionRef filter.type - rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: May specify either httpRouteFilterRequestRedirect - or httpRouteFilterRequestRewrite, but not both - rule: '!(self.exists(f, f.type == ''RequestRedirect'') - && self.exists(f, f.type == ''URLRewrite''))' - - message: RequestHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'RequestHeaderModifier').size() - <= 1 - - message: ResponseHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() - <= 1 - - message: RequestRedirect filter cannot be repeated - rule: self.filter(f, f.type == 'RequestRedirect').size() - <= 1 - - message: URLRewrite filter cannot be repeated - rule: self.filter(f, f.type == 'URLRewrite').size() - <= 1 - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. 
- - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - weight: - default: 1 - description: |- - Weight specifies the proportion of requests forwarded to the referenced - backend. This is computed as weight/(sum of all weights in this - BackendRefs list). For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision an - implementation supports. Weight is not a percentage and the sum of - weights does not need to equal 100. - - If only one backend is specified and it has a weight greater than 0, 100% - of the traffic is forwarded to that backend. If weight is set to 0, no - traffic should be forwarded for this entry. If unspecified, weight - defaults to 1. - - Support for this field varies based on the context where used. 
- format: int32 - maximum: 1000000 - minimum: 0 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - filters: - description: |- - Filters define the filters that are applied to requests that match - this rule. - - Wherever possible, implementations SHOULD implement filters in the order - they are specified. - - Implementations MAY choose to implement this ordering strictly, rejecting - any combination or order of filters that cannot be supported. If implementations - choose a strict interpretation of filter ordering, they MUST clearly document - that behavior. - - To reject an invalid combination or order of filters, implementations SHOULD - consider the Route Rules with this configuration invalid. If all Route Rules - in a Route are invalid, the entire Route would be considered invalid. If only - a portion of Route Rules are invalid, implementations MUST set the - "PartiallyInvalid" condition for the Route. - - Conformance-levels at this level are defined based on the type of filter: - - - ALL core filters MUST be supported by all implementations. - - Implementers are encouraged to support extended filters. - - Implementation-specific custom filters have no API guarantees across - implementations. - - Specifying the same filter multiple times is not supported unless explicitly - indicated in the filter. - - All filters are expected to be compatible with each other except for the - URLRewrite and RequestRedirect filters, which may not be combined. If an - implementation cannot support other combinations of filters, they must clearly - document that limitation. 
In cases where incompatible or unsupported - filters are specified and cause the `Accepted` condition to be set to status - `False`, implementations may use the `IncompatibleFilters` reason to specify - this configuration error. - - Support: Core - items: - description: |- - HTTPRouteFilter defines processing steps that must be completed during the - request or response lifecycle. HTTPRouteFilters are meant as an extension - point to express processing that may be done in Gateway implementations. Some - examples include request or response modification, implementing - authentication strategies, rate-limiting, and traffic shaping. API - guarantee/conformance is defined based on the type of the filter. - properties: - extensionRef: - description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. - - This filter can be used multiple times within the same rule. - - Support: Implementation-specific - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For example - "HTTPRoute" or "Service". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - requestHeaderModifier: - description: |- - RequestHeaderModifier defines a schema for a filter that modifies request - headers. 
- - Support: Core - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. 
- - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. - - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. - - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. - - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. - - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. - - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. - - Support: Extended for Kubernetes Service - - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. 
- - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - fraction: - description: |- - Fraction represents the fraction of requests that should be - mirrored to BackendRef. - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. - properties: - denominator: - default: 100 - format: int32 - minimum: 1 - type: integer - numerator: - format: int32 - minimum: 0 - type: integer - required: - - numerator - type: object - x-kubernetes-validations: - - message: numerator must be less than or equal to - denominator - rule: self.numerator <= self.denominator - percent: - description: |- - Percent represents the percentage of requests that should be - mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - requests) and its maximum value is 100 (indicating 100% of requests). - - Only one of Fraction or Percent may be specified. If neither field - is specified, 100% of requests will be mirrored. 
- format: int32 - maximum: 100 - minimum: 0 - type: integer - required: - - backendRef - type: object - x-kubernetes-validations: - - message: Only one of percent or fraction may be specified - in HTTPRequestMirrorFilter - rule: '!(has(self.percent) && has(self.fraction))' - requestRedirect: - description: |- - RequestRedirect defines a schema for a filter that responds to the - request with an HTTP redirection. - - Support: Core - properties: - hostname: - description: |- - Hostname is the hostname to be used in the value of the `Location` - header in the response. - When empty, the hostname in the `Host` header of the request is used. - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines parameters used to modify the path of the incoming request. - The modified path is then used to construct the `Location` header. When - empty, the request path is used as-is. - - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". - - Note that this matches the behavior of the PathPrefix match type. This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. - - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. 
- Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. - - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified when - type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) - : true' - - message: type must be 'ReplaceFullPath' when replaceFullPath - is set - rule: 'has(self.replaceFullPath) ? self.type == - ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified when - type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) - : true' - - message: type must be 'ReplacePrefixMatch' when - replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? self.type - == ''ReplacePrefixMatch'' : true' - port: - description: |- - Port is the port to be used in the value of the `Location` - header in the response. - - If no port is specified, the redirect port MUST be derived using the - following rules: - - * If redirect scheme is not-empty, the redirect port MUST be the well-known - port associated with the redirect scheme. Specifically "http" to port 80 - and "https" to port 443. If the redirect scheme does not have a - well-known port, the listener port of the Gateway SHOULD be used. 
- * If redirect scheme is empty, the redirect port MUST be the Gateway - Listener port. - - Implementations SHOULD NOT add the port number in the 'Location' - header in the following cases: - - * A Location header that will use HTTP (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 80. - * A Location header that will use HTTPS (whether that is determined via - the Listener protocol or the Scheme field) _and_ use port 443. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - scheme: - description: |- - Scheme is the scheme to be used in the value of the `Location` header in - the response. When empty, the scheme of the request is used. - - Scheme redirects can affect the port of the redirect, for more information, - refer to the documentation for the port field of this filter. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - - Support: Extended - enum: - - http - - https - type: string - statusCode: - default: 302 - description: |- - StatusCode is the HTTP status code to be used in response. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - - Support: Core - enum: - - 301 - - 302 - type: integer - type: object - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. 
It appends to any existing values associated - with the header name. - - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - add: - - name: "my-header" - value: "bar,baz" - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - Config: - remove: ["my-header1", "my-header3"] - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. 
- - Input: - GET /foo HTTP/1.1 - my-header: foo - - Config: - set: - - name: "my-header" - value: "bar" - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: - description: |- - Type identifies the type of filter to apply. As with other API fields, - types are classified into three conformance levels: - - - Core: Filter types and their corresponding configuration defined by - "Support: Core" in this package, e.g. "RequestHeaderModifier". All - implementations must support core filters. - - - Extended: Filter types and their corresponding configuration defined by - "Support: Extended" in this package, e.g. "RequestMirror". Implementers - are encouraged to support extended filters. - - - Implementation-specific: Filters that are defined and supported by - specific vendors. - In the future, filters showing convergence in behavior across multiple - implementations will be considered for inclusion in extended or core - conformance levels. 
Filter-specific configuration for such filters - is specified using the ExtensionRef field. `Type` should be set to - "ExtensionRef" for custom filters. - - Implementers are encouraged to define custom implementation types to - extend the core API with implementation-specific behavior. - - If a reference to a custom filter type cannot be resolved, the filter - MUST NOT be skipped. Instead, requests that would have been processed by - that filter MUST receive a HTTP error response. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - RequestHeaderModifier - - ResponseHeaderModifier - - RequestMirror - - RequestRedirect - - URLRewrite - - ExtensionRef - type: string - urlRewrite: - description: |- - URLRewrite defines a schema for a filter that modifies a request during forwarding. - - Support: Extended - properties: - hostname: - description: |- - Hostname is the value to be used to replace the Host header value during - forwarding. - - Support: Extended - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - path: - description: |- - Path defines a path rewrite. - - Support: Extended - properties: - replaceFullPath: - description: |- - ReplaceFullPath specifies the value with which to replace the full path - of a request during a rewrite or redirect. - maxLength: 1024 - type: string - replacePrefixMatch: - description: |- - ReplacePrefixMatch specifies the value with which to replace the prefix - match of a request during a rewrite or redirect. For example, a request - to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch - of "/xyz" would be modified to "/xyz/bar". - - Note that this matches the behavior of the PathPrefix match type. 
This - matches full path elements. A path element refers to the list of labels - in the path split by the `/` separator. When specified, a trailing `/` is - ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all - match the prefix `/abc`, but the path `/abcd` would not. - - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. - Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in - the implementation setting the Accepted Condition for the Route to `status: False`. - - Request Path | Prefix Match | Replace Prefix | Modified Path - maxLength: 1024 - type: string - type: - description: |- - Type defines the type of path modifier. Additional types may be - added in a future release of the API. - - Note that values may be added to this enum, implementations - must ensure that unknown values will not cause a crash. - - Unknown values here must result in the implementation setting the - Accepted Condition for the Route to `status: False`, with a - Reason of `UnsupportedValue`. - enum: - - ReplaceFullPath - - ReplacePrefixMatch - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: replaceFullPath must be specified when - type is set to 'ReplaceFullPath' - rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) - : true' - - message: type must be 'ReplaceFullPath' when replaceFullPath - is set - rule: 'has(self.replaceFullPath) ? self.type == - ''ReplaceFullPath'' : true' - - message: replacePrefixMatch must be specified when - type is set to 'ReplacePrefixMatch' - rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) - : true' - - message: type must be 'ReplacePrefixMatch' when - replacePrefixMatch is set - rule: 'has(self.replacePrefixMatch) ? 
self.type - == ''ReplacePrefixMatch'' : true' - type: object - required: - - type - type: object - x-kubernetes-validations: - - message: filter.requestHeaderModifier must be nil if the - filter.type is not RequestHeaderModifier - rule: '!(has(self.requestHeaderModifier) && self.type != - ''RequestHeaderModifier'')' - - message: filter.requestHeaderModifier must be specified - for RequestHeaderModifier filter.type - rule: '!(!has(self.requestHeaderModifier) && self.type == - ''RequestHeaderModifier'')' - - message: filter.responseHeaderModifier must be nil if the - filter.type is not ResponseHeaderModifier - rule: '!(has(self.responseHeaderModifier) && self.type != - ''ResponseHeaderModifier'')' - - message: filter.responseHeaderModifier must be specified - for ResponseHeaderModifier filter.type - rule: '!(!has(self.responseHeaderModifier) && self.type - == ''ResponseHeaderModifier'')' - - message: filter.requestMirror must be nil if the filter.type - is not RequestMirror - rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' - - message: filter.requestMirror must be specified for RequestMirror - filter.type - rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' - - message: filter.requestRedirect must be nil if the filter.type - is not RequestRedirect - rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')' - - message: filter.requestRedirect must be specified for RequestRedirect - filter.type - rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')' - - message: filter.urlRewrite must be nil if the filter.type - is not URLRewrite - rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' - - message: filter.urlRewrite must be specified for URLRewrite - filter.type - rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' - - message: filter.extensionRef must be nil if the filter.type - is not ExtensionRef - rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - - 
message: filter.extensionRef must be specified for ExtensionRef - filter.type - rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: May specify either httpRouteFilterRequestRedirect - or httpRouteFilterRequestRewrite, but not both - rule: '!(self.exists(f, f.type == ''RequestRedirect'') && - self.exists(f, f.type == ''URLRewrite''))' - - message: RequestHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'RequestHeaderModifier').size() - <= 1 - - message: ResponseHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() - <= 1 - - message: RequestRedirect filter cannot be repeated - rule: self.filter(f, f.type == 'RequestRedirect').size() <= - 1 - - message: URLRewrite filter cannot be repeated - rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 - matches: - default: - - path: - type: PathPrefix - value: / - description: |- - Matches define conditions used for matching the rule against incoming - HTTP requests. Each match is independent, i.e. this rule will be matched - if **any** one of the matches is satisfied. - - For example, take the following matches configuration: - - ``` - matches: - - path: - value: "/foo" - headers: - - name: "version" - value: "v2" - - path: - value: "/v2/foo" - ``` - - For a request to match against this rule, a request must satisfy - EITHER of the two conditions: - - - path prefixed with `/foo` AND contains the header `version: v2` - - path prefix of `/v2/foo` - - See the documentation for HTTPRouteMatch on how to specify multiple - match conditions that should be ANDed together. - - If no matches are specified, the default is a prefix - path match on "/", which has the effect of matching every - HTTP request. 
- - Proxy or Load Balancer routing configuration generated from HTTPRoutes - MUST prioritize matches based on the following criteria, continuing on - ties. Across all rules specified on applicable Routes, precedence must be - given to the match having: - - * "Exact" path match. - * "Prefix" path match with largest number of characters. - * Method match. - * Largest number of header matches. - * Largest number of query param matches. - - Note: The precedence of RegularExpression path matches are implementation-specific. - - If ties still exist across multiple Routes, matching precedence MUST be - determined in order of the following criteria, continuing on ties: - - * The oldest Route based on creation timestamp. - * The Route appearing first in alphabetical order by - "{namespace}/{name}". - - If ties still exist within an HTTPRoute, matching precedence MUST be granted - to the FIRST matching rule (in list order) with a match meeting the above - criteria. - - When no rules matching a request have been successfully attached to the - parent a request is coming from, a HTTP 404 status code MUST be returned. - items: - description: "HTTPRouteMatch defines the predicate used to - match requests to a given\naction. Multiple match types - are ANDed together, i.e. the match will\nevaluate to true - only if all conditions are satisfied.\n\nFor example, the - match below will match a HTTP request only if its path\nstarts - with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n```" - properties: - headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. - items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. 
- properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - type: - default: Exact - description: |- - Type specifies how to match against the value of the header. - - Support: Core (Exact) - - Support: Implementation-specific (RegularExpression) - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. - enum: - - Exact - - RegularExpression - type: string - value: - description: Value is the value of HTTP Header to - be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. 
- - Support: Extended - enum: - - GET - - HEAD - - POST - - PUT - - DELETE - - CONNECT - - OPTIONS - - TRACE - - PATCH - type: string - path: - default: - type: PathPrefix - value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. - properties: - type: - default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - Support: Core (Exact, PathPrefix) - - Support: Implementation-specific (RegularExpression) - enum: - - Exact - - PathPrefix - - RegularExpression - type: string - value: - default: / - description: Value of the HTTP path to match against. - maxLength: 1024 - type: string - type: object - x-kubernetes-validations: - - message: value must be an absolute path and start with - '/' when type one of ['Exact', 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') - : true' - - message: must not contain '//' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'') - : true' - - message: must not contain '/./' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') - : true' - - message: must not contain '/../' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') - : true' - - message: must not contain '%2f' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') - : true' - - message: must not contain '%2F' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') - : true' - - message: must not contain '#' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? 
!self.value.contains(''#'') - : true' - - message: must not end with '/..' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') - : true' - - message: must not end with '/.' when type one of ['Exact', - 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'') - : true' - - message: type must be one of ['Exact', 'PathPrefix', - 'RegularExpression'] - rule: self.type in ['Exact','PathPrefix'] || self.type - == 'RegularExpression' - - message: must only contain valid characters (matching - ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) - for types ['Exact', 'PathPrefix'] - rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") - : true' - queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - Support: Extended - items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. - properties: - name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. 
- - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - type: - default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - Support: Extended (Exact) - - Support: Implementation-specific (RegularExpression) - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. - enum: - - Exact - - RegularExpression - type: string - value: - description: Value is the value of HTTP query param - to be matched. - maxLength: 1024 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - maxItems: 64 - type: array - x-kubernetes-list-type: atomic - name: - description: |- - Name is the name of the route rule. This name MUST be unique within a Route if it is set. - - Support: Extended - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - timeouts: - description: |- - Timeouts defines the timeouts that can be configured for an HTTP request. - - Support: Extended - properties: - backendRequest: - description: |- - BackendRequest specifies a timeout for an individual request from the gateway - to a backend. This covers the time from when the request first starts being - sent from the gateway to when the full response has been received from the backend. - - Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout - completely. 
Implementations that cannot completely disable the timeout MUST - instead interpret the zero duration as the longest possible value to which - the timeout can be set. - - An entire client HTTP transaction with a gateway, covered by the Request timeout, - may result in more than one call from the gateway to the destination backend, - for example, if automatic retries are supported. - - The value of BackendRequest must be a Gateway API Duration string as defined by - GEP-2257. When this field is unspecified, its behavior is implementation-specific; - when specified, the value of BackendRequest must be no more than the value of the - Request timeout (since the Request timeout encompasses the BackendRequest timeout). - - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - request: - description: |- - Request specifies the maximum duration for a gateway to respond to an HTTP request. - If the gateway has not been able to respond before this deadline is met, the gateway - MUST return a timeout error. - - For example, setting the `rules.timeouts.request` field to the value `10s` in an - `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds - to complete. - - Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout - completely. Implementations that cannot completely disable the timeout MUST - instead interpret the zero duration as the longest possible value to which - the timeout can be set. - - This timeout is intended to cover as close to the whole request-response transaction - as possible although an implementation MAY choose to start the timeout after the entire - request stream has been received instead of immediately after the transaction is - initiated by the client. - - The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - field is unspecified, request timeout behavior is implementation-specific. 
- - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - type: object - x-kubernetes-validations: - - message: backendRequest timeout cannot be longer than request - timeout - rule: '!(has(self.request) && has(self.backendRequest) && - duration(self.request) != duration(''0s'') && duration(self.backendRequest) - > duration(self.request))' - type: object - x-kubernetes-validations: - - message: RequestRedirect filter must not be used together with - backendRefs - rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ? - (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): - true' - - message: When using RequestRedirect filter with path.replacePrefixMatch, - exactly one PathPrefix match must be specified - rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) - && has(f.requestRedirect.path) && f.requestRedirect.path.type - == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) - ? ((size(self.matches) != 1 || !has(self.matches[0].path) || - self.matches[0].path.type != ''PathPrefix'') ? false : true) - : true' - - message: When using URLRewrite filter with path.replacePrefixMatch, - exactly one PathPrefix match must be specified - rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) - && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' - && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) - != 1 || !has(self.matches[0].path) || self.matches[0].path.type - != ''PathPrefix'') ? 
false : true) : true' - - message: Within backendRefs, when using RequestRedirect filter - with path.replacePrefixMatch, exactly one PathPrefix match must - be specified - rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, - (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) - && has(f.requestRedirect.path) && f.requestRedirect.path.type - == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) - )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) - || self.matches[0].path.type != ''PathPrefix'') ? false : true) - : true' - - message: Within backendRefs, When using URLRewrite filter with - path.replacePrefixMatch, exactly one PathPrefix match must be - specified - rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, - (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) - && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' - && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) - != 1 || !has(self.matches[0].path) || self.matches[0].path.type - != ''PathPrefix'') ? false : true) : true' - maxItems: 16 - type: array - x-kubernetes-list-type: atomic - x-kubernetes-validations: - - message: While 16 rules and 64 matches per rule are allowed, the - total number of matches across all rules in a route must be less - than 128 - rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() - > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() - : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() - > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() - : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() - > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() - : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() - > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() - : 0) + (self.size() > 12 ? 
self[12].matches.size() : 0) + (self.size() - > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() - : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' - type: object - status: - description: Status defines the current state of HTTPRoute. - properties: - parents: - description: |- - Parents is a list of parent resources (usually Gateways) that are - associated with the route, and the status of the route with respect to - each parent. When this route attaches to a parent, the controller that - manages the parent must add an entry to this list when the controller - first sees the route and should update the entry as appropriate when the - route or gateway is modified. - - Note that parent references that cannot be resolved by an implementation - of this API will not be added to this list. Implementations of this API - can only populate Route status for the Gateways/parent resources they are - responsible for. - - A maximum of 32 Gateways will be represented in this list. An empty list - means the route has not been attached to any Gateway. - items: - description: |- - RouteParentStatus describes the status of a route with respect to an - associated Parent. - properties: - conditions: - description: |- - Conditions describes the status of the route with respect to the Gateway. - Note that the route's availability is also subject to the Gateway's own - status conditions and listener status. - - If the Route's ParentRef specifies an existing Gateway that supports - Routes of this kind AND that Gateway's controller has sufficient access, - then that Gateway's controller MUST set the "Accepted" condition on the - Route, to indicate whether the route has been accepted or rejected by the - Gateway, and why. - - A Route MUST be considered "Accepted" if at least one of the Route's - rules is implemented by the Gateway. 
- - There are a number of cases where the "Accepted" condition may not be set - due to lack of controller visibility, that includes when: - - * The Route refers to a nonexistent parent. - * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - Example: "example.net/gateway-controller". - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - parentRef: - description: |- - ParentRef corresponds with a ParentRef in the spec that this - RouteParentStatus struct describes the status of. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. 
- - There are two kinds of parent resources with "Core" support: - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. 
- - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. 
- - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - required: - - conditions - - controllerName - - parentRef - type: object - maxItems: 32 - type: array - x-kubernetes-list-type: atomic - required: - - parents - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# -# config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml -# -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.4.0 - gateway.networking.k8s.io/channel: standard - name: referencegrants.gateway.networking.k8s.io -spec: - group: gateway.networking.k8s.io - names: - categories: - - gateway-api - kind: ReferenceGrant - listKind: ReferenceGrantList - plural: referencegrants - shortNames: - - refgrant - singular: referencegrant - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - ReferenceGrant identifies kinds of resources in other namespaces that are - trusted to reference the specified kinds of resources in the same namespace - as the policy. - - Each ReferenceGrant can be used to represent a unique trust relationship. - Additional Reference Grants can be used to add to the set of trusted - sources of inbound references for the namespace they are defined within. - - All cross-namespace references in Gateway API (with the exception of cross-namespace - Gateway-route attachment) require a ReferenceGrant. 
- - ReferenceGrant is a form of runtime verification allowing users to assert - which cross-namespace object references are permitted. Implementations that - support ReferenceGrant MUST NOT permit cross-namespace references which have - no grant, and MUST respond to the removal of a grant by revoking the access - that the grant allowed. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of ReferenceGrant. - properties: - from: - description: |- - From describes the trusted namespaces and kinds that can reference the - resources described in "To". Each entry in this list MUST be considered - to be an additional place that references can be valid from, or to put - this another way, entries MUST be combined using OR. - - Support: Core - items: - description: ReferenceGrantFrom describes trusted namespaces and - kinds. - properties: - group: - description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. 
Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field. - - When used to permit a SecretObjectReference: - - * Gateway - - When used to permit a BackendObjectReference: - - * GRPCRoute - * HTTPRoute - * TCPRoute - * TLSRoute - * UDPRoute - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - namespace: - description: |- - Namespace is the namespace of the referent. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - namespace - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - to: - description: |- - To describes the resources that may be referenced by the resources - described in "From". Each entry in this list MUST be considered to be an - additional place that references can be valid to, or to put this another - way, entries MUST be combined using OR. - - Support: Core - items: - description: |- - ReferenceGrantTo describes what Kinds are allowed as targets of the - references. - properties: - group: - description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field: - - * Secret when used to permit a SecretObjectReference - * Service when used to permit a BackendObjectReference - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. When unspecified, this policy - refers to all resources of the specified Group and Kind in the local - namespace. 
- maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - type: object - maxItems: 16 - minItems: 1 - type: array - x-kubernetes-list-type: atomic - required: - - from - - to - type: object - type: object - served: true - storage: true - subresources: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null - ---- -# Source: traefik/charts/traefik/crds/hub.traefik.io_accesscontrolpolicies.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.1 - name: accesscontrolpolicies.hub.traefik.io -spec: - group: hub.traefik.io - names: - kind: AccessControlPolicy - listKind: AccessControlPolicyList - plural: accesscontrolpolicies - singular: accesscontrolpolicy - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: AccessControlPolicy defines an access control policy. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AccessControlPolicySpec configures an access control policy. - properties: - apiKey: - description: AccessControlPolicyAPIKey configure an APIKey control - policy. 
- properties: - forwardHeaders: - additionalProperties: - type: string - description: ForwardHeaders instructs the middleware to forward - key metadata as header values upon successful authentication. - type: object - keySource: - description: KeySource defines how to extract API keys from requests. - properties: - cookie: - description: Cookie is the name of a cookie. - type: string - header: - description: Header is the name of a header. - type: string - headerAuthScheme: - description: |- - HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization". - If set, this scheme is removed from the token, and all requests not including it are dropped. - type: string - query: - description: Query is the name of a query parameter. - type: string - type: object - keys: - description: Keys define the set of authorized keys to access - a protected resource. - items: - description: AccessControlPolicyAPIKeyKey defines an API key. - properties: - id: - description: ID is the unique identifier of the key. - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds arbitrary metadata for this - key, can be used by ForwardHeaders. - type: object - value: - description: Value is the SHAKE-256 hash (using 64 bytes) - of the API key. - type: string - required: - - id - - value - type: object - type: array - required: - - keySource - type: object - basicAuth: - description: AccessControlPolicyBasicAuth holds the HTTP basic authentication - configuration. - properties: - forwardUsernameHeader: - type: string - realm: - type: string - stripAuthorizationHeader: - type: boolean - users: - items: - type: string - type: array - type: object - jwt: - description: AccessControlPolicyJWT configures a JWT access control - policy. 
- properties: - claims: - type: string - forwardHeaders: - additionalProperties: - type: string - type: object - jwksFile: - type: string - jwksUrl: - type: string - publicKey: - type: string - signingSecret: - type: string - signingSecretBase64Encoded: - type: boolean - stripAuthorizationHeader: - type: boolean - tokenQueryKey: - type: string - type: object - oAuthIntro: - description: AccessControlOAuthIntro configures an OAuth 2.0 Token - Introspection access control policy. - properties: - claims: - type: string - clientConfig: - description: AccessControlOAuthIntroClientConfig configures the - OAuth 2.0 client for issuing token introspection requests. - properties: - headers: - additionalProperties: - type: string - description: Headers to set when sending requests to the Authorization - Server. - type: object - maxRetries: - default: 3 - description: MaxRetries defines the number of retries for - introspection requests. - type: integer - timeoutSeconds: - default: 5 - description: TimeoutSeconds configures the maximum amount - of seconds to wait before giving up on requests. - type: integer - tls: - description: TLS configures TLS communication with the Authorization - Server. - properties: - ca: - description: CA sets the CA bundle used to sign the Authorization - Server certificate. - type: string - insecureSkipVerify: - description: |- - InsecureSkipVerify skips the Authorization Server certificate validation. - For testing purposes only, do not use in production. - type: boolean - type: object - tokenTypeHint: - description: |- - TokenTypeHint is a hint to pass to the Authorization Server. - See https://tools.ietf.org/html/rfc7662#section-2.1 for more information. - type: string - url: - description: URL of the Authorization Server. - type: string - required: - - url - type: object - forwardHeaders: - additionalProperties: - type: string - type: object - tokenSource: - description: |- - TokenSource describes how to extract tokens from HTTP requests. 
- If multiple sources are set, the order is the following: header > query > cookie. - properties: - cookie: - description: Cookie is the name of a cookie. - type: string - header: - description: Header is the name of a header. - type: string - headerAuthScheme: - description: |- - HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization". - If set, this scheme is removed from the token, and all requests not including it are dropped. - type: string - query: - description: Query is the name of a query parameter. - type: string - type: object - required: - - clientConfig - - tokenSource - type: object - oidc: - description: AccessControlPolicyOIDC holds the OIDC authentication - configuration. - properties: - authParams: - additionalProperties: - type: string - type: object - claims: - type: string - clientId: - type: string - disableAuthRedirectionPaths: - items: - type: string - type: array - forwardHeaders: - additionalProperties: - type: string - type: object - issuer: - type: string - logoutUrl: - type: string - redirectUrl: - type: string - scopes: - items: - type: string - type: array - secret: - description: |- - SecretReference represents a Secret Reference. It has enough information to retrieve secret - in any namespace - properties: - name: - description: name is unique within a namespace to reference - a secret resource. - type: string - namespace: - description: namespace defines the space within which the - secret name must be unique. - type: string - type: object - x-kubernetes-map-type: atomic - session: - description: Session holds session configuration. - properties: - domain: - type: string - path: - type: string - refresh: - type: boolean - sameSite: - type: string - secure: - type: boolean - type: object - stateCookie: - description: StateCookie holds state cookie configuration. 
- properties: - domain: - type: string - path: - type: string - sameSite: - type: string - secure: - type: boolean - type: object - type: object - oidcGoogle: - description: AccessControlPolicyOIDCGoogle holds the Google OIDC authentication - configuration. - properties: - authParams: - additionalProperties: - type: string - type: object - clientId: - type: string - emails: - description: Emails are the allowed emails to connect. - items: - type: string - minItems: 1 - type: array - forwardHeaders: - additionalProperties: - type: string - type: object - logoutUrl: - type: string - redirectUrl: - type: string - secret: - description: |- - SecretReference represents a Secret Reference. It has enough information to retrieve secret - in any namespace - properties: - name: - description: name is unique within a namespace to reference - a secret resource. - type: string - namespace: - description: namespace defines the space within which the - secret name must be unique. - type: string - type: object - x-kubernetes-map-type: atomic - session: - description: Session holds session configuration. - properties: - domain: - type: string - path: - type: string - refresh: - type: boolean - sameSite: - type: string - secure: - type: boolean - type: object - stateCookie: - description: StateCookie holds state cookie configuration. - properties: - domain: - type: string - path: - type: string - sameSite: - type: string - secure: - type: boolean - type: object - type: object - type: object - status: - description: The current status of this access control policy. 
- properties: - specHash: - type: string - syncedAt: - format: date-time - type: string - version: - type: string - type: object - type: object - served: true - storage: true - ---- -# Source: traefik/charts/traefik/crds/hub.traefik.io_aiservices.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.1 - name: aiservices.hub.traefik.io -spec: - group: hub.traefik.io - names: - kind: AIService - listKind: AIServiceList - plural: aiservices - singular: aiservice - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: AIService is a Kubernetes-like Service to interact with a text-based - LLM provider. It defines the parameters and credentials required to interact - with various LLM providers. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: The desired behavior of this AIService. - properties: - anthropic: - description: Anthropic configures Anthropic backend. - properties: - model: - type: string - params: - description: Params holds the LLM hyperparameters. 
- properties: - frequencyPenalty: - type: number - maxTokens: - type: integer - presencePenalty: - type: number - temperature: - type: number - topP: - type: number - type: object - token: - description: SecretReference references a kubernetes secret. - properties: - secretName: - maxLength: 253 - type: string - required: - - secretName - type: object - type: object - azureOpenai: - description: AzureOpenAI configures AzureOpenAI. - properties: - apiKeySecret: - description: SecretReference references a kubernetes secret. - properties: - secretName: - maxLength: 253 - type: string - required: - - secretName - type: object - baseUrl: - type: string - deploymentName: - type: string - model: - type: string - params: - description: Params holds the LLM hyperparameters. - properties: - frequencyPenalty: - type: number - maxTokens: - type: integer - presencePenalty: - type: number - temperature: - type: number - topP: - type: number - type: object - required: - - baseUrl - - deploymentName - type: object - bedrock: - description: Bedrock configures Bedrock backend. - properties: - model: - type: string - params: - description: Params holds the LLM hyperparameters. - properties: - frequencyPenalty: - type: number - maxTokens: - type: integer - presencePenalty: - type: number - temperature: - type: number - topP: - type: number - type: object - region: - type: string - systemMessage: - type: boolean - type: object - cohere: - description: Cohere configures Cohere backend. - properties: - model: - type: string - params: - description: Params holds the LLM hyperparameters. - properties: - frequencyPenalty: - type: number - maxTokens: - type: integer - presencePenalty: - type: number - temperature: - type: number - topP: - type: number - type: object - token: - description: SecretReference references a kubernetes secret. 
- properties: - secretName: - maxLength: 253 - type: string - required: - - secretName - type: object - type: object - deepSeek: - description: DeepSeek configures DeepSeek. - properties: - baseUrl: - type: string - model: - type: string - params: - description: Params holds the LLM hyperparameters. - properties: - frequencyPenalty: - type: number - maxTokens: - type: integer - presencePenalty: - type: number - temperature: - type: number - topP: - type: number - type: object - token: - description: SecretReference references a kubernetes secret. - properties: - secretName: - maxLength: 253 - type: string - required: - - secretName - type: object - type: object - gemini: - description: Gemini configures Gemini backend. - properties: - apiKey: - description: SecretReference references a kubernetes secret. - properties: - secretName: - maxLength: 253 - type: string - required: - - secretName - type: object - model: - type: string - params: - description: Params holds the LLM hyperparameters. - properties: - frequencyPenalty: - type: number - maxTokens: - type: integer - presencePenalty: - type: number - temperature: - type: number - topP: - type: number - type: object - type: object - mistral: - description: Mistral configures Mistral AI backend. - properties: - apiKey: - description: SecretReference references a kubernetes secret. - properties: - secretName: - maxLength: 253 - type: string - required: - - secretName - type: object - model: - type: string - params: - description: Params holds the LLM hyperparameters. - properties: - frequencyPenalty: - type: number - maxTokens: - type: integer - presencePenalty: - type: number - temperature: - type: number - topP: - type: number - type: object - type: object - ollama: - description: Ollama configures Ollama backend. - properties: - baseUrl: - type: string - model: - type: string - params: - description: Params holds the LLM hyperparameters. 
- properties: - frequencyPenalty: - type: number - maxTokens: - type: integer - presencePenalty: - type: number - temperature: - type: number - topP: - type: number - type: object - required: - - baseUrl - type: object - openai: - description: OpenAI configures OpenAI. - properties: - baseUrl: - type: string - model: - type: string - params: - description: Params holds the LLM hyperparameters. - properties: - frequencyPenalty: - type: number - maxTokens: - type: integer - presencePenalty: - type: number - temperature: - type: number - topP: - type: number - type: object - token: - description: SecretReference references a kubernetes secret. - properties: - secretName: - maxLength: 253 - type: string - required: - - secretName - type: object - type: object - qWen: - description: QWen configures QWen. - properties: - baseUrl: - type: string - model: - type: string - params: - description: Params holds the LLM hyperparameters. - properties: - frequencyPenalty: - type: number - maxTokens: - type: integer - presencePenalty: - type: number - temperature: - type: number - topP: - type: number - type: object - token: - description: SecretReference references a kubernetes secret. - properties: - secretName: - maxLength: 253 - type: string - required: - - secretName - type: object - type: object - type: object - type: object - served: true - storage: true - ---- -# Source: traefik/charts/traefik/crds/hub.traefik.io_apiauths.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.1 - name: apiauths.hub.traefik.io -spec: - group: hub.traefik.io - names: - kind: APIAuth - listKind: APIAuthList - plural: apiauths - singular: apiauth - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: APIAuth defines the authentication configuration for APIs. 
- properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: The desired behavior of this APIAuth. - properties: - apiKey: - description: APIKey configures API key authentication. - type: object - x-kubernetes-preserve-unknown-fields: true - isDefault: - description: |- - IsDefault specifies if this APIAuth should be used as the default API authentication method for the namespace. - Only one APIAuth per namespace should have isDefault set to true. - type: boolean - jwt: - description: JWT configures JWT authentication. - properties: - appIdClaim: - description: |- - AppIDClaim is the name of the claim holding the identifier of the application. - This field is sometimes named `client_id`. - type: string - forwardHeaders: - additionalProperties: - type: string - description: ForwardHeaders specifies additional headers to forward - with the request. - type: object - jwksFile: - description: JWKSFile contains the JWKS file content for JWT verification. - type: string - jwksUrl: - description: JWKSURL is the URL to fetch the JWKS for JWT verification. - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - publicKey: - description: PublicKey is the PEM-encoded public key for JWT verification. 
- type: string - signingSecretName: - description: |- - SigningSecretName is the name of the Kubernetes Secret containing the signing secret. - The secret must be of type Opaque and contain a key named 'value'. - maxLength: 253 - type: string - stripAuthorizationHeader: - description: StripAuthorizationHeader determines whether to strip - the Authorization header before forwarding the request. - type: boolean - tokenNameClaim: - description: |- - TokenNameClaim is the name of the claim holding the name of the token. - This name, if provided, will be used in the metrics. - type: string - tokenQueryKey: - description: TokenQueryKey specifies the query parameter name - for the JWT token. - type: string - required: - - appIdClaim - type: object - x-kubernetes-validations: - - message: exactly one of signingSecretName, publicKey, jwksFile, - or jwksUrl must be specified - rule: '[has(self.signingSecretName), has(self.publicKey), has(self.jwksFile), - has(self.jwksUrl)].filter(x, x).size() == 1' - ldap: - description: LDAP configures LDAP authentication. - properties: - attribute: - default: cn - description: |- - Attribute is the LDAP object attribute used to form a bind DN when sending bind queries. - The bind DN is formed as =,. - type: string - baseDn: - description: BaseDN is the base domain name that should be used - for bind and search queries. - type: string - bindDn: - description: |- - BindDN is the domain name to bind to in order to authenticate to the LDAP server when running in search mode. - If empty, an anonymous bind will be done. - type: string - bindPasswordSecretName: - description: |- - BindPasswordSecretName is the name of the Kubernetes Secret containing the password for the bind DN. - The secret must contain a key named 'password'. 
- maxLength: 253 - type: string - certificateAuthority: - description: |- - CertificateAuthority is a PEM-encoded certificate to use to establish a connection with the LDAP server if the - connection uses TLS but that the certificate was signed by a custom Certificate Authority. - type: string - insecureSkipVerify: - description: InsecureSkipVerify controls whether the server's - certificate chain and host name is verified. - type: boolean - searchFilter: - description: |- - SearchFilter is used to filter LDAP search queries. - Example: (&(objectClass=inetOrgPerson)(gidNumber=500)(uid=%s)) - %s can be used as a placeholder for the username. - type: string - startTls: - description: StartTLS instructs the middleware to issue a StartTLS - request when initializing the connection with the LDAP server. - type: boolean - url: - description: URL is the URL of the LDAP server, including the - protocol (ldap or ldaps) and the port. - type: string - x-kubernetes-validations: - - message: must be a valid LDAP URL - rule: isURL(self) && (self.startsWith('ldap://') || self.startsWith('ldaps://')) - required: - - baseDn - - url - type: object - required: - - isDefault - type: object - x-kubernetes-validations: - - message: exactly one authentication method must be specified - rule: '[has(self.apiKey), has(self.jwt), has(self.ldap)].filter(x, x).size() - == 1' - status: - description: The current status of this APIAuth. - properties: - hash: - description: Hash is a hash representing the APIAuth. 
- type: string - syncedAt: - format: date-time - type: string - version: - type: string - type: object - type: object - served: true - storage: true - ---- -# Source: traefik/charts/traefik/crds/hub.traefik.io_apibundles.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.1 - name: apibundles.hub.traefik.io -spec: - group: hub.traefik.io - names: - kind: APIBundle - listKind: APIBundleList - plural: apibundles - singular: apibundle - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: APIBundle defines a set of APIs. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: The desired behavior of this APIBundle. - properties: - apiSelector: - description: |- - APISelector selects the APIs that will be accessible to the configured audience. - Multiple APIBundles can select the same set of APIs. - This field is optional and follows standard label selector semantics. - An empty APISelector matches any API. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - apis: - description: |- - APIs defines a set of APIs that will be accessible to the configured audience. - Multiple APIBundles can select the same APIs. - When combined with APISelector, this set of APIs is appended to the matching APIs. - items: - description: APIReference references an API. - properties: - name: - description: Name of the API. - maxLength: 253 - type: string - required: - - name - type: object - maxItems: 100 - type: array - x-kubernetes-validations: - - message: duplicated apis - rule: self.all(x, self.exists_one(y, x.name == y.name)) - title: - description: Title is the human-readable name of the APIBundle that - will be used on the portal. 
- maxLength: 253 - type: string - type: object - status: - description: The current status of this APIBundle. - properties: - hash: - description: Hash is a hash representing the APIBundle. - type: string - syncedAt: - format: date-time - type: string - version: - type: string - type: object - type: object - served: true - storage: true - ---- -# Source: traefik/charts/traefik/crds/hub.traefik.io_apicatalogitems.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.1 - name: apicatalogitems.hub.traefik.io -spec: - group: hub.traefik.io - names: - kind: APICatalogItem - listKind: APICatalogItemList - plural: apicatalogitems - singular: apicatalogitem - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: APICatalogItem defines APIs that will be part of the API catalog - on the portal. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: The desired behavior of this APICatalogItem. - properties: - apiBundles: - description: |- - APIBundles defines a set of APIBundle that will be visible to the configured audience. - Multiple APICatalogItem can select the same APIBundles. - items: - description: APIBundleReference references an APIBundle. 
- properties: - name: - description: Name of the APIBundle. - maxLength: 253 - type: string - required: - - name - type: object - maxItems: 100 - type: array - x-kubernetes-validations: - - message: duplicated apiBundles - rule: self.all(x, self.exists_one(y, x.name == y.name)) - apiPlan: - description: |- - APIPlan defines which APIPlan will be available. - If multiple APICatalogItem specify the same API with different APIPlan, the API consumer will be able to pick - a plan from this list. - properties: - name: - description: Name of the APIPlan. - maxLength: 253 - type: string - required: - - name - type: object - apiSelector: - description: |- - APISelector selects the APIs that will be visible to the configured audience. - Multiple APICatalogItem can select the same set of APIs. - This field is optional and follows standard label selector semantics. - An empty APISelector matches any API. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - apis: - description: |- - APIs defines a set of APIs that will be visible to the configured audience. - Multiple APICatalogItem can select the same APIs. - When combined with APISelector, this set of APIs is appended to the matching APIs. - items: - description: APIReference references an API. - properties: - name: - description: Name of the API. - maxLength: 253 - type: string - required: - - name - type: object - maxItems: 100 - type: array - x-kubernetes-validations: - - message: duplicated apis - rule: self.all(x, self.exists_one(y, x.name == y.name)) - everyone: - description: Everyone indicates that all users will see these APIs. - type: boolean - groups: - description: Groups are the consumer groups that will see the APIs. - items: - type: string - type: array - operationFilter: - description: |- - OperationFilter specifies the visible operations on APIs and APIVersions. - If not set, all operations are available. - An empty OperationFilter prohibits all operations. - properties: - include: - description: Include defines the names of OperationSets that will - be accessible. - items: - type: string - maxItems: 100 - type: array - type: object - type: object - x-kubernetes-validations: - - message: groups and everyone are mutually exclusive - rule: '(has(self.everyone) && has(self.groups)) ? 
!(self.everyone && - self.groups.size() > 0) : true' - status: - description: The current status of this APICatalogItem. - properties: - hash: - description: Hash is a hash representing the APICatalogItem. - type: string - syncedAt: - format: date-time - type: string - version: - type: string - type: object - type: object - served: true - storage: true - ---- -# Source: traefik/charts/traefik/crds/hub.traefik.io_apiplans.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.1 - name: apiplans.hub.traefik.io -spec: - group: hub.traefik.io - names: - kind: APIPlan - listKind: APIPlanList - plural: apiplans - singular: apiplan - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: APIPlan defines API Plan policy. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: The desired behavior of this APIPlan. - properties: - description: - description: Description describes the plan. - type: string - quota: - description: Quota defines the quota policy. - properties: - bucket: - default: subscription - description: Bucket defines the bucket strategy for the quota. 
- enum: - - subscription - - application-api - - application - type: string - limit: - description: Limit is the maximum number of token in the bucket. - type: integer - x-kubernetes-validations: - - message: must be a positive number - rule: self >= 0 - period: - description: Period is the unit of time for the Limit. - format: duration - type: string - x-kubernetes-validations: - - message: must be between 1s and 9999h - rule: self >= duration('1s') && self <= duration('9999h') - required: - - limit - type: object - rateLimit: - description: RateLimit defines the rate limit policy. - properties: - bucket: - default: subscription - description: Bucket defines the bucket strategy for the rate limit. - enum: - - subscription - - application-api - - application - type: string - limit: - description: Limit is the maximum number of token in the bucket. - type: integer - x-kubernetes-validations: - - message: must be a positive number - rule: self >= 0 - period: - description: Period is the unit of time for the Limit. - format: duration - type: string - x-kubernetes-validations: - - message: must be between 1s and 1h - rule: self >= duration('1s') && self <= duration('1h') - required: - - limit - type: object - title: - description: Title is the human-readable name of the plan. - type: string - required: - - title - type: object - status: - description: The current status of this APIPlan. - properties: - hash: - description: Hash is a hash representing the APIPlan. 
- type: string - syncedAt: - format: date-time - type: string - version: - type: string - type: object - type: object - served: true - storage: true - ---- -# Source: traefik/charts/traefik/crds/hub.traefik.io_apiportalauths.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.1 - name: apiportalauths.hub.traefik.io -spec: - group: hub.traefik.io - names: - kind: APIPortalAuth - listKind: APIPortalAuthList - plural: apiportalauths - singular: apiportalauth - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: APIPortalAuth defines the authentication configuration for an - APIPortal. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: The desired behavior of this APIPortalAuth. - properties: - ldap: - description: LDAP configures the LDAP authentication. - properties: - attribute: - default: cn - description: |- - Attribute is the LDAP object attribute used to form a bind DN when sending bind queries. - The bind DN is formed as =,. - type: string - attributes: - description: Attributes configures LDAP attribute mappings for - user attributes. - properties: - company: - description: Company is the LDAP attribute for user company. 
- type: string - email: - description: Email is the LDAP attribute for user email. - type: string - firstname: - description: Firstname is the LDAP attribute for user first - name. - type: string - lastname: - description: Lastname is the LDAP attribute for user last - name. - type: string - userId: - description: UserID is the LDAP attribute for user ID mapping. - type: string - type: object - baseDn: - description: BaseDN is the base domain name that should be used - for bind and search queries. - type: string - bindDn: - description: |- - BindDN is the domain name to bind to in order to authenticate to the LDAP server when running in search mode. - If empty, an anonymous bind will be done. - type: string - bindPasswordSecretName: - description: |- - BindPasswordSecretName is the name of the Kubernetes Secret containing the password for the bind DN. - The secret must contain a key named 'password'. - maxLength: 253 - type: string - certificateAuthority: - description: |- - CertificateAuthority is a PEM-encoded certificate to use to establish a connection with the LDAP server if the - connection uses TLS but that the certificate was signed by a custom Certificate Authority. - type: string - groups: - description: Groups configures group extraction. - properties: - memberOfAttribute: - default: memberOf - description: MemberOfAttribute is the LDAP attribute containing - group memberships (e.g., "memberOf"). - type: string - type: object - insecureSkipVerify: - description: InsecureSkipVerify controls whether the server's - certificate chain and host name is verified. - type: boolean - searchFilter: - description: |- - SearchFilter is used to filter LDAP search queries. - Example: (&(objectClass=inetOrgPerson)(gidNumber=500)(uid=%s)) - %s can be used as a placeholder for the username. - type: string - startTls: - description: StartTLS instructs the middleware to issue a StartTLS - request when initializing the connection with the LDAP server. 
- type: boolean - syncedAttributes: - description: SyncedAttributes are the user attributes to synchronize - with Hub platform. - items: - enum: - - groups - - userId - - firstname - - lastname - - email - - company - type: string - maxItems: 6 - type: array - url: - description: URL is the URL of the LDAP server, including the - protocol (ldap or ldaps) and the port. - type: string - x-kubernetes-validations: - - message: must be a valid LDAP URL - rule: isURL(self) && (self.startsWith('ldap://') || self.startsWith('ldaps://')) - required: - - baseDn - - url - type: object - oidc: - description: OIDC configures the OIDC authentication. - properties: - claims: - description: Claims configures JWT claim mappings for user attributes. - properties: - company: - description: Company is the JWT claim for user company. - type: string - email: - description: Email is the JWT claim for user email. - type: string - firstname: - description: Firstname is the JWT claim for user first name. - type: string - groups: - description: Groups is the JWT claim for user groups. This - field is required for authorization. - type: string - lastname: - description: Lastname is the JWT claim for user last name. - type: string - userId: - description: UserID is the JWT claim for user ID mapping. - type: string - required: - - groups - type: object - issuerUrl: - description: IssuerURL is the OIDC provider issuer URL. - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - scopes: - description: Scopes is a list of OAuth2 scopes. - items: - type: string - type: array - secretName: - description: SecretName is the name of the Kubernetes Secret containing - clientId and clientSecret keys. - maxLength: 253 - type: string - syncedAttributes: - description: SyncedAttributes are the user attributes to synchronize - with Hub platform. 
- items: - enum: - - groups - - userId - - firstname - - lastname - - email - - company - type: string - maxItems: 6 - type: array - required: - - claims - - issuerUrl - - secretName - type: object - type: object - x-kubernetes-validations: - - message: exactly one of oidc or ldap must be specified - rule: '[has(self.oidc), has(self.ldap)].filter(x, x).size() == 1' - status: - description: The current status of this APIPortalAuth. - properties: - hash: - description: Hash is a hash representing the APIPortalAuth. - type: string - syncedAt: - format: date-time - type: string - version: - type: string - type: object - type: object - served: true - storage: true - ---- -# Source: traefik/charts/traefik/crds/hub.traefik.io_apiportals.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.1 - name: apiportals.hub.traefik.io -spec: - group: hub.traefik.io - names: - kind: APIPortal - listKind: APIPortalList - plural: apiportals - singular: apiportal - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: APIPortal defines a developer portal for accessing the documentation - of APIs. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: The desired behavior of this APIPortal. - properties: - auth: - description: Auth references the APIPortalAuth resource for authentication - configuration. - properties: - name: - description: Name is the name of the APIPortalAuth resource. - maxLength: 253 - type: string - required: - - name - type: object - description: - description: Description of the APIPortal. - type: string - title: - description: Title is the public facing name of the APIPortal. - type: string - trustedUrls: - description: TrustedURLs are the urls that are trusted by the OAuth - 2.0 authorization server. - items: - type: string - maxItems: 1 - minItems: 1 - type: array - x-kubernetes-validations: - - message: must be a valid URLs - rule: self.all(x, isURL(x)) - ui: - description: UI holds the UI customization options. - properties: - logoUrl: - description: LogoURL is the public URL of the logo. - type: string - type: object - required: - - trustedUrls - type: object - status: - description: The current status of this APIPortal. - properties: - hash: - description: Hash is a hash representing the APIPortal. - type: string - oidc: - description: OIDC is the OIDC configuration for accessing the exposed - APIPortal WebUI. - properties: - clientId: - description: ClientID is the OIDC ClientID for accessing the exposed - APIPortal WebUI. - type: string - companyClaim: - description: CompanyClaim is the name of the JWT claim containing - the user company. - type: string - emailClaim: - description: EmailClaim is the name of the JWT claim containing - the user email. - type: string - firstnameClaim: - description: FirstnameClaim is the name of the JWT claim containing - the user firstname. - type: string - generic: - description: Generic indicates whether or not the APIPortal authentication - relies on Generic OIDC. 
- type: boolean - groupsClaim: - description: GroupsClaim is the name of the JWT claim containing - the user groups. - type: string - issuer: - description: Issuer is the OIDC issuer for accessing the exposed - APIPortal WebUI. - type: string - lastnameClaim: - description: LastnameClaim is the name of the JWT claim containing - the user lastname. - type: string - scopes: - description: Scopes is the OIDC scopes for getting user attributes - during the authentication to the exposed APIPortal WebUI. - type: string - secretName: - description: SecretName is the name of the secret containing the - OIDC ClientSecret for accessing the exposed APIPortal WebUI. - type: string - syncedAttributes: - description: SyncedAttributes configure the user attributes to - sync. - items: - type: string - type: array - userIdClaim: - description: UserIDClaim is the name of the JWT claim containing - the user ID. - type: string - type: object - syncedAt: - format: date-time - type: string - version: - type: string - type: object - type: object - served: true - storage: true - ---- -# Source: traefik/charts/traefik/crds/hub.traefik.io_apiratelimits.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.1 - name: apiratelimits.hub.traefik.io -spec: - group: hub.traefik.io - names: - kind: APIRateLimit - listKind: APIRateLimitList - plural: apiratelimits - singular: apiratelimit - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: APIRateLimit defines how group of consumers are rate limited - on a set of APIs. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: The desired behavior of this APIRateLimit. - properties: - apiSelector: - description: |- - APISelector selects the APIs that will be rate limited. - Multiple APIRateLimits can select the same set of APIs. - This field is optional and follows standard label selector semantics. - An empty APISelector matches any API. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - apis: - description: |- - APIs defines a set of APIs that will be rate limited. - Multiple APIRateLimits can select the same APIs. - When combined with APISelector, this set of APIs is appended to the matching APIs. - items: - description: APIReference references an API. - properties: - name: - description: Name of the API. - maxLength: 253 - type: string - required: - - name - type: object - maxItems: 100 - type: array - x-kubernetes-validations: - - message: duplicated apis - rule: self.all(x, self.exists_one(y, x.name == y.name)) - everyone: - description: |- - Everyone indicates that all users will, by default, be rate limited with this configuration. - If an APIRateLimit explicitly target a group, the default rate limit will be ignored. - type: boolean - groups: - description: |- - Groups are the consumer groups that will be rate limited. - Multiple APIRateLimits can target the same set of consumer groups, the most restrictive one applies. - When a consumer belongs to multiple groups, the least restrictive APIRateLimit applies. - items: - type: string - type: array - limit: - description: Limit is the maximum number of token in the bucket. - type: integer - x-kubernetes-validations: - - message: must be a positive number - rule: self >= 0 - period: - description: Period is the unit of time for the Limit. - format: duration - type: string - x-kubernetes-validations: - - message: must be between 1s and 1h - rule: self >= duration('1s') && self <= duration('1h') - strategy: - description: |- - Strategy defines how the bucket state will be synchronized between the different Traefik Hub instances. - It can be, either "local" or "distributed". 
- enum: - - local - - distributed - type: string - required: - - limit - type: object - x-kubernetes-validations: - - message: groups and everyone are mutually exclusive - rule: '(has(self.everyone) && has(self.groups)) ? !(self.everyone && - self.groups.size() > 0) : true' - status: - description: The current status of this APIRateLimit. - properties: - hash: - description: Hash is a hash representing the APIRateLimit. - type: string - syncedAt: - format: date-time - type: string - version: - type: string - type: object - type: object - served: true - storage: true - ---- -# Source: traefik/charts/traefik/crds/hub.traefik.io_apis.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.1 - name: apis.hub.traefik.io -spec: - group: hub.traefik.io - names: - kind: API - listKind: APIList - plural: apis - singular: api - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - API defines an HTTP interface that is exposed to external clients. It specifies the supported versions - and provides instructions for accessing its documentation. Once instantiated, an API object is associated - with an Ingress, IngressRoute, or HTTPRoute resource, enabling the exposure of the described API to the outside world. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: APISpec describes the API. - properties: - cors: - description: Cors defines the Cross-Origin Resource Sharing configuration. - properties: - addVaryHeader: - description: AddVaryHeader defines whether the Vary header is - automatically added/updated when the AllowOriginsList is set. - type: boolean - allowCredentials: - description: AllowCredentials defines whether the request can - include user credentials. - type: boolean - allowHeadersList: - description: AllowHeadersList defines the Access-Control-Request-Headers - values sent in preflight response. - items: - type: string - type: array - allowMethodsList: - description: AllowMethodsList defines the Access-Control-Request-Method - values sent in preflight response. - items: - type: string - type: array - allowOriginListRegex: - description: AllowOriginListRegex is a list of allowable origins - written following the Regular Expression syntax (https://golang.org/pkg/regexp/). - items: - type: string - type: array - allowOriginsList: - description: AllowOriginsList is a list of allowable origins. - Can also be a wildcard origin "*". - items: - type: string - type: array - exposeHeadersList: - description: ExposeHeadersList defines the Access-Control-Expose-Headers - values sent in preflight response. - items: - type: string - type: array - maxAge: - description: MaxAge defines the time that a preflight request - may be cached. - format: int64 - type: integer - type: object - description: - description: Description explains what the API does. - type: string - openApiSpec: - description: OpenAPISpec defines the API contract as an OpenAPI specification. - properties: - operationSets: - description: OperationSets defines the sets of operations to be - referenced for granular filtering in APICatalogItems or ManagedSubscriptions. 
- items: - description: |- - OperationSet gives a name to a set of matching OpenAPI operations. - This set of operations can then be referenced for granular filtering in APICatalogItems or ManagedSubscriptions. - properties: - matchers: - description: Matchers defines a list of alternative rules - for matching OpenAPI operations. - items: - description: OperationMatcher defines criteria for matching - an OpenAPI operation. - minProperties: 1 - properties: - methods: - description: Methods specifies the HTTP methods to - be included for selection. - items: - type: string - maxItems: 10 - type: array - path: - description: Path specifies the exact path of the - operations to select. - maxLength: 255 - type: string - x-kubernetes-validations: - - message: must start with a '/' - rule: self.startsWith('/') - - message: cannot contains '../' - rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' - pathPrefix: - description: PathPrefix specifies the path prefix - of the operations to select. - maxLength: 255 - type: string - x-kubernetes-validations: - - message: must start with a '/' - rule: self.startsWith('/') - - message: cannot contains '../' - rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' - pathRegex: - description: PathRegex specifies a regular expression - pattern for matching operations based on their paths. - type: string - type: object - x-kubernetes-validations: - - message: path, pathPrefix and pathRegex are mutually - exclusive - rule: '[has(self.path), has(self.pathPrefix), has(self.pathRegex)].filter(x, - x).size() <= 1' - maxItems: 100 - minItems: 1 - type: array - name: - description: Name is the name of the OperationSet to reference - in APICatalogItems or ManagedSubscriptions. - maxLength: 253 - type: string - required: - - matchers - - name - type: object - maxItems: 100 - type: array - override: - description: Override holds data used to override OpenAPI specification. 
- properties: - servers: - items: - properties: - url: - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - required: - - url - type: object - maxItems: 100 - minItems: 1 - type: array - required: - - servers - type: object - path: - description: |- - Path specifies the endpoint path within the Kubernetes Service where the OpenAPI specification can be obtained. - The Service queried is determined by the associated Ingress, IngressRoute, or HTTPRoute resource to which the API is attached. - It's important to note that this option is incompatible if the Ingress or IngressRoute specifies multiple backend services. - The Path must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification. - maxLength: 255 - type: string - x-kubernetes-validations: - - message: must start with a '/' - rule: self.startsWith('/') - - message: cannot contains '../' - rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' - url: - description: |- - URL is a Traefik Hub agent accessible URL for obtaining the OpenAPI specification. - The URL must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification. - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - validateRequestMethodAndPath: - description: |- - ValidateRequestMethodAndPath validates that the path and method matches an operation defined in the OpenAPI specification. - This option overrides the default behavior configured in the static configuration. - type: boolean - type: object - x-kubernetes-validations: - - message: path or url must be defined - rule: has(self.path) || has(self.url) - title: - description: Title is the human-readable name of the API that will - be used on the portal. - maxLength: 253 - type: string - versions: - description: Versions are the different APIVersions available. 
- items: - description: APIVersionRef references an APIVersion. - properties: - name: - description: Name of the APIVersion. - maxLength: 253 - type: string - required: - - name - type: object - maxItems: 100 - minItems: 1 - type: array - type: object - status: - description: The current status of this API. - properties: - hash: - description: Hash is a hash representing the API. - type: string - syncedAt: - format: date-time - type: string - version: - type: string - type: object - type: object - served: true - storage: true - ---- -# Source: traefik/charts/traefik/crds/hub.traefik.io_apiversions.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.1 - name: apiversions.hub.traefik.io -spec: - group: hub.traefik.io - names: - kind: APIVersion - listKind: APIVersionList - plural: apiversions - singular: apiversion - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.title - name: Title - type: string - - jsonPath: .spec.release - name: Release - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: APIVersion defines a version of an API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: The desired behavior of this APIVersion. 
- properties: - cors: - description: Cors defines the Cross-Origin Resource Sharing configuration. - properties: - addVaryHeader: - description: AddVaryHeader defines whether the Vary header is - automatically added/updated when the AllowOriginsList is set. - type: boolean - allowCredentials: - description: AllowCredentials defines whether the request can - include user credentials. - type: boolean - allowHeadersList: - description: AllowHeadersList defines the Access-Control-Request-Headers - values sent in preflight response. - items: - type: string - type: array - allowMethodsList: - description: AllowMethodsList defines the Access-Control-Request-Method - values sent in preflight response. - items: - type: string - type: array - allowOriginListRegex: - description: AllowOriginListRegex is a list of allowable origins - written following the Regular Expression syntax (https://golang.org/pkg/regexp/). - items: - type: string - type: array - allowOriginsList: - description: AllowOriginsList is a list of allowable origins. - Can also be a wildcard origin "*". - items: - type: string - type: array - exposeHeadersList: - description: ExposeHeadersList defines the Access-Control-Expose-Headers - values sent in preflight response. - items: - type: string - type: array - maxAge: - description: MaxAge defines the time that a preflight request - may be cached. - format: int64 - type: integer - type: object - description: - description: Description explains what the APIVersion does. - type: string - openApiSpec: - description: OpenAPISpec defines the API contract as an OpenAPI specification. - properties: - operationSets: - description: OperationSets defines the sets of operations to be - referenced for granular filtering in APICatalogItems or ManagedSubscriptions. - items: - description: |- - OperationSet gives a name to a set of matching OpenAPI operations. - This set of operations can then be referenced for granular filtering in APICatalogItems or ManagedSubscriptions. 
- properties: - matchers: - description: Matchers defines a list of alternative rules - for matching OpenAPI operations. - items: - description: OperationMatcher defines criteria for matching - an OpenAPI operation. - minProperties: 1 - properties: - methods: - description: Methods specifies the HTTP methods to - be included for selection. - items: - type: string - maxItems: 10 - type: array - path: - description: Path specifies the exact path of the - operations to select. - maxLength: 255 - type: string - x-kubernetes-validations: - - message: must start with a '/' - rule: self.startsWith('/') - - message: cannot contains '../' - rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' - pathPrefix: - description: PathPrefix specifies the path prefix - of the operations to select. - maxLength: 255 - type: string - x-kubernetes-validations: - - message: must start with a '/' - rule: self.startsWith('/') - - message: cannot contains '../' - rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' - pathRegex: - description: PathRegex specifies a regular expression - pattern for matching operations based on their paths. - type: string - type: object - x-kubernetes-validations: - - message: path, pathPrefix and pathRegex are mutually - exclusive - rule: '[has(self.path), has(self.pathPrefix), has(self.pathRegex)].filter(x, - x).size() <= 1' - maxItems: 100 - minItems: 1 - type: array - name: - description: Name is the name of the OperationSet to reference - in APICatalogItems or ManagedSubscriptions. - maxLength: 253 - type: string - required: - - matchers - - name - type: object - maxItems: 100 - type: array - override: - description: Override holds data used to override OpenAPI specification. 
- properties: - servers: - items: - properties: - url: - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - required: - - url - type: object - maxItems: 100 - minItems: 1 - type: array - required: - - servers - type: object - path: - description: |- - Path specifies the endpoint path within the Kubernetes Service where the OpenAPI specification can be obtained. - The Service queried is determined by the associated Ingress, IngressRoute, or HTTPRoute resource to which the API is attached. - It's important to note that this option is incompatible if the Ingress or IngressRoute specifies multiple backend services. - The Path must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification. - maxLength: 255 - type: string - x-kubernetes-validations: - - message: must start with a '/' - rule: self.startsWith('/') - - message: cannot contains '../' - rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' - url: - description: |- - URL is a Traefik Hub agent accessible URL for obtaining the OpenAPI specification. - The URL must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification. - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - validateRequestMethodAndPath: - description: |- - ValidateRequestMethodAndPath validates that the path and method matches an operation defined in the OpenAPI specification. - This option overrides the default behavior configured in the static configuration. - type: boolean - type: object - x-kubernetes-validations: - - message: path or url must be defined - rule: has(self.path) || has(self.url) - release: - description: |- - Release is the version number of the API. 
- This value must follow the SemVer format: https://semver.org/ - maxLength: 100 - type: string - x-kubernetes-validations: - - message: must be a valid semver version - rule: self.matches(r"""^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$""") - title: - description: Title is the public facing name of the APIVersion. - type: string - required: - - release - type: object - status: - description: The current status of this APIVersion. - properties: - hash: - description: Hash is a hash representing the APIVersion. - type: string - syncedAt: - format: date-time - type: string - version: - type: string - type: object - type: object - served: true - storage: true - subresources: {} - ---- -# Source: traefik/charts/traefik/crds/hub.traefik.io_managedapplications.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.1 - name: managedapplications.hub.traefik.io -spec: - group: hub.traefik.io - names: - kind: ManagedApplication - listKind: ManagedApplicationList - plural: managedapplications - singular: managedapplication - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ManagedApplication represents a managed application. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ManagedApplicationSpec describes the ManagedApplication. - properties: - apiKeys: - description: APIKeys references the API keys used to authenticate - the application when calling APIs. - items: - properties: - secretName: - description: SecretName references the name of the secret containing - the API key. - maxLength: 253 - type: string - suspended: - type: boolean - title: - type: string - value: - description: Value is the API key value. - maxLength: 4096 - type: string - type: object - x-kubernetes-validations: - - message: secretName and value are mutually exclusive - rule: '[has(self.secretName), has(self.value)].filter(x, x).size() - <= 1' - maxItems: 100 - type: array - appId: - description: |- - AppID is the identifier of the ManagedApplication. - It should be unique. - maxLength: 253 - type: string - notes: - description: Notes contains notes about application. - type: string - owner: - description: |- - Owner represents the owner of the ManagedApplication. - It should be: - - `sub` when using OIDC - - `externalID` when using external IDP - maxLength: 253 - type: string - required: - - appId - - owner - type: object - status: - description: The current status of this ManagedApplication. - properties: - apiKeyVersions: - additionalProperties: - type: string - type: object - hash: - description: Hash is a hash representing the ManagedApplication. 
- type: string - syncedAt: - format: date-time - type: string - version: - type: string - type: object - type: object - served: true - storage: true - ---- -# Source: traefik/charts/traefik/crds/hub.traefik.io_managedsubscriptions.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.17.1 - name: managedsubscriptions.hub.traefik.io -spec: - group: hub.traefik.io - names: - kind: ManagedSubscription - listKind: ManagedSubscriptionList - plural: managedsubscriptions - singular: managedsubscription - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ManagedSubscription defines a Subscription managed by the API manager as the result of a pre-negotiation with its - API consumers. This subscription grant consuming access to a set of APIs to a set of Applications. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: The desired behavior of this ManagedSubscription. - properties: - apiBundles: - description: |- - APIBundles defines a set of APIBundle that will be accessible. - Multiple ManagedSubscriptions can select the same APIBundles. - items: - description: APIBundleReference references an APIBundle. 
- properties: - name: - description: Name of the APIBundle. - maxLength: 253 - type: string - required: - - name - type: object - maxItems: 100 - type: array - x-kubernetes-validations: - - message: duplicated apiBundles - rule: self.all(x, self.exists_one(y, x.name == y.name)) - apiPlan: - description: APIPlan defines which APIPlan will be used. - properties: - name: - description: Name of the APIPlan. - maxLength: 253 - type: string - required: - - name - type: object - apiSelector: - description: |- - APISelector selects the APIs that will be accessible. - Multiple ManagedSubscriptions can select the same set of APIs. - This field is optional and follows standard label selector semantics. - An empty APISelector matches any API. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - apis: - description: |- - APIs defines a set of APIs that will be accessible. - Multiple ManagedSubscriptions can select the same APIs. - When combined with APISelector, this set of APIs is appended to the matching APIs. - items: - description: APIReference references an API. - properties: - name: - description: Name of the API. - maxLength: 253 - type: string - required: - - name - type: object - maxItems: 100 - type: array - x-kubernetes-validations: - - message: duplicated apis - rule: self.all(x, self.exists_one(y, x.name == y.name)) - applications: - description: |- - Applications references the Applications that will gain access to the specified APIs. - Multiple ManagedSubscriptions can select the same AppID. - Deprecated: Use ManagedApplications instead. - items: - description: ApplicationReference references an Application. - properties: - appId: - description: |- - AppID is the public identifier of the application. - In the case of OIDC, it corresponds to the clientId. - maxLength: 253 - type: string - required: - - appId - type: object - maxItems: 100 - type: array - claims: - description: Claims specifies an expression that validate claims in - order to authorize the request. - type: string - managedApplications: - description: |- - ManagedApplications references the ManagedApplications that will gain access to the specified APIs. - Multiple ManagedSubscriptions can select the same ManagedApplication. - items: - description: ManagedApplicationReference references a ManagedApplication. - properties: - name: - description: Name is the name of the ManagedApplication. 
- maxLength: 253 - type: string - required: - - name - type: object - maxItems: 100 - type: array - x-kubernetes-validations: - - message: duplicated managed applications - rule: self.all(x, self.exists_one(y, x.name == y.name)) - operationFilter: - description: |- - OperationFilter specifies the allowed operations on APIs and APIVersions. - If not set, all operations are available. - An empty OperationFilter prohibits all operations. - properties: - include: - description: Include defines the names of OperationSets that will - be accessible. - items: - type: string - maxItems: 100 - type: array - type: object - weight: - description: |- - Weight specifies the evaluation order of the APIPlan. - When multiple ManagedSubscriptions targets the same API and Application with different APIPlan, - the APIPlan with the highest weight will be enforced. If weights are equal, alphabetical order is used. - type: integer - x-kubernetes-validations: - - message: must be a positive number - rule: self >= 0 - required: - - apiPlan - type: object - status: - description: The current status of this ManagedSubscription. - properties: - hash: - description: Hash is a hash representing the ManagedSubscription. - type: string - syncedAt: - format: date-time - type: string - version: - type: string - type: object - type: object - served: true - storage: true - ---- -# Source: traefik/charts/traefik/crds/traefik.io_ingressroutes.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.1 - name: ingressroutes.traefik.io -spec: - group: traefik.io - names: - kind: IngressRoute - listKind: IngressRouteList - plural: ingressroutes - singular: ingressroute - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: IngressRoute is the CRD implementation of a Traefik HTTP Router. 
- properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IngressRouteSpec defines the desired state of IngressRoute. - properties: - entryPoints: - description: |- - EntryPoints defines the list of entry point names to bind to. - Entry points have to be configured in the static configuration. - More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/entrypoints/ - Default: all. - items: - type: string - type: array - parentRefs: - description: |- - ParentRefs defines references to parent IngressRoute resources for multi-layer routing. - When set, this IngressRoute's routers will be children of the referenced parent IngressRoute's routers. - More info: https://doc.traefik.io/traefik/v3.6/routing/routers/#parentrefs - items: - description: IngressRouteRef is a reference to an IngressRoute resource. - properties: - name: - description: Name defines the name of the referenced IngressRoute - resource. - type: string - namespace: - description: Namespace defines the namespace of the referenced - IngressRoute resource. - type: string - required: - - name - type: object - type: array - routes: - description: Routes defines the list of routes. - items: - description: Route holds the HTTP route configuration. 
- properties: - kind: - description: |- - Kind defines the kind of the route. - Rule is the only supported kind. - If not defined, defaults to Rule. - enum: - - Rule - type: string - match: - description: |- - Match defines the router's rule. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/ - type: string - middlewares: - description: |- - Middlewares defines the list of references to Middleware resources. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/middleware/ - items: - description: MiddlewareRef is a reference to a Middleware - resource. - properties: - name: - description: Name defines the name of the referenced Middleware - resource. - type: string - namespace: - description: Namespace defines the namespace of the referenced - Middleware resource. - type: string - required: - - name - type: object - type: array - observability: - description: |- - Observability defines the observability configuration for a router. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/observability/ - properties: - accessLogs: - description: AccessLogs enables access logs for this router. - type: boolean - metrics: - description: Metrics enables metrics for this router. - type: boolean - traceVerbosity: - default: minimal - description: TraceVerbosity defines the verbosity level - of the tracing for this router. - enum: - - minimal - - detailed - type: string - tracing: - description: Tracing enables tracing for this router. - type: boolean - type: object - priority: - description: |- - Priority defines the router's priority. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/#priority - maximum: 9223372036854775000 - type: integer - services: - description: |- - Services defines the list of Service. 
- It can contain any combination of TraefikService and/or reference to a Kubernetes Service. - items: - description: Service defines an upstream HTTP service to proxy - traffic to. - properties: - healthCheck: - description: Healthcheck defines health checks for ExternalName - services. - properties: - followRedirects: - description: |- - FollowRedirects defines whether redirects should be followed during the health check calls. - Default: true - type: boolean - headers: - additionalProperties: - type: string - description: Headers defines custom headers to be - sent to the health check endpoint. - type: object - hostname: - description: Hostname defines the value of hostname - in the Host header of the health check request. - type: string - interval: - anyOf: - - type: integer - - type: string - description: |- - Interval defines the frequency of the health check calls for healthy targets. - Default: 30s - x-kubernetes-int-or-string: true - method: - description: Method defines the healthcheck method. - type: string - mode: - description: |- - Mode defines the health check mode. - If defined to grpc, will use the gRPC health check protocol to probe the server. - Default: http - type: string - path: - description: Path defines the server URL path for - the health check endpoint. - type: string - port: - description: Port defines the server URL port for - the health check endpoint. - type: integer - scheme: - description: Scheme replaces the server URL scheme - for the health check endpoint. - type: string - status: - description: Status defines the expected HTTP status - code of the response to the health check request. - type: integer - timeout: - anyOf: - - type: integer - - type: string - description: |- - Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. 
- Default: 5s - x-kubernetes-int-or-string: true - unhealthyInterval: - anyOf: - - type: integer - - type: string - description: |- - UnhealthyInterval defines the frequency of the health check calls for unhealthy targets. - When UnhealthyInterval is not defined, it defaults to the Interval value. - Default: 30s - x-kubernetes-int-or-string: true - type: object - kind: - description: Kind defines the kind of the Service. - enum: - - Service - - TraefikService - type: string - name: - description: |- - Name defines the name of the referenced Kubernetes Service or TraefikService. - The differentiation between the two is specified in the Kind field. - type: string - namespace: - description: Namespace defines the namespace of the referenced - Kubernetes Service or TraefikService. - type: string - nativeLB: - description: |- - NativeLB controls, when creating the load-balancer, - whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. - The Kubernetes Service itself does load-balance to the pods. - By default, NativeLB is false. - type: boolean - nodePortLB: - description: |- - NodePortLB controls, when creating the load-balancer, - whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. - It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. - By default, NodePortLB is false. - type: boolean - passHostHeader: - description: |- - PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. - By default, passHostHeader is true. - type: boolean - passiveHealthCheck: - description: PassiveHealthCheck defines passive health - checks for ExternalName services. 
- properties: - failureWindow: - anyOf: - - type: integer - - type: string - description: FailureWindow defines the time window - during which the failed attempts must occur for - the server to be marked as unhealthy. It also defines - for how long the server will be considered unhealthy. - x-kubernetes-int-or-string: true - maxFailedAttempts: - description: MaxFailedAttempts is the number of consecutive - failed attempts allowed within the failure window - before marking the server as unhealthy. - type: integer - type: object - port: - anyOf: - - type: integer - - type: string - description: |- - Port defines the port of a Kubernetes Service. - This can be a reference to a named port. - x-kubernetes-int-or-string: true - responseForwarding: - description: ResponseForwarding defines how Traefik forwards - the response from the upstream Kubernetes Service to - the client. - properties: - flushInterval: - description: |- - FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. - A negative value means to flush immediately after each write to the client. - This configuration is ignored when ReverseProxy recognizes a response as a streaming response; - for such responses, writes are flushed to the client immediately. - Default: 100ms - type: string - type: object - scheme: - description: |- - Scheme defines the scheme to use for the request to the upstream Kubernetes Service. - It defaults to https when Kubernetes Service port is 443, http otherwise. - type: string - serversTransport: - description: |- - ServersTransport defines the name of ServersTransport resource to use. - It allows to configure the transport between Traefik and your servers. - Can only be used on a Kubernetes Service. - type: string - sticky: - description: |- - Sticky defines the sticky sessions configuration. 
- More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions - properties: - cookie: - description: Cookie defines the sticky cookie configuration. - properties: - domain: - description: |- - Domain defines the host to which the cookie will be sent. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value - type: string - httpOnly: - description: HTTPOnly defines whether the cookie - can be accessed by client-side APIs, such as - JavaScript. - type: boolean - maxAge: - description: |- - MaxAge defines the number of seconds until the cookie expires. - When set to a negative number, the cookie expires immediately. - When set to zero, the cookie never expires. - type: integer - name: - description: Name defines the Cookie name. - type: string - path: - description: |- - Path defines the path that must exist in the requested URL for the browser to send the Cookie header. - When not provided the cookie will be sent on every request to the domain. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value - type: string - sameSite: - description: |- - SameSite defines the same site policy. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite - enum: - - none - - lax - - strict - type: string - secure: - description: Secure defines whether the cookie - can only be transmitted over an encrypted connection - (i.e. HTTPS). - type: boolean - type: object - type: object - strategy: - description: |- - Strategy defines the load balancing strategy between the servers. - Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time). - RoundRobin value is deprecated and supported for backward compatibility. 
- enum: - - wrr - - p2c - - hrw - - leasttime - - RoundRobin - type: string - weight: - description: |- - Weight defines the weight and should only be specified when Name references a TraefikService object - (and to be precise, one that embeds a Weighted Round Robin). - minimum: 0 - type: integer - required: - - name - type: object - type: array - syntax: - description: |- - Syntax defines the router's rule syntax. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/#rulesyntax - Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax. - type: string - required: - - match - type: object - type: array - tls: - description: |- - TLS defines the TLS configuration. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/router/#tls - properties: - certResolver: - description: |- - CertResolver defines the name of the certificate resolver to use. - Cert resolvers have to be configured in the static configuration. - More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/tls/certificate-resolvers/acme/ - type: string - domains: - description: |- - Domains defines the list of domains that will be used to issue certificates. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#domains - items: - description: Domain holds a domain name with SANs. - properties: - main: - description: Main defines the main domain name. - type: string - sans: - description: SANs defines the subject alternative domain - names. - items: - type: string - type: array - type: object - type: array - options: - description: |- - Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection. - If not defined, the `default` TLSOption is used. 
- More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-options/ - properties: - name: - description: |- - Name defines the name of the referenced TLSOption. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsoption/ - type: string - namespace: - description: |- - Namespace defines the namespace of the referenced TLSOption. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsoption/ - type: string - required: - - name - type: object - secretName: - description: SecretName is the name of the referenced Kubernetes - Secret to specify the certificate details. - type: string - store: - description: |- - Store defines the reference to the TLSStore, that will be used to store certificates. - Please note that only `default` TLSStore can be used. - properties: - name: - description: |- - Name defines the name of the referenced TLSStore. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsstore/ - type: string - namespace: - description: |- - Namespace defines the namespace of the referenced TLSStore. 
- More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsstore/ - type: string - required: - - name - type: object - type: object - required: - - routes - type: object - required: - - metadata - - spec - type: object - served: true - storage: true ---- -# Source: traefik/charts/traefik/crds/traefik.io_ingressroutetcps.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.1 - name: ingressroutetcps.traefik.io -spec: - group: traefik.io - names: - kind: IngressRouteTCP - listKind: IngressRouteTCPList - plural: ingressroutetcps - singular: ingressroutetcp - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP. - properties: - entryPoints: - description: |- - EntryPoints defines the list of entry point names to bind to. - Entry points have to be configured in the static configuration. - More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/entrypoints/ - Default: all. 
- items: - type: string - type: array - routes: - description: Routes defines the list of routes. - items: - description: RouteTCP holds the TCP route configuration. - properties: - match: - description: |- - Match defines the router's rule. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/ - type: string - middlewares: - description: Middlewares defines the list of references to MiddlewareTCP - resources. - items: - description: ObjectReference is a generic reference to a Traefik - resource. - properties: - name: - description: Name defines the name of the referenced Traefik - resource. - type: string - namespace: - description: Namespace defines the namespace of the referenced - Traefik resource. - type: string - required: - - name - type: object - type: array - priority: - description: |- - Priority defines the router's priority. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/#priority - maximum: 9223372036854775000 - type: integer - services: - description: Services defines the list of TCP services. - items: - description: ServiceTCP defines an upstream TCP service to - proxy traffic to. - properties: - name: - description: Name defines the name of the referenced Kubernetes - Service. - type: string - namespace: - description: Namespace defines the namespace of the referenced - Kubernetes Service. - type: string - nativeLB: - description: |- - NativeLB controls, when creating the load-balancer, - whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. - The Kubernetes Service itself does load-balance to the pods. - By default, NativeLB is false. - type: boolean - nodePortLB: - description: |- - NodePortLB controls, when creating the load-balancer, - whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. 
- It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. - By default, NodePortLB is false. - type: boolean - port: - anyOf: - - type: integer - - type: string - description: |- - Port defines the port of a Kubernetes Service. - This can be a reference to a named port. - x-kubernetes-int-or-string: true - proxyProtocol: - description: |- - ProxyProtocol defines the PROXY protocol configuration. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/service/#proxy-protocol - Deprecated: ProxyProtocol will not be supported in future APIVersions, please use ServersTransport to configure ProxyProtocol instead. - properties: - version: - description: Version defines the PROXY Protocol version - to use. - maximum: 2 - minimum: 1 - type: integer - type: object - serversTransport: - description: |- - ServersTransport defines the name of ServersTransportTCP resource to use. - It allows to configure the transport between Traefik and your servers. - Can only be used on a Kubernetes Service. - type: string - terminationDelay: - description: |- - TerminationDelay defines the deadline that the proxy sets, after one of its connected peers indicates - it has closed the writing capability of its connection, to close the reading capability as well, - hence fully terminating the connection. - It is a duration in milliseconds, defaulting to 100. - A negative value means an infinite deadline (i.e. the reading capability is never closed). - Deprecated: TerminationDelay will not be supported in future APIVersions, please use ServersTransport to configure the TerminationDelay instead. - type: integer - tls: - description: TLS determines whether to use TLS when dialing - with the backend. - type: boolean - weight: - description: Weight defines the weight used when balancing - requests between multiple Kubernetes Service. 
- minimum: 0 - type: integer - required: - - name - - port - type: object - type: array - syntax: - description: |- - Syntax defines the router's rule syntax. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/#rulesyntax - Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax. - enum: - - v3 - - v2 - type: string - required: - - match - type: object - type: array - tls: - description: |- - TLS defines the TLS configuration on a layer 4 / TCP Route. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/router/#tls - properties: - certResolver: - description: |- - CertResolver defines the name of the certificate resolver to use. - Cert resolvers have to be configured in the static configuration. - More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/tls/certificate-resolvers/acme/ - type: string - domains: - description: |- - Domains defines the list of domains that will be used to issue certificates. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/tls/#domains - items: - description: Domain holds a domain name with SANs. - properties: - main: - description: Main defines the main domain name. - type: string - sans: - description: SANs defines the subject alternative domain - names. - items: - type: string - type: array - type: object - type: array - options: - description: |- - Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection. - If not defined, the `default` TLSOption is used. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/tls/#tls-options - properties: - name: - description: Name defines the name of the referenced Traefik - resource. - type: string - namespace: - description: Namespace defines the namespace of the referenced - Traefik resource. 
- type: string - required: - - name - type: object - passthrough: - description: Passthrough defines whether a TLS router will terminate - the TLS connection. - type: boolean - secretName: - description: SecretName is the name of the referenced Kubernetes - Secret to specify the certificate details. - type: string - store: - description: |- - Store defines the reference to the TLSStore, that will be used to store certificates. - Please note that only `default` TLSStore can be used. - properties: - name: - description: Name defines the name of the referenced Traefik - resource. - type: string - namespace: - description: Namespace defines the namespace of the referenced - Traefik resource. - type: string - required: - - name - type: object - type: object - required: - - routes - type: object - required: - - metadata - - spec - type: object - served: true - storage: true ---- -# Source: traefik/charts/traefik/crds/traefik.io_ingressrouteudps.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.1 - name: ingressrouteudps.traefik.io -spec: - group: traefik.io - names: - kind: IngressRouteUDP - listKind: IngressRouteUDPList - plural: ingressrouteudps - singular: ingressrouteudp - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. 
- Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP. - properties: - entryPoints: - description: |- - EntryPoints defines the list of entry point names to bind to. - Entry points have to be configured in the static configuration. - More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/entrypoints/ - Default: all. - items: - type: string - type: array - routes: - description: Routes defines the list of routes. - items: - description: RouteUDP holds the UDP route configuration. - properties: - services: - description: Services defines the list of UDP services. - items: - description: ServiceUDP defines an upstream UDP service to - proxy traffic to. - properties: - name: - description: Name defines the name of the referenced Kubernetes - Service. - type: string - namespace: - description: Namespace defines the namespace of the referenced - Kubernetes Service. - type: string - nativeLB: - description: |- - NativeLB controls, when creating the load-balancer, - whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. - The Kubernetes Service itself does load-balance to the pods. - By default, NativeLB is false. - type: boolean - nodePortLB: - description: |- - NodePortLB controls, when creating the load-balancer, - whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. - It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. - By default, NodePortLB is false. - type: boolean - port: - anyOf: - - type: integer - - type: string - description: |- - Port defines the port of a Kubernetes Service. - This can be a reference to a named port. 
- x-kubernetes-int-or-string: true - weight: - description: Weight defines the weight used when balancing - requests between multiple Kubernetes Service. - minimum: 0 - type: integer - required: - - name - - port - type: object - type: array - type: object - type: array - required: - - routes - type: object - required: - - metadata - - spec - type: object - served: true - storage: true ---- -# Source: traefik/charts/traefik/crds/traefik.io_middlewares.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.1 - name: middlewares.traefik.io -spec: - group: traefik.io - names: - kind: Middleware - listKind: MiddlewareList - plural: middlewares - singular: middleware - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Middleware is the CRD implementation of a Traefik Middleware. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/overview/ - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: MiddlewareSpec defines the desired state of a Middleware. - properties: - addPrefix: - description: |- - AddPrefix holds the add prefix middleware configuration. 
- This middleware updates the path of a request before forwarding it. - More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/addprefix/ - properties: - prefix: - description: |- - Prefix is the string to add before the current path in the requested URL. - It should include a leading slash (/). - type: string - x-kubernetes-validations: - - message: must start with a '/' - rule: self.startsWith('/') - type: object - basicAuth: - description: |- - BasicAuth holds the basic auth middleware configuration. - This middleware restricts access to your services to known users. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/basicauth/ - properties: - headerField: - description: |- - HeaderField defines a header field to store the authenticated user. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/basicauth/#headerfield - type: string - realm: - description: |- - Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme. - Default: traefik. - type: string - removeHeader: - description: |- - RemoveHeader sets the removeHeader option to true to remove the authorization header before forwarding the request to your service. - Default: false. - type: boolean - secret: - description: Secret is the name of the referenced Kubernetes Secret - containing user credentials. - type: string - type: object - buffering: - description: |- - Buffering holds the buffering middleware configuration. - This middleware retries or limits the size of requests that can be forwarded to backends. - More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/buffering/#maxrequestbodybytes - properties: - maxRequestBodyBytes: - description: |- - MaxRequestBodyBytes defines the maximum allowed body size for the request (in bytes). 
- If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a 413 (Request Entity Too Large) response. - Default: 0 (no maximum). - format: int64 - type: integer - maxResponseBodyBytes: - description: |- - MaxResponseBodyBytes defines the maximum allowed response size from the service (in bytes). - If the response exceeds the allowed size, it is not forwarded to the client. The client gets a 500 (Internal Server Error) response instead. - Default: 0 (no maximum). - format: int64 - type: integer - memRequestBodyBytes: - description: |- - MemRequestBodyBytes defines the threshold (in bytes) from which the request will be buffered on disk instead of in memory. - Default: 1048576 (1Mi). - format: int64 - type: integer - memResponseBodyBytes: - description: |- - MemResponseBodyBytes defines the threshold (in bytes) from which the response will be buffered on disk instead of in memory. - Default: 1048576 (1Mi). - format: int64 - type: integer - retryExpression: - description: |- - RetryExpression defines the retry conditions. - It is a logical combination of functions with operators AND (&&) and OR (||). - More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/buffering/#retryexpression - type: string - type: object - chain: - description: |- - Chain holds the configuration of the chain middleware. - This middleware enables to define reusable combinations of other pieces of middleware. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/chain/ - properties: - middlewares: - description: Middlewares is the list of MiddlewareRef which composes - the chain. - items: - description: MiddlewareRef is a reference to a Middleware resource. - properties: - name: - description: Name defines the name of the referenced Middleware - resource. - type: string - namespace: - description: Namespace defines the namespace of the referenced - Middleware resource. 
- type: string - required: - - name - type: object - type: array - type: object - circuitBreaker: - description: CircuitBreaker holds the circuit breaker configuration. - properties: - checkPeriod: - anyOf: - - type: integer - - type: string - description: CheckPeriod is the interval between successive checks - of the circuit breaker condition (when in standby state). - pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$ - x-kubernetes-int-or-string: true - expression: - description: Expression is the condition that triggers the tripped - state. - type: string - fallbackDuration: - anyOf: - - type: integer - - type: string - description: FallbackDuration is the duration for which the circuit - breaker will wait before trying to recover (from a tripped state). - x-kubernetes-int-or-string: true - recoveryDuration: - anyOf: - - type: integer - - type: string - description: RecoveryDuration is the duration for which the circuit - breaker will try to recover (as soon as it is in recovering - state). - pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$ - x-kubernetes-int-or-string: true - responseCode: - description: ResponseCode is the status code that the circuit - breaker will return while it is in the open state. - maximum: 599 - minimum: 100 - type: integer - type: object - compress: - description: |- - Compress holds the compress middleware configuration. - This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/compress/ - properties: - defaultEncoding: - description: DefaultEncoding specifies the default encoding if - the `Accept-Encoding` header is not in the request or contains - a wildcard (`*`). - type: string - encodings: - description: Encodings defines the list of supported compression - algorithms. 
- items: - type: string - type: array - excludedContentTypes: - description: |- - ExcludedContentTypes defines the list of content types to compare the Content-Type header of the incoming requests and responses before compressing. - `application/grpc` is always excluded. - items: - type: string - type: array - includedContentTypes: - description: IncludedContentTypes defines the list of content - types to compare the Content-Type header of the responses before - compressing. - items: - type: string - type: array - minResponseBodyBytes: - description: |- - MinResponseBodyBytes defines the minimum amount of bytes a response body must have to be compressed. - Default: 1024. - minimum: 0 - type: integer - type: object - contentType: - description: |- - ContentType holds the content-type middleware configuration. - This middleware exists to enable the correct behavior until at least the default one can be changed in a future version. - properties: - autoDetect: - description: |- - AutoDetect specifies whether to let the `Content-Type` header, if it has not been set by the backend, - be automatically set to a value derived from the contents of the response. - Deprecated: AutoDetect option is deprecated, Content-Type middleware is only meant to be used to enable the content-type detection, please remove any usage of this option. - type: boolean - type: object - digestAuth: - description: |- - DigestAuth holds the digest auth middleware configuration. - This middleware restricts access to your services to known users. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/digestauth/ - properties: - headerField: - description: |- - HeaderField defines a header field to store the authenticated user. 
- More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/digestauth/#headerfield - type: string - realm: - description: |- - Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme. - Default: traefik. - type: string - removeHeader: - description: RemoveHeader defines whether to remove the authorization - header before forwarding the request to the backend. - type: boolean - secret: - description: Secret is the name of the referenced Kubernetes Secret - containing user credentials. - type: string - type: object - errors: - description: |- - ErrorPage holds the custom error middleware configuration. - This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/errorpages/ - properties: - query: - description: |- - Query defines the URL for the error page (hosted by service). - The {status} variable can be used in order to insert the status code in the URL. - The {originalStatus} variable can be used in order to insert the upstream status code in the URL. - The {url} variable can be used in order to insert the escaped request URL. - type: string - service: - description: |- - Service defines the reference to a Kubernetes Service that will serve the error page. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/errorpages/#service - properties: - healthCheck: - description: Healthcheck defines health checks for ExternalName - services. - properties: - followRedirects: - description: |- - FollowRedirects defines whether redirects should be followed during the health check calls. - Default: true - type: boolean - headers: - additionalProperties: - type: string - description: Headers defines custom headers to be sent - to the health check endpoint. 
- type: object - hostname: - description: Hostname defines the value of hostname in - the Host header of the health check request. - type: string - interval: - anyOf: - - type: integer - - type: string - description: |- - Interval defines the frequency of the health check calls for healthy targets. - Default: 30s - x-kubernetes-int-or-string: true - method: - description: Method defines the healthcheck method. - type: string - mode: - description: |- - Mode defines the health check mode. - If defined to grpc, will use the gRPC health check protocol to probe the server. - Default: http - type: string - path: - description: Path defines the server URL path for the - health check endpoint. - type: string - port: - description: Port defines the server URL port for the - health check endpoint. - type: integer - scheme: - description: Scheme replaces the server URL scheme for - the health check endpoint. - type: string - status: - description: Status defines the expected HTTP status code - of the response to the health check request. - type: integer - timeout: - anyOf: - - type: integer - - type: string - description: |- - Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. - Default: 5s - x-kubernetes-int-or-string: true - unhealthyInterval: - anyOf: - - type: integer - - type: string - description: |- - UnhealthyInterval defines the frequency of the health check calls for unhealthy targets. - When UnhealthyInterval is not defined, it defaults to the Interval value. - Default: 30s - x-kubernetes-int-or-string: true - type: object - kind: - description: Kind defines the kind of the Service. - enum: - - Service - - TraefikService - type: string - name: - description: |- - Name defines the name of the referenced Kubernetes Service or TraefikService. - The differentiation between the two is specified in the Kind field. 
- type: string - namespace: - description: Namespace defines the namespace of the referenced - Kubernetes Service or TraefikService. - type: string - nativeLB: - description: |- - NativeLB controls, when creating the load-balancer, - whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. - The Kubernetes Service itself does load-balance to the pods. - By default, NativeLB is false. - type: boolean - nodePortLB: - description: |- - NodePortLB controls, when creating the load-balancer, - whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. - It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. - By default, NodePortLB is false. - type: boolean - passHostHeader: - description: |- - PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. - By default, passHostHeader is true. - type: boolean - passiveHealthCheck: - description: PassiveHealthCheck defines passive health checks - for ExternalName services. - properties: - failureWindow: - anyOf: - - type: integer - - type: string - description: FailureWindow defines the time window during - which the failed attempts must occur for the server - to be marked as unhealthy. It also defines for how long - the server will be considered unhealthy. - x-kubernetes-int-or-string: true - maxFailedAttempts: - description: MaxFailedAttempts is the number of consecutive - failed attempts allowed within the failure window before - marking the server as unhealthy. - type: integer - type: object - port: - anyOf: - - type: integer - - type: string - description: |- - Port defines the port of a Kubernetes Service. - This can be a reference to a named port. 
- x-kubernetes-int-or-string: true - responseForwarding: - description: ResponseForwarding defines how Traefik forwards - the response from the upstream Kubernetes Service to the - client. - properties: - flushInterval: - description: |- - FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. - A negative value means to flush immediately after each write to the client. - This configuration is ignored when ReverseProxy recognizes a response as a streaming response; - for such responses, writes are flushed to the client immediately. - Default: 100ms - type: string - type: object - scheme: - description: |- - Scheme defines the scheme to use for the request to the upstream Kubernetes Service. - It defaults to https when Kubernetes Service port is 443, http otherwise. - type: string - serversTransport: - description: |- - ServersTransport defines the name of ServersTransport resource to use. - It allows to configure the transport between Traefik and your servers. - Can only be used on a Kubernetes Service. - type: string - sticky: - description: |- - Sticky defines the sticky sessions configuration. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions - properties: - cookie: - description: Cookie defines the sticky cookie configuration. - properties: - domain: - description: |- - Domain defines the host to which the cookie will be sent. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value - type: string - httpOnly: - description: HTTPOnly defines whether the cookie can - be accessed by client-side APIs, such as JavaScript. - type: boolean - maxAge: - description: |- - MaxAge defines the number of seconds until the cookie expires. - When set to a negative number, the cookie expires immediately. - When set to zero, the cookie never expires. 
- type: integer - name: - description: Name defines the Cookie name. - type: string - path: - description: |- - Path defines the path that must exist in the requested URL for the browser to send the Cookie header. - When not provided the cookie will be sent on every request to the domain. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value - type: string - sameSite: - description: |- - SameSite defines the same site policy. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite - enum: - - none - - lax - - strict - type: string - secure: - description: Secure defines whether the cookie can - only be transmitted over an encrypted connection - (i.e. HTTPS). - type: boolean - type: object - type: object - strategy: - description: |- - Strategy defines the load balancing strategy between the servers. - Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time). - RoundRobin value is deprecated and supported for backward compatibility. - enum: - - wrr - - p2c - - hrw - - leasttime - - RoundRobin - type: string - weight: - description: |- - Weight defines the weight and should only be specified when Name references a TraefikService object - (and to be precise, one that embeds a Weighted Round Robin). - minimum: 0 - type: integer - required: - - name - type: object - status: - description: |- - Status defines which status or range of statuses should result in an error page. - It can be either a status code as a number (500), - as multiple comma-separated numbers (500,502), - as ranges by separating two codes with a dash (500-599), - or a combination of the two (404,418,500-599). 
- items: - pattern: ^([1-5][0-9]{2}[,-]?)+$ - type: string - type: array - statusRewrites: - additionalProperties: - type: integer - description: |- - StatusRewrites defines a mapping of status codes that should be returned instead of the original error status codes. - For example: "418": 404 or "410-418": 404 - type: object - type: object - forwardAuth: - description: |- - ForwardAuth holds the forward auth middleware configuration. - This middleware delegates the request authentication to a Service. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/forwardauth/ - properties: - addAuthCookiesToResponse: - description: AddAuthCookiesToResponse defines the list of cookies - to copy from the authentication server response to the response. - items: - type: string - type: array - address: - description: Address defines the authentication server address. - type: string - authRequestHeaders: - description: |- - AuthRequestHeaders defines the list of the headers to copy from the request to the authentication server. - If not set or empty then all request headers are passed. - items: - type: string - type: array - authResponseHeaders: - description: AuthResponseHeaders defines the list of headers to - copy from the authentication server response and set on forwarded - request, replacing any existing conflicting headers. - items: - type: string - type: array - authResponseHeadersRegex: - description: |- - AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/forwardauth/#authresponseheadersregex - type: string - forwardBody: - description: ForwardBody defines whether to send the request body - to the authentication server. 
- type: boolean - headerField: - description: |- - HeaderField defines a header field to store the authenticated user. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/forwardauth/#headerfield - type: string - maxBodySize: - description: MaxBodySize defines the maximum body size in bytes - allowed to be forwarded to the authentication server. - format: int64 - type: integer - preserveLocationHeader: - description: PreserveLocationHeader defines whether to forward - the Location header to the client as is or prefix it with the - domain name of the authentication server. - type: boolean - preserveRequestMethod: - description: PreserveRequestMethod defines whether to preserve - the original request method while forwarding the request to - the authentication server. - type: boolean - tls: - description: TLS defines the configuration used to secure the - connection to the authentication server. - properties: - caOptional: - description: 'Deprecated: TLS client authentication is a server - side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634).' - type: boolean - caSecret: - description: |- - CASecret is the name of the referenced Kubernetes Secret containing the CA to validate the server certificate. - The CA certificate is extracted from key `tls.ca` or `ca.crt`. - type: string - certSecret: - description: |- - CertSecret is the name of the referenced Kubernetes Secret containing the client certificate. - The client certificate is extracted from the keys `tls.crt` and `tls.key`. - type: string - insecureSkipVerify: - description: InsecureSkipVerify defines whether the server - certificates should be validated. - type: boolean - type: object - trustForwardHeader: - description: 'TrustForwardHeader defines whether to trust (ie: - forward) all X-Forwarded-* headers.' 
- type: boolean - type: object - grpcWeb: - description: |- - GrpcWeb holds the gRPC web middleware configuration. - This middleware converts a gRPC web request to an HTTP/2 gRPC request. - properties: - allowOrigins: - description: |- - AllowOrigins is a list of allowable origins. - Can also be a wildcard origin "*". - items: - type: string - type: array - type: object - headers: - description: |- - Headers holds the headers middleware configuration. - This middleware manages the requests and responses headers. - More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/headers/#customrequestheaders - properties: - accessControlAllowCredentials: - description: AccessControlAllowCredentials defines whether the - request can include user credentials. - type: boolean - accessControlAllowHeaders: - description: AccessControlAllowHeaders defines the Access-Control-Request-Headers - values sent in preflight response. - items: - type: string - type: array - accessControlAllowMethods: - description: AccessControlAllowMethods defines the Access-Control-Request-Method - values sent in preflight response. - items: - type: string - type: array - accessControlAllowOriginList: - description: AccessControlAllowOriginList is a list of allowable - origins. Can also be a wildcard origin "*". - items: - type: string - type: array - accessControlAllowOriginListRegex: - description: AccessControlAllowOriginListRegex is a list of allowable - origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/). - items: - type: string - type: array - accessControlExposeHeaders: - description: AccessControlExposeHeaders defines the Access-Control-Expose-Headers - values sent in preflight response. - items: - type: string - type: array - accessControlMaxAge: - description: AccessControlMaxAge defines the time that a preflight - request may be cached. 
- format: int64 - type: integer - addVaryHeader: - description: AddVaryHeader defines whether the Vary header is - automatically added/updated when the AccessControlAllowOriginList - is set. - type: boolean - allowedHosts: - description: AllowedHosts defines the fully qualified list of - allowed domain names. - items: - type: string - type: array - browserXssFilter: - description: BrowserXSSFilter defines whether to add the X-XSS-Protection - header with the value 1; mode=block. - type: boolean - contentSecurityPolicy: - description: ContentSecurityPolicy defines the Content-Security-Policy - header value. - type: string - contentSecurityPolicyReportOnly: - description: ContentSecurityPolicyReportOnly defines the Content-Security-Policy-Report-Only - header value. - type: string - contentTypeNosniff: - description: ContentTypeNosniff defines whether to add the X-Content-Type-Options - header with the nosniff value. - type: boolean - customBrowserXSSValue: - description: |- - CustomBrowserXSSValue defines the X-XSS-Protection header value. - This overrides the BrowserXssFilter option. - type: string - customFrameOptionsValue: - description: |- - CustomFrameOptionsValue defines the X-Frame-Options header value. - This overrides the FrameDeny option. - type: string - customRequestHeaders: - additionalProperties: - type: string - description: CustomRequestHeaders defines the header names and - values to apply to the request. - type: object - customResponseHeaders: - additionalProperties: - type: string - description: CustomResponseHeaders defines the header names and - values to apply to the response. - type: object - featurePolicy: - description: 'Deprecated: FeaturePolicy option is deprecated, - please use PermissionsPolicy instead.' - type: string - forceSTSHeader: - description: ForceSTSHeader defines whether to add the STS header - even when the connection is HTTP. 
- type: boolean - frameDeny: - description: FrameDeny defines whether to add the X-Frame-Options - header with the DENY value. - type: boolean - hostsProxyHeaders: - description: HostsProxyHeaders defines the header keys that may - hold a proxied hostname value for the request. - items: - type: string - type: array - isDevelopment: - description: |- - IsDevelopment defines whether to mitigate the unwanted effects of the AllowedHosts, SSL, and STS options when developing. - Usually testing takes place using HTTP, not HTTPS, and on localhost, not your production domain. - If you would like your development environment to mimic production with complete Host blocking, SSL redirects, - and STS headers, leave this as false. - type: boolean - permissionsPolicy: - description: |- - PermissionsPolicy defines the Permissions-Policy header value. - This allows sites to control browser features. - type: string - publicKey: - description: PublicKey is the public key that implements HPKP - to prevent MITM attacks with forged certificates. - type: string - referrerPolicy: - description: |- - ReferrerPolicy defines the Referrer-Policy header value. - This allows sites to control whether browsers forward the Referer header to other sites. - type: string - sslForceHost: - description: 'Deprecated: SSLForceHost option is deprecated, please - use RedirectRegex instead.' - type: boolean - sslHost: - description: 'Deprecated: SSLHost option is deprecated, please - use RedirectRegex instead.' - type: string - sslProxyHeaders: - additionalProperties: - type: string - description: |- - SSLProxyHeaders defines the header keys with associated values that would indicate a valid HTTPS request. - It can be useful when using other proxies (example: "X-Forwarded-Proto": "https"). - type: object - sslRedirect: - description: 'Deprecated: SSLRedirect option is deprecated, please - use EntryPoint redirection or RedirectScheme instead.' 
- type: boolean - sslTemporaryRedirect: - description: 'Deprecated: SSLTemporaryRedirect option is deprecated, - please use EntryPoint redirection or RedirectScheme instead.' - type: boolean - stsIncludeSubdomains: - description: STSIncludeSubdomains defines whether the includeSubDomains - directive is appended to the Strict-Transport-Security header. - type: boolean - stsPreload: - description: STSPreload defines whether the preload flag is appended - to the Strict-Transport-Security header. - type: boolean - stsSeconds: - description: |- - STSSeconds defines the max-age of the Strict-Transport-Security header. - If set to 0, the header is not set. - format: int64 - minimum: 0 - type: integer - type: object - inFlightReq: - description: |- - InFlightReq holds the in-flight request middleware configuration. - This middleware limits the number of requests being processed and served concurrently. - More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/inflightreq/ - properties: - amount: - description: |- - Amount defines the maximum amount of allowed simultaneous in-flight request. - The middleware responds with HTTP 429 Too Many Requests if there are already amount requests in progress (based on the same sourceCriterion strategy). - format: int64 - minimum: 0 - type: integer - sourceCriterion: - description: |- - SourceCriterion defines what criterion is used to group requests as originating from a common source. - If several strategies are defined at the same time, an error will be raised. - If none are set, the default is to use the requestHost. - More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/inflightreq/#sourcecriterion - properties: - ipStrategy: - description: |- - IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP. 
- More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/#ipstrategy - properties: - depth: - description: Depth tells Traefik to use the X-Forwarded-For - header and take the IP located at the depth position - (starting from the right). - minimum: 0 - type: integer - excludedIPs: - description: ExcludedIPs configures Traefik to scan the - X-Forwarded-For header and select the first IP not in - the list. - items: - type: string - type: array - ipv6Subnet: - description: IPv6Subnet configures Traefik to consider - all IPv6 addresses from the defined subnet as originating - from the same IP. Applies to RemoteAddrStrategy and - DepthStrategy. - type: integer - type: object - requestHeaderName: - description: RequestHeaderName defines the name of the header - used to group incoming requests. - type: string - requestHost: - description: RequestHost defines whether to consider the request - Host as the source. - type: boolean - type: object - type: object - ipAllowList: - description: |- - IPAllowList holds the IP allowlist middleware configuration. - This middleware limits allowed requests based on the client IP. - More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/ - properties: - ipStrategy: - description: |- - IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP. - More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/#ipstrategy - properties: - depth: - description: Depth tells Traefik to use the X-Forwarded-For - header and take the IP located at the depth position (starting - from the right). - minimum: 0 - type: integer - excludedIPs: - description: ExcludedIPs configures Traefik to scan the X-Forwarded-For - header and select the first IP not in the list. - items: - type: string - type: array - ipv6Subnet: - description: IPv6Subnet configures Traefik to consider all - IPv6 addresses from the defined subnet as originating from - the same IP. 
Applies to RemoteAddrStrategy and DepthStrategy. - type: integer - type: object - rejectStatusCode: - description: |- - RejectStatusCode defines the HTTP status code used for refused requests. - If not set, the default is 403 (Forbidden). - type: integer - sourceRange: - description: SourceRange defines the set of allowed IPs (or ranges - of allowed IPs by using CIDR notation). - items: - type: string - type: array - type: object - ipWhiteList: - description: 'Deprecated: please use IPAllowList instead.' - properties: - ipStrategy: - description: |- - IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP. - More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/#ipstrategy - properties: - depth: - description: Depth tells Traefik to use the X-Forwarded-For - header and take the IP located at the depth position (starting - from the right). - minimum: 0 - type: integer - excludedIPs: - description: ExcludedIPs configures Traefik to scan the X-Forwarded-For - header and select the first IP not in the list. - items: - type: string - type: array - ipv6Subnet: - description: IPv6Subnet configures Traefik to consider all - IPv6 addresses from the defined subnet as originating from - the same IP. Applies to RemoteAddrStrategy and DepthStrategy. - type: integer - type: object - sourceRange: - description: SourceRange defines the set of allowed IPs (or ranges - of allowed IPs by using CIDR notation). Required. - items: - type: string - type: array - type: object - passTLSClientCert: - description: |- - PassTLSClientCert holds the pass TLS client cert middleware configuration. - This middleware adds the selected data from the passed client TLS certificate to a header. - More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/passtlsclientcert/ - properties: - info: - description: Info selects the specific client certificate details - you want to add to the X-Forwarded-Tls-Client-Cert-Info header. 
- properties: - issuer: - description: Issuer defines the client certificate issuer - details to add to the X-Forwarded-Tls-Client-Cert-Info header. - properties: - commonName: - description: CommonName defines whether to add the organizationalUnit - information into the issuer. - type: boolean - country: - description: Country defines whether to add the country - information into the issuer. - type: boolean - domainComponent: - description: DomainComponent defines whether to add the - domainComponent information into the issuer. - type: boolean - locality: - description: Locality defines whether to add the locality - information into the issuer. - type: boolean - organization: - description: Organization defines whether to add the organization - information into the issuer. - type: boolean - province: - description: Province defines whether to add the province - information into the issuer. - type: boolean - serialNumber: - description: SerialNumber defines whether to add the serialNumber - information into the issuer. - type: boolean - type: object - notAfter: - description: NotAfter defines whether to add the Not After - information from the Validity part. - type: boolean - notBefore: - description: NotBefore defines whether to add the Not Before - information from the Validity part. - type: boolean - sans: - description: Sans defines whether to add the Subject Alternative - Name information from the Subject Alternative Name part. - type: boolean - serialNumber: - description: SerialNumber defines whether to add the client - serialNumber information. - type: boolean - subject: - description: Subject defines the client certificate subject - details to add to the X-Forwarded-Tls-Client-Cert-Info header. - properties: - commonName: - description: CommonName defines whether to add the organizationalUnit - information into the subject. - type: boolean - country: - description: Country defines whether to add the country - information into the subject. 
- type: boolean - domainComponent: - description: DomainComponent defines whether to add the - domainComponent information into the subject. - type: boolean - locality: - description: Locality defines whether to add the locality - information into the subject. - type: boolean - organization: - description: Organization defines whether to add the organization - information into the subject. - type: boolean - organizationalUnit: - description: OrganizationalUnit defines whether to add - the organizationalUnit information into the subject. - type: boolean - province: - description: Province defines whether to add the province - information into the subject. - type: boolean - serialNumber: - description: SerialNumber defines whether to add the serialNumber - information into the subject. - type: boolean - type: object - type: object - pem: - description: PEM sets the X-Forwarded-Tls-Client-Cert header with - the certificate. - type: boolean - type: object - plugin: - additionalProperties: - x-kubernetes-preserve-unknown-fields: true - description: |- - Plugin defines the middleware plugin configuration. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/overview/#community-middlewares - type: object - rateLimit: - description: |- - RateLimit holds the rate limit configuration. - This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/ratelimit/ - properties: - average: - description: |- - Average is the maximum rate, by default in requests/s, allowed for the given source. - It defaults to 0, which means no rate limiting. - The rate is actually defined by dividing Average by Period. So for a rate below 1req/s, - one needs to define a Period larger than a second. 
- format: int64 - minimum: 0 - type: integer - burst: - description: |- - Burst is the maximum number of requests allowed to arrive in the same arbitrarily small period of time. - It defaults to 1. - format: int64 - minimum: 0 - type: integer - period: - anyOf: - - type: integer - - type: string - description: |- - Period, in combination with Average, defines the actual maximum rate, such as: - r = Average / Period. It defaults to a second. - x-kubernetes-int-or-string: true - redis: - description: Redis hold the configs of Redis as bucket in rate - limiter. - properties: - db: - description: DB defines the Redis database that will be selected - after connecting to the server. - type: integer - dialTimeout: - anyOf: - - type: integer - - type: string - description: |- - DialTimeout sets the timeout for establishing new connections. - Default value is 5 seconds. - pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$ - x-kubernetes-int-or-string: true - endpoints: - description: |- - Endpoints contains either a single address or a seed list of host:port addresses. - Default value is ["localhost:6379"]. - items: - type: string - type: array - maxActiveConns: - description: |- - MaxActiveConns defines the maximum number of connections allocated by the pool at a given time. - Default value is 0, meaning there is no limit. - type: integer - minIdleConns: - description: |- - MinIdleConns defines the minimum number of idle connections. - Default value is 0, and idle connections are not closed by default. - type: integer - poolSize: - description: |- - PoolSize defines the initial number of socket connections. - If the pool runs out of available connections, additional ones will be created beyond PoolSize. - This can be limited using MaxActiveConns. - // Default value is 0, meaning 10 connections per every available CPU as reported by runtime.GOMAXPROCS. 
- type: integer - readTimeout: - anyOf: - - type: integer - - type: string - description: |- - ReadTimeout defines the timeout for socket read operations. - Default value is 3 seconds. - pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$ - x-kubernetes-int-or-string: true - secret: - description: Secret defines the name of the referenced Kubernetes - Secret containing Redis credentials. - type: string - tls: - description: |- - TLS defines TLS-specific configurations, including the CA, certificate, and key, - which can be provided as a file path or file content. - properties: - caSecret: - description: |- - CASecret is the name of the referenced Kubernetes Secret containing the CA to validate the server certificate. - The CA certificate is extracted from key `tls.ca` or `ca.crt`. - type: string - certSecret: - description: |- - CertSecret is the name of the referenced Kubernetes Secret containing the client certificate. - The client certificate is extracted from the keys `tls.crt` and `tls.key`. - type: string - insecureSkipVerify: - description: InsecureSkipVerify defines whether the server - certificates should be validated. - type: boolean - type: object - writeTimeout: - anyOf: - - type: integer - - type: string - description: |- - WriteTimeout defines the timeout for socket write operations. - Default value is 3 seconds. - pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$ - x-kubernetes-int-or-string: true - type: object - sourceCriterion: - description: |- - SourceCriterion defines what criterion is used to group requests as originating from a common source. - If several strategies are defined at the same time, an error will be raised. - If none are set, the default is to use the request's remote address field (as an ipStrategy). - properties: - ipStrategy: - description: |- - IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP. 
- More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/#ipstrategy - properties: - depth: - description: Depth tells Traefik to use the X-Forwarded-For - header and take the IP located at the depth position - (starting from the right). - minimum: 0 - type: integer - excludedIPs: - description: ExcludedIPs configures Traefik to scan the - X-Forwarded-For header and select the first IP not in - the list. - items: - type: string - type: array - ipv6Subnet: - description: IPv6Subnet configures Traefik to consider - all IPv6 addresses from the defined subnet as originating - from the same IP. Applies to RemoteAddrStrategy and - DepthStrategy. - type: integer - type: object - requestHeaderName: - description: RequestHeaderName defines the name of the header - used to group incoming requests. - type: string - requestHost: - description: RequestHost defines whether to consider the request - Host as the source. - type: boolean - type: object - type: object - redirectRegex: - description: |- - RedirectRegex holds the redirect regex middleware configuration. - This middleware redirects a request using regex matching and replacement. - More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/redirectregex/#regex - properties: - permanent: - description: Permanent defines whether the redirection is permanent - (308). - type: boolean - regex: - description: Regex defines the regex used to match and capture - elements from the request URL. - type: string - replacement: - description: Replacement defines how to modify the URL to have - the new target URL. - type: string - type: object - redirectScheme: - description: |- - RedirectScheme holds the redirect scheme middleware configuration. - This middleware redirects requests from a scheme/port to another. - More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/redirectscheme/ - properties: - permanent: - description: Permanent defines whether the redirection is permanent - (308). 
- type: boolean - port: - description: Port defines the port of the new URL. - type: string - scheme: - description: Scheme defines the scheme of the new URL. - type: string - type: object - replacePath: - description: |- - ReplacePath holds the replace path middleware configuration. - This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header. - More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/replacepath/ - properties: - path: - description: Path defines the path to use as replacement in the - request URL. - type: string - type: object - replacePathRegex: - description: |- - ReplacePathRegex holds the replace path regex middleware configuration. - This middleware replaces the path of a URL using regex matching and replacement. - More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/replacepathregex/ - properties: - regex: - description: Regex defines the regular expression used to match - and capture the path from the request URL. - type: string - replacement: - description: Replacement defines the replacement path format, - which can include captured variables. - type: string - type: object - retry: - description: |- - Retry holds the retry middleware configuration. - This middleware reissues requests a given number of times to a backend server if that server does not reply. - As soon as the server answers, the middleware stops retrying, regardless of the response status. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/retry/ - properties: - attempts: - description: Attempts defines how many times the request should - be retried. - minimum: 0 - type: integer - initialInterval: - anyOf: - - type: integer - - type: string - description: |- - InitialInterval defines the first wait time in the exponential backoff series. - The maximum interval is calculated as twice the initialInterval. - If unspecified, requests will be retried immediately. 
- The value of initialInterval should be provided in seconds or as a valid duration format, - see https://pkg.go.dev/time#ParseDuration. - pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$ - x-kubernetes-int-or-string: true - type: object - stripPrefix: - description: |- - StripPrefix holds the strip prefix middleware configuration. - This middleware removes the specified prefixes from the URL path. - More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/stripprefix/ - properties: - forceSlash: - description: |- - Deprecated: ForceSlash option is deprecated, please remove any usage of this option. - ForceSlash ensures that the resulting stripped path is not the empty string, by replacing it with / when necessary. - Default: true. - type: boolean - prefixes: - description: Prefixes defines the prefixes to strip from the request - URL. - items: - type: string - type: array - type: object - stripPrefixRegex: - description: |- - StripPrefixRegex holds the strip prefix regex middleware configuration. - This middleware removes the matching prefixes from the URL path. - More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/stripprefixregex/ - properties: - regex: - description: Regex defines the regular expression to match the - path prefix from the request URL. 
- items: - type: string - type: array - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true ---- -# Source: traefik/charts/traefik/crds/traefik.io_middlewaretcps.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.1 - name: middlewaretcps.traefik.io -spec: - group: traefik.io - names: - kind: MiddlewareTCP - listKind: MiddlewareTCPList - plural: middlewaretcps - singular: middlewaretcp - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - MiddlewareTCP is the CRD implementation of a Traefik TCP middleware. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/overview/ - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP. - properties: - inFlightConn: - description: InFlightConn defines the InFlightConn middleware configuration. - properties: - amount: - description: |- - Amount defines the maximum amount of allowed simultaneous connections. - The middleware closes the connection if there are already amount connections opened. 
- format: int64 - minimum: 0 - type: integer - type: object - ipAllowList: - description: |- - IPAllowList defines the IPAllowList middleware configuration. - This middleware accepts/refuses connections based on the client IP. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/ipallowlist/ - properties: - sourceRange: - description: SourceRange defines the allowed IPs (or ranges of - allowed IPs by using CIDR notation). - items: - type: string - type: array - type: object - ipWhiteList: - description: |- - IPWhiteList defines the IPWhiteList middleware configuration. - This middleware accepts/refuses connections based on the client IP. - Deprecated: please use IPAllowList instead. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/ipwhitelist/ - properties: - sourceRange: - description: SourceRange defines the allowed IPs (or ranges of - allowed IPs by using CIDR notation). - items: - type: string - type: array - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true ---- -# Source: traefik/charts/traefik/crds/traefik.io_serverstransports.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.1 - name: serverstransports.traefik.io -spec: - group: traefik.io - names: - kind: ServersTransport - listKind: ServersTransportList - plural: serverstransports - singular: serverstransport - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ServersTransport is the CRD implementation of a ServersTransport. - If no serversTransport is specified, the default@internal will be used. - The default@internal serversTransport is created from the static configuration. 
- More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/serverstransport/ - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ServersTransportSpec defines the desired state of a ServersTransport. - properties: - certificatesSecrets: - description: CertificatesSecrets defines a list of secret storing - client certificates for mTLS. - items: - type: string - type: array - disableHTTP2: - description: DisableHTTP2 disables HTTP/2 for connections with backend - servers. - type: boolean - forwardingTimeouts: - description: ForwardingTimeouts defines the timeouts for requests - forwarded to the backend servers. - properties: - dialTimeout: - anyOf: - - type: integer - - type: string - description: DialTimeout is the amount of time to wait until a - connection to a backend server can be established. - pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$ - x-kubernetes-int-or-string: true - idleConnTimeout: - anyOf: - - type: integer - - type: string - description: IdleConnTimeout is the maximum period for which an - idle HTTP keep-alive connection will remain open before closing - itself. 
- pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$ - x-kubernetes-int-or-string: true - pingTimeout: - anyOf: - - type: integer - - type: string - description: PingTimeout is the timeout after which the HTTP/2 - connection will be closed if a response to ping is not received. - pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$ - x-kubernetes-int-or-string: true - readIdleTimeout: - anyOf: - - type: integer - - type: string - description: ReadIdleTimeout is the timeout after which a health - check using ping frame will be carried out if no frame is received - on the HTTP/2 connection. - pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$ - x-kubernetes-int-or-string: true - responseHeaderTimeout: - anyOf: - - type: integer - - type: string - description: ResponseHeaderTimeout is the amount of time to wait - for a server's response headers after fully writing the request - (including its body, if any). - pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$ - x-kubernetes-int-or-string: true - type: object - insecureSkipVerify: - description: InsecureSkipVerify disables SSL certificate verification. - type: boolean - maxIdleConnsPerHost: - description: MaxIdleConnsPerHost controls the maximum idle (keep-alive) - to keep per-host. - minimum: -1 - type: integer - peerCertURI: - description: PeerCertURI defines the peer cert URI used to match against - SAN URI during the peer certificate verification. - type: string - rootCAs: - description: RootCAs defines a list of CA certificate Secrets or ConfigMaps - used to validate server certificates. - items: - description: |- - RootCA defines a reference to a Secret or a ConfigMap that holds a CA certificate. - If both a Secret and a ConfigMap reference are defined, the Secret reference takes precedence. - properties: - configMap: - description: |- - ConfigMap defines the name of a ConfigMap that holds a CA certificate. - The referenced ConfigMap must contain a certificate under either a tls.ca or a ca.crt key. 
- type: string - secret: - description: |- - Secret defines the name of a Secret that holds a CA certificate. - The referenced Secret must contain a certificate under either a tls.ca or a ca.crt key. - type: string - type: object - x-kubernetes-validations: - - message: RootCA cannot have both Secret and ConfigMap defined. - rule: '!has(self.secret) || !has(self.configMap)' - type: array - rootCAsSecrets: - description: |- - RootCAsSecrets defines a list of CA secret used to validate self-signed certificate. - Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead. - items: - type: string - type: array - serverName: - description: ServerName defines the server name used to contact the - server. - type: string - spiffe: - description: Spiffe defines the SPIFFE configuration. - properties: - ids: - description: IDs defines the allowed SPIFFE IDs (takes precedence - over the SPIFFE TrustDomain). - items: - type: string - type: array - trustDomain: - description: TrustDomain defines the allowed SPIFFE trust domain. - type: string - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true ---- -# Source: traefik/charts/traefik/crds/traefik.io_serverstransporttcps.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.1 - name: serverstransporttcps.traefik.io -spec: - group: traefik.io - names: - kind: ServersTransportTCP - listKind: ServersTransportTCPList - plural: serverstransporttcps - singular: serverstransporttcp - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ServersTransportTCP is the CRD implementation of a TCPServersTransport. - If no tcpServersTransport is specified, a default one named default@internal will be used. - The default@internal tcpServersTransport can be configured in the static configuration. 
- More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/serverstransport/ - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ServersTransportTCPSpec defines the desired state of a ServersTransportTCP. - properties: - dialKeepAlive: - anyOf: - - type: integer - - type: string - description: DialKeepAlive is the interval between keep-alive probes - for an active network connection. If zero, keep-alive probes are - sent with a default value (currently 15 seconds), if supported by - the protocol and operating system. Network protocols or operating - systems that do not support keep-alives ignore this field. If negative, - keep-alive probes are disabled. - pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$ - x-kubernetes-int-or-string: true - dialTimeout: - anyOf: - - type: integer - - type: string - description: DialTimeout is the amount of time to wait until a connection - to a backend server can be established. - pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$ - x-kubernetes-int-or-string: true - proxyProtocol: - description: ProxyProtocol holds the PROXY Protocol configuration. - properties: - version: - description: Version defines the PROXY Protocol version to use. 
- maximum: 2 - minimum: 1 - type: integer - type: object - terminationDelay: - anyOf: - - type: integer - - type: string - description: TerminationDelay defines the delay to wait before fully - terminating the connection, after one connected peer has closed - its writing capability. - pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$ - x-kubernetes-int-or-string: true - tls: - description: TLS defines the TLS configuration - properties: - certificatesSecrets: - description: CertificatesSecrets defines a list of secret storing - client certificates for mTLS. - items: - type: string - type: array - insecureSkipVerify: - description: InsecureSkipVerify disables TLS certificate verification. - type: boolean - peerCertURI: - description: |- - MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host. - PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification. - type: string - rootCAs: - description: RootCAs defines a list of CA certificate Secrets - or ConfigMaps used to validate server certificates. - items: - description: |- - RootCA defines a reference to a Secret or a ConfigMap that holds a CA certificate. - If both a Secret and a ConfigMap reference are defined, the Secret reference takes precedence. - properties: - configMap: - description: |- - ConfigMap defines the name of a ConfigMap that holds a CA certificate. - The referenced ConfigMap must contain a certificate under either a tls.ca or a ca.crt key. - type: string - secret: - description: |- - Secret defines the name of a Secret that holds a CA certificate. - The referenced Secret must contain a certificate under either a tls.ca or a ca.crt key. - type: string - type: object - x-kubernetes-validations: - - message: RootCA cannot have both Secret and ConfigMap defined. 
- rule: '!has(self.secret) || !has(self.configMap)' - type: array - rootCAsSecrets: - description: |- - RootCAsSecrets defines a list of CA secret used to validate self-signed certificate. - Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead. - items: - type: string - type: array - serverName: - description: ServerName defines the server name used to contact - the server. - type: string - spiffe: - description: Spiffe defines the SPIFFE configuration. - properties: - ids: - description: IDs defines the allowed SPIFFE IDs (takes precedence - over the SPIFFE TrustDomain). - items: - type: string - type: array - trustDomain: - description: TrustDomain defines the allowed SPIFFE trust - domain. - type: string - type: object - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true ---- -# Source: traefik/charts/traefik/crds/traefik.io_tlsoptions.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.1 - name: tlsoptions.traefik.io -spec: - group: traefik.io - names: - kind: TLSOption - listKind: TLSOptionList - plural: tlsoptions - singular: tlsoption - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#tls-options - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: TLSOptionSpec defines the desired state of a TLSOption. - properties: - alpnProtocols: - description: |- - ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#alpn-protocols - items: - type: string - type: array - cipherSuites: - description: |- - CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#cipher-suites - items: - type: string - type: array - clientAuth: - description: ClientAuth defines the server's policy for TLS Client - Authentication. - properties: - clientAuthType: - description: ClientAuthType defines the client authentication - type to apply. - enum: - - NoClientCert - - RequestClientCert - - RequireAnyClientCert - - VerifyClientCertIfGiven - - RequireAndVerifyClientCert - type: string - secretNames: - description: SecretNames defines the names of the referenced Kubernetes - Secret storing certificate details. - items: - type: string - type: array - type: object - curvePreferences: - description: |- - CurvePreferences defines the preferred elliptic curves. 
- More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#curve-preferences - items: - type: string - type: array - disableSessionTickets: - description: DisableSessionTickets disables TLS session resumption - via session tickets. - type: boolean - maxVersion: - description: |- - MaxVersion defines the maximum TLS version that Traefik will accept. - Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - Default: None. - type: string - minVersion: - description: |- - MinVersion defines the minimum TLS version that Traefik will accept. - Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - Default: VersionTLS10. - type: string - preferServerCipherSuites: - description: |- - PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's. - It is enabled automatically when minVersion or maxVersion is set. - Deprecated: https://github.com/golang/go/issues/45430 - type: boolean - sniStrict: - description: SniStrict defines whether Traefik allows connections - from clients connections that do not specify a server_name extension. - type: boolean - type: object - required: - - metadata - - spec - type: object - served: true - storage: true ---- -# Source: traefik/charts/traefik/crds/traefik.io_tlsstores.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.1 - name: tlsstores.traefik.io -spec: - group: traefik.io - names: - kind: TLSStore - listKind: TLSStoreList - plural: tlsstores - singular: tlsstore - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - TLSStore is the CRD implementation of a Traefik TLS Store. - For the time being, only the TLSStore named default is supported. 
- This means that you cannot have two stores that are named default in different Kubernetes namespaces. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#certificates-stores - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: TLSStoreSpec defines the desired state of a TLSStore. - properties: - certificates: - description: Certificates is a list of secret names, each secret holding - a key/certificate pair to add to the store. - items: - description: Certificate holds a secret name for the TLSStore resource. - properties: - secretName: - description: SecretName is the name of the referenced Kubernetes - Secret to specify the certificate details. - type: string - required: - - secretName - type: object - type: array - defaultCertificate: - description: DefaultCertificate defines the default certificate configuration. - properties: - secretName: - description: SecretName is the name of the referenced Kubernetes - Secret to specify the certificate details. - type: string - required: - - secretName - type: object - defaultGeneratedCert: - description: DefaultGeneratedCert defines the default generated certificate - configuration. 
- properties: - domain: - description: Domain is the domain definition for the DefaultCertificate. - properties: - main: - description: Main defines the main domain name. - type: string - sans: - description: SANs defines the subject alternative domain names. - items: - type: string - type: array - type: object - resolver: - description: Resolver is the name of the resolver that will be - used to issue the DefaultCertificate. - type: string - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true ---- -# Source: traefik/charts/traefik/crds/traefik.io_traefikservices.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.1 - name: traefikservices.traefik.io -spec: - group: traefik.io - names: - kind: TraefikService - listKind: TraefikServiceList - plural: traefikservices - singular: traefikservice - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - TraefikService is the CRD implementation of a Traefik Service. - TraefikService object allows to: - - Apply weight to Services on load-balancing - - Mirror traffic on services - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/traefikservice/ - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: TraefikServiceSpec defines the desired state of a TraefikService. - properties: - highestRandomWeight: - description: HighestRandomWeight defines the highest random weight - service configuration. - properties: - services: - description: Services defines the list of Kubernetes Service and/or - TraefikService to load-balance, with weight. - items: - description: Service defines an upstream HTTP service to proxy - traffic to. - properties: - healthCheck: - description: Healthcheck defines health checks for ExternalName - services. - properties: - followRedirects: - description: |- - FollowRedirects defines whether redirects should be followed during the health check calls. - Default: true - type: boolean - headers: - additionalProperties: - type: string - description: Headers defines custom headers to be sent - to the health check endpoint. - type: object - hostname: - description: Hostname defines the value of hostname - in the Host header of the health check request. - type: string - interval: - anyOf: - - type: integer - - type: string - description: |- - Interval defines the frequency of the health check calls for healthy targets. - Default: 30s - x-kubernetes-int-or-string: true - method: - description: Method defines the healthcheck method. - type: string - mode: - description: |- - Mode defines the health check mode. - If defined to grpc, will use the gRPC health check protocol to probe the server. - Default: http - type: string - path: - description: Path defines the server URL path for the - health check endpoint. - type: string - port: - description: Port defines the server URL port for the - health check endpoint. - type: integer - scheme: - description: Scheme replaces the server URL scheme for - the health check endpoint. 
- type: string - status: - description: Status defines the expected HTTP status - code of the response to the health check request. - type: integer - timeout: - anyOf: - - type: integer - - type: string - description: |- - Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. - Default: 5s - x-kubernetes-int-or-string: true - unhealthyInterval: - anyOf: - - type: integer - - type: string - description: |- - UnhealthyInterval defines the frequency of the health check calls for unhealthy targets. - When UnhealthyInterval is not defined, it defaults to the Interval value. - Default: 30s - x-kubernetes-int-or-string: true - type: object - kind: - description: Kind defines the kind of the Service. - enum: - - Service - - TraefikService - type: string - name: - description: |- - Name defines the name of the referenced Kubernetes Service or TraefikService. - The differentiation between the two is specified in the Kind field. - type: string - namespace: - description: Namespace defines the namespace of the referenced - Kubernetes Service or TraefikService. - type: string - nativeLB: - description: |- - NativeLB controls, when creating the load-balancer, - whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. - The Kubernetes Service itself does load-balance to the pods. - By default, NativeLB is false. - type: boolean - nodePortLB: - description: |- - NodePortLB controls, when creating the load-balancer, - whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. - It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. - By default, NodePortLB is false. - type: boolean - passHostHeader: - description: |- - PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. 
- By default, passHostHeader is true. - type: boolean - passiveHealthCheck: - description: PassiveHealthCheck defines passive health checks - for ExternalName services. - properties: - failureWindow: - anyOf: - - type: integer - - type: string - description: FailureWindow defines the time window during - which the failed attempts must occur for the server - to be marked as unhealthy. It also defines for how - long the server will be considered unhealthy. - x-kubernetes-int-or-string: true - maxFailedAttempts: - description: MaxFailedAttempts is the number of consecutive - failed attempts allowed within the failure window - before marking the server as unhealthy. - type: integer - type: object - port: - anyOf: - - type: integer - - type: string - description: |- - Port defines the port of a Kubernetes Service. - This can be a reference to a named port. - x-kubernetes-int-or-string: true - responseForwarding: - description: ResponseForwarding defines how Traefik forwards - the response from the upstream Kubernetes Service to the - client. - properties: - flushInterval: - description: |- - FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. - A negative value means to flush immediately after each write to the client. - This configuration is ignored when ReverseProxy recognizes a response as a streaming response; - for such responses, writes are flushed to the client immediately. - Default: 100ms - type: string - type: object - scheme: - description: |- - Scheme defines the scheme to use for the request to the upstream Kubernetes Service. - It defaults to https when Kubernetes Service port is 443, http otherwise. - type: string - serversTransport: - description: |- - ServersTransport defines the name of ServersTransport resource to use. - It allows to configure the transport between Traefik and your servers. - Can only be used on a Kubernetes Service. 
- type: string - sticky: - description: |- - Sticky defines the sticky sessions configuration. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions - properties: - cookie: - description: Cookie defines the sticky cookie configuration. - properties: - domain: - description: |- - Domain defines the host to which the cookie will be sent. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value - type: string - httpOnly: - description: HTTPOnly defines whether the cookie - can be accessed by client-side APIs, such as JavaScript. - type: boolean - maxAge: - description: |- - MaxAge defines the number of seconds until the cookie expires. - When set to a negative number, the cookie expires immediately. - When set to zero, the cookie never expires. - type: integer - name: - description: Name defines the Cookie name. - type: string - path: - description: |- - Path defines the path that must exist in the requested URL for the browser to send the Cookie header. - When not provided the cookie will be sent on every request to the domain. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value - type: string - sameSite: - description: |- - SameSite defines the same site policy. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite - enum: - - none - - lax - - strict - type: string - secure: - description: Secure defines whether the cookie can - only be transmitted over an encrypted connection - (i.e. HTTPS). - type: boolean - type: object - type: object - strategy: - description: |- - Strategy defines the load balancing strategy between the servers. - Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time). - RoundRobin value is deprecated and supported for backward compatibility. 
- enum: - - wrr - - p2c - - hrw - - leasttime - - RoundRobin - type: string - weight: - description: |- - Weight defines the weight and should only be specified when Name references a TraefikService object - (and to be precise, one that embeds a Weighted Round Robin). - minimum: 0 - type: integer - required: - - name - type: object - type: array - type: object - mirroring: - description: Mirroring defines the Mirroring service configuration. - properties: - healthCheck: - description: Healthcheck defines health checks for ExternalName - services. - properties: - followRedirects: - description: |- - FollowRedirects defines whether redirects should be followed during the health check calls. - Default: true - type: boolean - headers: - additionalProperties: - type: string - description: Headers defines custom headers to be sent to - the health check endpoint. - type: object - hostname: - description: Hostname defines the value of hostname in the - Host header of the health check request. - type: string - interval: - anyOf: - - type: integer - - type: string - description: |- - Interval defines the frequency of the health check calls for healthy targets. - Default: 30s - x-kubernetes-int-or-string: true - method: - description: Method defines the healthcheck method. - type: string - mode: - description: |- - Mode defines the health check mode. - If defined to grpc, will use the gRPC health check protocol to probe the server. - Default: http - type: string - path: - description: Path defines the server URL path for the health - check endpoint. - type: string - port: - description: Port defines the server URL port for the health - check endpoint. - type: integer - scheme: - description: Scheme replaces the server URL scheme for the - health check endpoint. - type: string - status: - description: Status defines the expected HTTP status code - of the response to the health check request. 
- type: integer - timeout: - anyOf: - - type: integer - - type: string - description: |- - Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. - Default: 5s - x-kubernetes-int-or-string: true - unhealthyInterval: - anyOf: - - type: integer - - type: string - description: |- - UnhealthyInterval defines the frequency of the health check calls for unhealthy targets. - When UnhealthyInterval is not defined, it defaults to the Interval value. - Default: 30s - x-kubernetes-int-or-string: true - type: object - kind: - description: Kind defines the kind of the Service. - enum: - - Service - - TraefikService - type: string - maxBodySize: - description: |- - MaxBodySize defines the maximum size allowed for the body of the request. - If the body is larger, the request is not mirrored. - Default value is -1, which means unlimited size. - format: int64 - type: integer - mirrorBody: - description: |- - MirrorBody defines whether the body of the request should be mirrored. - Default value is true. - type: boolean - mirrors: - description: Mirrors defines the list of mirrors where Traefik - will duplicate the traffic. - items: - description: MirrorService holds the mirror configuration. - properties: - healthCheck: - description: Healthcheck defines health checks for ExternalName - services. - properties: - followRedirects: - description: |- - FollowRedirects defines whether redirects should be followed during the health check calls. - Default: true - type: boolean - headers: - additionalProperties: - type: string - description: Headers defines custom headers to be sent - to the health check endpoint. - type: object - hostname: - description: Hostname defines the value of hostname - in the Host header of the health check request. - type: string - interval: - anyOf: - - type: integer - - type: string - description: |- - Interval defines the frequency of the health check calls for healthy targets. 
- Default: 30s - x-kubernetes-int-or-string: true - method: - description: Method defines the healthcheck method. - type: string - mode: - description: |- - Mode defines the health check mode. - If defined to grpc, will use the gRPC health check protocol to probe the server. - Default: http - type: string - path: - description: Path defines the server URL path for the - health check endpoint. - type: string - port: - description: Port defines the server URL port for the - health check endpoint. - type: integer - scheme: - description: Scheme replaces the server URL scheme for - the health check endpoint. - type: string - status: - description: Status defines the expected HTTP status - code of the response to the health check request. - type: integer - timeout: - anyOf: - - type: integer - - type: string - description: |- - Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. - Default: 5s - x-kubernetes-int-or-string: true - unhealthyInterval: - anyOf: - - type: integer - - type: string - description: |- - UnhealthyInterval defines the frequency of the health check calls for unhealthy targets. - When UnhealthyInterval is not defined, it defaults to the Interval value. - Default: 30s - x-kubernetes-int-or-string: true - type: object - kind: - description: Kind defines the kind of the Service. - enum: - - Service - - TraefikService - type: string - name: - description: |- - Name defines the name of the referenced Kubernetes Service or TraefikService. - The differentiation between the two is specified in the Kind field. - type: string - namespace: - description: Namespace defines the namespace of the referenced - Kubernetes Service or TraefikService. - type: string - nativeLB: - description: |- - NativeLB controls, when creating the load-balancer, - whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. 
- The Kubernetes Service itself does load-balance to the pods. - By default, NativeLB is false. - type: boolean - nodePortLB: - description: |- - NodePortLB controls, when creating the load-balancer, - whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. - It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. - By default, NodePortLB is false. - type: boolean - passHostHeader: - description: |- - PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. - By default, passHostHeader is true. - type: boolean - passiveHealthCheck: - description: PassiveHealthCheck defines passive health checks - for ExternalName services. - properties: - failureWindow: - anyOf: - - type: integer - - type: string - description: FailureWindow defines the time window during - which the failed attempts must occur for the server - to be marked as unhealthy. It also defines for how - long the server will be considered unhealthy. - x-kubernetes-int-or-string: true - maxFailedAttempts: - description: MaxFailedAttempts is the number of consecutive - failed attempts allowed within the failure window - before marking the server as unhealthy. - type: integer - type: object - percent: - description: |- - Percent defines the part of the traffic to mirror. - Supported values: 0 to 100. - type: integer - port: - anyOf: - - type: integer - - type: string - description: |- - Port defines the port of a Kubernetes Service. - This can be a reference to a named port. - x-kubernetes-int-or-string: true - responseForwarding: - description: ResponseForwarding defines how Traefik forwards - the response from the upstream Kubernetes Service to the - client. - properties: - flushInterval: - description: |- - FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. 
- A negative value means to flush immediately after each write to the client. - This configuration is ignored when ReverseProxy recognizes a response as a streaming response; - for such responses, writes are flushed to the client immediately. - Default: 100ms - type: string - type: object - scheme: - description: |- - Scheme defines the scheme to use for the request to the upstream Kubernetes Service. - It defaults to https when Kubernetes Service port is 443, http otherwise. - type: string - serversTransport: - description: |- - ServersTransport defines the name of ServersTransport resource to use. - It allows to configure the transport between Traefik and your servers. - Can only be used on a Kubernetes Service. - type: string - sticky: - description: |- - Sticky defines the sticky sessions configuration. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions - properties: - cookie: - description: Cookie defines the sticky cookie configuration. - properties: - domain: - description: |- - Domain defines the host to which the cookie will be sent. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value - type: string - httpOnly: - description: HTTPOnly defines whether the cookie - can be accessed by client-side APIs, such as JavaScript. - type: boolean - maxAge: - description: |- - MaxAge defines the number of seconds until the cookie expires. - When set to a negative number, the cookie expires immediately. - When set to zero, the cookie never expires. - type: integer - name: - description: Name defines the Cookie name. - type: string - path: - description: |- - Path defines the path that must exist in the requested URL for the browser to send the Cookie header. - When not provided the cookie will be sent on every request to the domain. 
- More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value - type: string - sameSite: - description: |- - SameSite defines the same site policy. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite - enum: - - none - - lax - - strict - type: string - secure: - description: Secure defines whether the cookie can - only be transmitted over an encrypted connection - (i.e. HTTPS). - type: boolean - type: object - type: object - strategy: - description: |- - Strategy defines the load balancing strategy between the servers. - Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time). - RoundRobin value is deprecated and supported for backward compatibility. - enum: - - wrr - - p2c - - hrw - - leasttime - - RoundRobin - type: string - weight: - description: |- - Weight defines the weight and should only be specified when Name references a TraefikService object - (and to be precise, one that embeds a Weighted Round Robin). - minimum: 0 - type: integer - required: - - name - type: object - type: array - name: - description: |- - Name defines the name of the referenced Kubernetes Service or TraefikService. - The differentiation between the two is specified in the Kind field. - type: string - namespace: - description: Namespace defines the namespace of the referenced - Kubernetes Service or TraefikService. - type: string - nativeLB: - description: |- - NativeLB controls, when creating the load-balancer, - whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. - The Kubernetes Service itself does load-balance to the pods. - By default, NativeLB is false. - type: boolean - nodePortLB: - description: |- - NodePortLB controls, when creating the load-balancer, - whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. 
- It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. - By default, NodePortLB is false. - type: boolean - passHostHeader: - description: |- - PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. - By default, passHostHeader is true. - type: boolean - passiveHealthCheck: - description: PassiveHealthCheck defines passive health checks - for ExternalName services. - properties: - failureWindow: - anyOf: - - type: integer - - type: string - description: FailureWindow defines the time window during - which the failed attempts must occur for the server to be - marked as unhealthy. It also defines for how long the server - will be considered unhealthy. - x-kubernetes-int-or-string: true - maxFailedAttempts: - description: MaxFailedAttempts is the number of consecutive - failed attempts allowed within the failure window before - marking the server as unhealthy. - type: integer - type: object - port: - anyOf: - - type: integer - - type: string - description: |- - Port defines the port of a Kubernetes Service. - This can be a reference to a named port. - x-kubernetes-int-or-string: true - responseForwarding: - description: ResponseForwarding defines how Traefik forwards the - response from the upstream Kubernetes Service to the client. - properties: - flushInterval: - description: |- - FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. - A negative value means to flush immediately after each write to the client. - This configuration is ignored when ReverseProxy recognizes a response as a streaming response; - for such responses, writes are flushed to the client immediately. - Default: 100ms - type: string - type: object - scheme: - description: |- - Scheme defines the scheme to use for the request to the upstream Kubernetes Service. 
- It defaults to https when Kubernetes Service port is 443, http otherwise. - type: string - serversTransport: - description: |- - ServersTransport defines the name of ServersTransport resource to use. - It allows to configure the transport between Traefik and your servers. - Can only be used on a Kubernetes Service. - type: string - sticky: - description: |- - Sticky defines the sticky sessions configuration. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions - properties: - cookie: - description: Cookie defines the sticky cookie configuration. - properties: - domain: - description: |- - Domain defines the host to which the cookie will be sent. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value - type: string - httpOnly: - description: HTTPOnly defines whether the cookie can be - accessed by client-side APIs, such as JavaScript. - type: boolean - maxAge: - description: |- - MaxAge defines the number of seconds until the cookie expires. - When set to a negative number, the cookie expires immediately. - When set to zero, the cookie never expires. - type: integer - name: - description: Name defines the Cookie name. - type: string - path: - description: |- - Path defines the path that must exist in the requested URL for the browser to send the Cookie header. - When not provided the cookie will be sent on every request to the domain. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value - type: string - sameSite: - description: |- - SameSite defines the same site policy. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite - enum: - - none - - lax - - strict - type: string - secure: - description: Secure defines whether the cookie can only - be transmitted over an encrypted connection (i.e. HTTPS). 
- type: boolean - type: object - type: object - strategy: - description: |- - Strategy defines the load balancing strategy between the servers. - Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time). - RoundRobin value is deprecated and supported for backward compatibility. - enum: - - wrr - - p2c - - hrw - - leasttime - - RoundRobin - type: string - weight: - description: |- - Weight defines the weight and should only be specified when Name references a TraefikService object - (and to be precise, one that embeds a Weighted Round Robin). - minimum: 0 - type: integer - required: - - name - type: object - weighted: - description: Weighted defines the Weighted Round Robin configuration. - properties: - services: - description: Services defines the list of Kubernetes Service and/or - TraefikService to load-balance, with weight. - items: - description: Service defines an upstream HTTP service to proxy - traffic to. - properties: - healthCheck: - description: Healthcheck defines health checks for ExternalName - services. - properties: - followRedirects: - description: |- - FollowRedirects defines whether redirects should be followed during the health check calls. - Default: true - type: boolean - headers: - additionalProperties: - type: string - description: Headers defines custom headers to be sent - to the health check endpoint. - type: object - hostname: - description: Hostname defines the value of hostname - in the Host header of the health check request. - type: string - interval: - anyOf: - - type: integer - - type: string - description: |- - Interval defines the frequency of the health check calls for healthy targets. - Default: 30s - x-kubernetes-int-or-string: true - method: - description: Method defines the healthcheck method. - type: string - mode: - description: |- - Mode defines the health check mode. 
- If defined to grpc, will use the gRPC health check protocol to probe the server. - Default: http - type: string - path: - description: Path defines the server URL path for the - health check endpoint. - type: string - port: - description: Port defines the server URL port for the - health check endpoint. - type: integer - scheme: - description: Scheme replaces the server URL scheme for - the health check endpoint. - type: string - status: - description: Status defines the expected HTTP status - code of the response to the health check request. - type: integer - timeout: - anyOf: - - type: integer - - type: string - description: |- - Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. - Default: 5s - x-kubernetes-int-or-string: true - unhealthyInterval: - anyOf: - - type: integer - - type: string - description: |- - UnhealthyInterval defines the frequency of the health check calls for unhealthy targets. - When UnhealthyInterval is not defined, it defaults to the Interval value. - Default: 30s - x-kubernetes-int-or-string: true - type: object - kind: - description: Kind defines the kind of the Service. - enum: - - Service - - TraefikService - type: string - name: - description: |- - Name defines the name of the referenced Kubernetes Service or TraefikService. - The differentiation between the two is specified in the Kind field. - type: string - namespace: - description: Namespace defines the namespace of the referenced - Kubernetes Service or TraefikService. - type: string - nativeLB: - description: |- - NativeLB controls, when creating the load-balancer, - whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. - The Kubernetes Service itself does load-balance to the pods. - By default, NativeLB is false. 
- type: boolean - nodePortLB: - description: |- - NodePortLB controls, when creating the load-balancer, - whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. - It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. - By default, NodePortLB is false. - type: boolean - passHostHeader: - description: |- - PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. - By default, passHostHeader is true. - type: boolean - passiveHealthCheck: - description: PassiveHealthCheck defines passive health checks - for ExternalName services. - properties: - failureWindow: - anyOf: - - type: integer - - type: string - description: FailureWindow defines the time window during - which the failed attempts must occur for the server - to be marked as unhealthy. It also defines for how - long the server will be considered unhealthy. - x-kubernetes-int-or-string: true - maxFailedAttempts: - description: MaxFailedAttempts is the number of consecutive - failed attempts allowed within the failure window - before marking the server as unhealthy. - type: integer - type: object - port: - anyOf: - - type: integer - - type: string - description: |- - Port defines the port of a Kubernetes Service. - This can be a reference to a named port. - x-kubernetes-int-or-string: true - responseForwarding: - description: ResponseForwarding defines how Traefik forwards - the response from the upstream Kubernetes Service to the - client. - properties: - flushInterval: - description: |- - FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. - A negative value means to flush immediately after each write to the client. 
- This configuration is ignored when ReverseProxy recognizes a response as a streaming response; - for such responses, writes are flushed to the client immediately. - Default: 100ms - type: string - type: object - scheme: - description: |- - Scheme defines the scheme to use for the request to the upstream Kubernetes Service. - It defaults to https when Kubernetes Service port is 443, http otherwise. - type: string - serversTransport: - description: |- - ServersTransport defines the name of ServersTransport resource to use. - It allows to configure the transport between Traefik and your servers. - Can only be used on a Kubernetes Service. - type: string - sticky: - description: |- - Sticky defines the sticky sessions configuration. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions - properties: - cookie: - description: Cookie defines the sticky cookie configuration. - properties: - domain: - description: |- - Domain defines the host to which the cookie will be sent. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value - type: string - httpOnly: - description: HTTPOnly defines whether the cookie - can be accessed by client-side APIs, such as JavaScript. - type: boolean - maxAge: - description: |- - MaxAge defines the number of seconds until the cookie expires. - When set to a negative number, the cookie expires immediately. - When set to zero, the cookie never expires. - type: integer - name: - description: Name defines the Cookie name. - type: string - path: - description: |- - Path defines the path that must exist in the requested URL for the browser to send the Cookie header. - When not provided the cookie will be sent on every request to the domain. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value - type: string - sameSite: - description: |- - SameSite defines the same site policy. 
- More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite - enum: - - none - - lax - - strict - type: string - secure: - description: Secure defines whether the cookie can - only be transmitted over an encrypted connection - (i.e. HTTPS). - type: boolean - type: object - type: object - strategy: - description: |- - Strategy defines the load balancing strategy between the servers. - Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time). - RoundRobin value is deprecated and supported for backward compatibility. - enum: - - wrr - - p2c - - hrw - - leasttime - - RoundRobin - type: string - weight: - description: |- - Weight defines the weight and should only be specified when Name references a TraefikService object - (and to be precise, one that embeds a Weighted Round Robin). - minimum: 0 - type: integer - required: - - name - type: object - type: array - sticky: - description: |- - Sticky defines whether sticky sessions are enabled. - More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/traefikservice/#stickiness-and-load-balancing - properties: - cookie: - description: Cookie defines the sticky cookie configuration. - properties: - domain: - description: |- - Domain defines the host to which the cookie will be sent. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value - type: string - httpOnly: - description: HTTPOnly defines whether the cookie can be - accessed by client-side APIs, such as JavaScript. - type: boolean - maxAge: - description: |- - MaxAge defines the number of seconds until the cookie expires. - When set to a negative number, the cookie expires immediately. - When set to zero, the cookie never expires. - type: integer - name: - description: Name defines the Cookie name. 
- type: string - path: - description: |- - Path defines the path that must exist in the requested URL for the browser to send the Cookie header. - When not provided the cookie will be sent on every request to the domain. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value - type: string - sameSite: - description: |- - SameSite defines the same site policy. - More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite - enum: - - none - - lax - - strict - type: string - secure: - description: Secure defines whether the cookie can only - be transmitted over an encrypted connection (i.e. HTTPS). - type: boolean - type: object - type: object - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true ---- -# Source: traefik/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: traefik - labels: - app.kubernetes.io/name: traefik - app.kubernetes.io/instance: traefik - app.kubernetes.io/part-of: traefik - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged ---- -# Source: traefik/charts/traefik/templates/rbac/serviceaccount.yaml -kind: ServiceAccount -apiVersion: v1 -metadata: - name: traefik - namespace: traefik - labels: - app.kubernetes.io/name: traefik - app.kubernetes.io/instance: traefik-traefik - helm.sh/chart: traefik-37.4.0 - app.kubernetes.io/managed-by: Helm - annotations: -automountServiceAccountToken: false ---- -# Source: traefik/charts/traefik/templates/rbac/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: traefik-traefik - labels: - app.kubernetes.io/name: traefik - app.kubernetes.io/instance: traefik-traefik - helm.sh/chart: traefik-37.4.0 - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - configmaps - - nodes - - services - verbs: - - get - - 
list - - watch - - apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch - - apiGroups: - - traefik.io - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - serverstransports - - serverstransporttcps - - tlsoptions - - tlsstores - - traefikservices - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - namespaces - - secrets - - configmaps - verbs: - - get - - list - - watch - - apiGroups: - - gateway.networking.k8s.io - resources: - - backendtlspolicies - - gatewayclasses - - gateways - - grpcroutes - - httproutes - - referencegrants - - tcproutes - - tlsroutes - verbs: - - get - - list - - watch - - apiGroups: - - gateway.networking.k8s.io - resources: - - backendtlspolicies/status - - gatewayclasses/status - - gateways/status - - grpcroutes/status - - httproutes/status - - tcproutes/status - - tlsroutes/status - verbs: - - update ---- -# Source: traefik/charts/traefik/templates/rbac/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: traefik-traefik - labels: - app.kubernetes.io/name: traefik - app.kubernetes.io/instance: traefik-traefik - helm.sh/chart: traefik-37.4.0 - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: traefik-traefik -subjects: - - kind: ServiceAccount - name: traefik - namespace: traefik ---- -# Source: traefik/charts/traefik/templates/service-metrics.yaml -apiVersion: v1 -kind: Service -metadata: - name: traefik-metrics - namespace: traefik - labels: - app.kubernetes.io/name: traefik - app.kubernetes.io/instance: traefik-traefik - 
app.kubernetes.io/component: metrics - helm.sh/chart: traefik-37.4.0 - app.kubernetes.io/managed-by: Helm - annotations: -spec: - type: ClusterIP - selector: - app.kubernetes.io/name: traefik - app.kubernetes.io/instance: traefik-traefik - ports: - - port: 9100 - name: metrics - targetPort: metrics - protocol: TCP ---- -# Source: traefik/charts/traefik/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: traefik - namespace: traefik - labels: - app.kubernetes.io/name: traefik - app.kubernetes.io/instance: traefik-traefik - helm.sh/chart: traefik-37.4.0 - app.kubernetes.io/managed-by: Helm - annotations: -spec: - type: LoadBalancer - selector: - app.kubernetes.io/name: traefik - app.kubernetes.io/instance: traefik-traefik - externalIPs: - - 10.232.1.21 - ports: - - port: 22 - name: ssh - targetPort: ssh - protocol: TCP - - port: 80 - name: web - targetPort: web - protocol: TCP - - port: 443 - name: websecure - targetPort: websecure - protocol: TCP ---- -# Source: traefik/charts/traefik/templates/daemonset.yaml -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: traefik - namespace: traefik - labels: - app.kubernetes.io/name: traefik - app.kubernetes.io/instance: traefik-traefik - helm.sh/chart: traefik-37.4.0 - app.kubernetes.io/managed-by: Helm - annotations: -spec: - selector: - matchLabels: - app.kubernetes.io/name: traefik - app.kubernetes.io/instance: traefik-traefik - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 0 - maxSurge: 1 - minReadySeconds: 0 - template: - metadata: - annotations: - labels: - app.kubernetes.io/name: traefik - app.kubernetes.io/instance: traefik-traefik - helm.sh/chart: traefik-37.4.0 - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: traefik - automountServiceAccountToken: true - terminationGracePeriodSeconds: 60 - hostNetwork: false - containers: - - image: docker.io/traefik:v3.6.2 - imagePullPolicy: IfNotPresent - name: traefik - resources: - readinessProbe: - 
httpGet: - path: /ping - port: 8080 - scheme: HTTP - failureThreshold: 1 - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - livenessProbe: - httpGet: - path: /ping - port: 8080 - scheme: HTTP - failureThreshold: 3 - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - lifecycle: - ports: - - name: metrics - containerPort: 9100 - protocol: TCP - - name: ssh - containerPort: 22 - protocol: TCP - - name: traefik - containerPort: 8080 - protocol: TCP - - name: web - containerPort: 8000 - protocol: TCP - - name: websecure - containerPort: 8443 - protocol: TCP - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - name: data - mountPath: /data - - name: tmp - mountPath: /tmp - - args: - - "--entryPoints.metrics.address=:9100/tcp" - - "--entryPoints.ssh.address=:22/tcp" - - "--entryPoints.traefik.address=:8080/tcp" - - "--entryPoints.web.address=:8000/tcp" - - "--entryPoints.websecure.address=:8443/tcp" - - "--api.dashboard=true" - - "--ping=true" - - "--metrics.prometheus=true" - - "--metrics.prometheus.entrypoint=metrics" - - - - "--providers.kubernetescrd" - - "--providers.kubernetescrd.allowCrossNamespace=true" - - "--providers.kubernetescrd.allowEmptyServices=true" - - "--providers.kubernetesgateway" - - "--providers.kubernetesgateway.statusaddress.ip=10.232.1.21" - - "--providers.kubernetesgateway.statusaddress.service.name=traefik" - - "--providers.kubernetesgateway.statusaddress.service.namespace=traefik" - - "--providers.kubernetesgateway.experimentalchannel=true" - - "--entryPoints.ssh.http.tls=true" - - "--entryPoints.ssh.forwardedHeaders.trustedIPs=10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7" - - "--entryPoints.ssh.proxyProtocol.trustedIPs=10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7" - - "--entryPoints.web.http.redirections.entryPoint.to=:443" - - 
"--entryPoints.web.http.redirections.entryPoint.scheme=https" - - "--entryPoints.web.http.redirections.entryPoint.permanent=true" - - "--entryPoints.web.forwardedHeaders.trustedIPs=10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7" - - "--entryPoints.web.proxyProtocol.trustedIPs=10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7" - - "--entryPoints.websecure.http.tls=true" - - "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7" - - "--entryPoints.websecure.proxyProtocol.trustedIPs=10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7" - - "--log.level=INFO" - - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: USER - value: traefik - volumes: - - name: data - emptyDir: {} - - name: tmp - emptyDir: {} - securityContext: - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 ---- -# Source: traefik/templates/certificate.yaml -# apiVersion: cert-manager.io/v1 -# kind: Certificate -# metadata: -# name: traefik-certificate -# namespace: traefik -# labels: -# app.kubernetes.io/name: traefik-certificate -# app.kubernetes.io/instance: traefik -# app.kubernetes.io/part-of: traefik -# spec: -# secretName: traefik-secret-tls -# dnsNames: -# - "alexlebens.net" -# - "*.alexlebens.net" -# issuerRef: -# name: letsencrypt-issuer -# kind: ClusterIssuer ---- -# Source: traefik/charts/traefik/templates/gateway.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: Gateway -metadata: - name: traefik-gateway - namespace: traefik - labels: - app.kubernetes.io/name: traefik - app.kubernetes.io/instance: traefik-traefik - helm.sh/chart: traefik-37.4.0 - app.kubernetes.io/managed-by: Helm - annotations: - cert-manager.io/cluster-issuer: letsencrypt-issuer -spec: - gatewayClassName: traefik - listeners: - - name: ssh - port: 22 - protocol: TCP - allowedRoutes: - namespaces: - from: All - - - - name: web - port: 8000 - protocol: 
HTTP - hostname: '*.alexlebens.net' - allowedRoutes: - namespaces: - from: All - - - - name: websecure - port: 8443 - protocol: HTTPS - hostname: '*.alexlebens.net' - allowedRoutes: - namespaces: - from: All - - - tls: - - mode: Terminate - - certificateRefs: - - group: "" - kind: Secret - name: websecure-gateway-cert - namespace: traefik ---- -# Source: traefik/charts/traefik/templates/gatewayclass.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: GatewayClass -metadata: - name: traefik - labels: - app.kubernetes.io/name: traefik - app.kubernetes.io/instance: traefik-traefik - helm.sh/chart: traefik-37.4.0 - app.kubernetes.io/managed-by: Helm -spec: - controllerName: traefik.io/gateway-controller ---- -# Source: traefik/charts/traefik/templates/ingressroute.yaml -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: traefik-dashboard - namespace: traefik - labels: - app.kubernetes.io/name: traefik - app.kubernetes.io/instance: traefik-traefik - helm.sh/chart: traefik-37.4.0 - app.kubernetes.io/managed-by: Helm -spec: - entryPoints: - - websecure - routes: - - match: (Host(`traefik-cl01tl.alexlebens.net`) && (PathPrefix(`/api/`) || PathPrefix(`/dashboard/`))) - kind: Rule - services: - - kind: TraefikService - name: api@internal ---- -# Source: traefik/charts/traefik/templates/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: traefik - namespace: traefik - labels: - app.kubernetes.io/name: traefik - app.kubernetes.io/instance: traefik-traefik - app.kubernetes.io/component: metrics - helm.sh/chart: traefik-37.4.0 - app.kubernetes.io/managed-by: Helm -spec: - jobLabel: traefik - endpoints: - - targetPort: metrics - path: /metrics - namespaceSelector: - matchNames: - - traefik - selector: - matchLabels: - app.kubernetes.io/name: traefik - app.kubernetes.io/instance: traefik-traefik - app.kubernetes.io/component: metrics 
diff --git a/clusters/cl01tl/manifests/trivy/trivy.yaml b/clusters/cl01tl/manifests/trivy/trivy.yaml
deleted file mode 100644
index caccd6313..000000000
--- a/clusters/cl01tl/manifests/trivy/trivy.yaml
+++ /dev/null
@@ -1,5222 +0,0 @@ ---- -# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clustercompliancereports.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: clustercompliancereports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: ClusterComplianceReport - listKind: ClusterComplianceReportList - plural: clustercompliancereports - shortNames: - - compliance - singular: clustercompliancereport - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of checks that failed - jsonPath: .status.summary.failCount - name: Fail - priority: 1 - type: integer - - description: The number of checks that passed - jsonPath: .status.summary.passCount - name: Pass - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterComplianceReport is a specification for the ClusterComplianceReport - resource. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ReportSpec represent the compliance specification - properties: - compliance: - properties: - controls: - description: Control represent the cps controls data and mapping - checks - items: - description: Control represent the cps controls data and mapping - checks - properties: - checks: - items: - description: SpecCheck represent the scanner who perform - the control check - properties: - id: - description: id define the check id as produced by - scanner - type: string - required: - - id - type: object - type: array - commands: - items: - description: Commands represent the commands to be executed - by the node-collector - properties: - id: - description: id define the commands id - type: string - required: - - id - type: object - type: array - defaultStatus: - description: define the default value for check status in - case resource not found - enum: - - PASS - - WARN - - FAIL - type: string - description: - type: string - id: - description: id define the control check id - type: string - name: - type: string - severity: - description: define the severity of the control - enum: - - CRITICAL - - HIGH - - MEDIUM - - LOW - - UNKNOWN - type: string - required: - - id - - name - - severity - type: object - type: array - description: - type: string - id: - type: string - platform: - type: string - relatedResources: - items: - type: string - type: array - title: - type: string - type: - type: string - version: - type: string - required: - - controls - - description - - id - - platform - - relatedResources - - title - - type - - version - type: object - cron: - description: cron define the intervals for report generation - pattern: ^(((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1-5]{1}){1}([0-9]{1}){1}){1}))) - 
((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1]{1}){1}([0-9]{1}){1}){1}|([2]{1}){1}([0-3]{1}){1}))) - ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))) - ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))|(jan|feb|mar|apr|may|jun|jul|aug|sep|okt|nov|dec)) - ((([\*]{1}){1})|((\*\/){0,1}(([0-7]{1}){1}))|(sun|mon|tue|wed|thu|fri|sat)))$ - type: string - reportType: - enum: - - summary - - all - type: string - required: - - compliance - - cron - - reportType - type: object - status: - properties: - detailReport: - description: ComplianceReport represents a kubernetes scan report - properties: - description: - type: string - id: - type: string - relatedVersion: - items: - type: string - type: array - results: - items: - properties: - checks: - items: - description: ComplianceCheck provides the result of conducting - a single compliance step. - properties: - category: - type: string - checkID: - type: string - description: - type: string - messages: - items: - type: string - type: array - remediation: - description: Remediation provides description or links - to external resources to remediate failing check. - type: string - severity: - description: Severity level of a vulnerability or - a configuration audit check. 
- type: string - success: - type: boolean - target: - type: string - title: - type: string - required: - - checkID - - severity - - success - type: object - type: array - description: - type: string - id: - type: string - name: - type: string - severity: - type: string - status: - type: string - required: - - checks - type: object - type: array - title: - type: string - version: - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - summary: - properties: - failCount: - type: integer - passCount: - type: integer - type: object - summaryReport: - description: SummaryReport represents a kubernetes scan report with - consolidated findings - properties: - controlCheck: - items: - properties: - id: - type: string - name: - type: string - severity: - type: string - totalFail: - type: integer - type: object - type: array - id: - type: string - title: - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - updateTimestamp: - format: date-time - type: string - required: - - updateTimestamp - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true - subresources: - status: {} - ---- -# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clusterconfigauditreports.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: clusterconfigauditreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: ClusterConfigAuditReport - listKind: ClusterConfigAuditReportList - plural: clusterconfigauditreports - shortNames: - - clusterconfigaudit - singular: clusterconfigauditreport - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The name of the config audit scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - 
- description: The number of failed checks with critical severity - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of failed checks with high severity - jsonPath: .report.summary.highCount - name: High - priority: 1 - type: integer - - description: The number of failed checks with medium severity - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of failed checks with low severity - jsonPath: .report.summary.lowCount - name: Low - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterConfigAuditReport is a specification for the ClusterConfigAuditReport - resource. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - report: - properties: - checks: - description: Checks provides results of conducting audit steps. - items: - description: Check provides the result of conducting a single audit - step. - properties: - category: - type: string - checkID: - type: string - description: - type: string - messages: - items: - type: string - type: array - remediation: - description: Remediation provides description or links to external - resources to remediate failing check. 
- type: string - scope: - description: Scope indicates the section of config that was - audited. - properties: - type: - description: Type indicates type of this scope, e.g. Container, - ConfigMapKey or JSONPath. - type: string - value: - description: Value indicates value of this scope that depends - on Type, e.g. container name, ConfigMap key or JSONPath - expression - type: string - required: - - type - - value - type: object - severity: - description: Severity level of a vulnerability or a configuration - audit check. - type: string - success: - type: boolean - title: - type: string - required: - - checkID - - severity - - success - type: object - type: array - scanner: - description: Scanner is the spec for a scanner generating a security - assessment report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: ConfigAuditSummary counts failed checks by severity. - properties: - criticalCount: - description: CriticalCount is the number of failed checks with - critical severity. - type: integer - highCount: - description: HighCount is the number of failed checks with high - severity. - type: integer - lowCount: - description: LowCount is the number of failed check with low severity. - type: integer - mediumCount: - description: MediumCount is the number of failed checks with medium - severity. 
- type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - type: object - updateTimestamp: - format: date-time - type: string - required: - - checks - type: object - required: - - report - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true - subresources: {} - ---- -# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clusterinfraassessmentreports.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: clusterinfraassessmentreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: ClusterInfraAssessmentReport - listKind: ClusterInfraAssessmentReportList - plural: clusterinfraassessmentreports - shortNames: - - clusterinfraassessment - singular: clusterinfraassessmentreport - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The name of the infra assessement scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of failed checks with critical severity - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of failed checks with high severity - jsonPath: .report.summary.highCount - name: High - priority: 1 - type: integer - - description: The number of failed checks with medium severity - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of failed checks with low severity - jsonPath: .report.summary.lowCount - name: Low - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterInfraAssessmentReport is a specification for the ClusterInfraAssessmentReport - resource. 
- properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - report: - properties: - checks: - description: Checks provides results of conducting audit steps. - items: - description: Check provides the result of conducting a single audit - step. - properties: - category: - type: string - checkID: - type: string - description: - type: string - messages: - items: - type: string - type: array - remediation: - description: Remediation provides description or links to external - resources to remediate failing check. - type: string - scope: - description: Scope indicates the section of config that was - audited. - properties: - type: - description: Type indicates type of this scope, e.g. Container, - ConfigMapKey or JSONPath. - type: string - value: - description: Value indicates value of this scope that depends - on Type, e.g. container name, ConfigMap key or JSONPath - expression - type: string - required: - - type - - value - type: object - severity: - description: Severity level of a vulnerability or a configuration - audit check. - type: string - success: - type: boolean - title: - type: string - required: - - checkID - - severity - - success - type: object - type: array - scanner: - description: Scanner is the spec for a scanner generating a security - assessment report. 
- properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: InfraAssessmentSummary counts failed checks by severity. - properties: - criticalCount: - description: CriticalCount is the number of failed checks with - critical severity. - type: integer - highCount: - description: HighCount is the number of failed checks with high - severity. - type: integer - lowCount: - description: LowCount is the number of failed check with low severity. - type: integer - mediumCount: - description: MediumCount is the number of failed checks with medium - severity. - type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - type: object - required: - - checks - - scanner - - summary - type: object - required: - - report - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true - subresources: {} - ---- -# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clusterrbacassessmentreports.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: clusterrbacassessmentreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: ClusterRbacAssessmentReport - listKind: ClusterRbacAssessmentReportList - plural: clusterrbacassessmentreports - shortNames: - - clusterrbacassessmentreport - singular: clusterrbacassessmentreport - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The name of the rbac assessment scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - 
description: The number of failed checks with critical severity - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of failed checks with high severity - jsonPath: .report.summary.highCount - name: High - priority: 1 - type: integer - - description: The number of failed checks with medium severity - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of failed checks with low severity - jsonPath: .report.summary.lowCount - name: Low - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterRbacAssessmentReport is a specification for the ClusterRbacAssessmentReport - resource. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - report: - properties: - checks: - description: Checks provides results of conducting audit steps. - items: - description: Check provides the result of conducting a single audit - step. - properties: - category: - type: string - checkID: - type: string - description: - type: string - messages: - items: - type: string - type: array - remediation: - description: Remediation provides description or links to external - resources to remediate failing check. 
- type: string - scope: - description: Scope indicates the section of config that was - audited. - properties: - type: - description: Type indicates type of this scope, e.g. Container, - ConfigMapKey or JSONPath. - type: string - value: - description: Value indicates value of this scope that depends - on Type, e.g. container name, ConfigMap key or JSONPath - expression - type: string - required: - - type - - value - type: object - severity: - description: Severity level of a vulnerability or a configuration - audit check. - type: string - success: - type: boolean - title: - type: string - required: - - checkID - - severity - - success - type: object - type: array - scanner: - description: Scanner is the spec for a scanner generating a security - assessment report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: RbacAssessmentSummary counts failed checks by severity. - properties: - criticalCount: - description: CriticalCount is the number of failed checks with - critical severity. - type: integer - highCount: - description: HighCount is the number of failed checks with high - severity. - type: integer - lowCount: - description: LowCount is the number of failed check with low severity. - type: integer - mediumCount: - description: MediumCount is the number of failed checks with medium - severity. 
- type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - type: object - required: - - checks - - scanner - - summary - type: object - required: - - report - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true - subresources: {} - ---- -# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clustersbomreports.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: clustersbomreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: ClusterSbomReport - listKind: ClusterSbomReportList - plural: clustersbomreports - shortNames: - - clustersbom - singular: clustersbomreport - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The name of image repository - jsonPath: .report.artifact.repository - name: Repository - type: string - - description: The name of image tag - jsonPath: .report.artifact.tag - name: Tag - type: string - - description: The name of the sbom generation scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of dependencies in bom - jsonPath: .report.summary.componentsCount - name: Components - priority: 1 - type: integer - - description: The the number of components in bom - jsonPath: .report.summary.dependenciesCount - name: Dependencies - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSbomReport summarizes components and dependencies found - in container image - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - report: - description: Report is the actual sbom report data. - properties: - artifact: - description: |- - Artifact represents a standalone, executable package of software that includes everything needed to - run an application. - properties: - digest: - description: Digest is a unique and immutable identifier of an - Artifact. - type: string - mimeType: - description: MimeType represents a type and format of an Artifact. - type: string - repository: - description: Repository is the name of the repository in the Artifact - registry. - type: string - tag: - description: Tag is a mutable, human-readable string used to identify - an Artifact. - type: string - type: object - components: - description: Bom is artifact bill of materials. 
- properties: - bomFormat: - type: string - components: - items: - properties: - bom-ref: - type: string - group: - type: string - hashes: - items: - properties: - alg: - type: string - content: - type: string - type: object - type: array - licenses: - items: - properties: - expression: - type: string - license: - properties: - id: - type: string - name: - type: string - url: - type: string - type: object - type: object - type: array - name: - type: string - properties: - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - purl: - type: string - supplier: - properties: - contact: - items: - properties: - email: - type: string - name: - type: string - phone: - type: string - type: object - type: array - name: - type: string - url: - items: - type: string - type: array - type: object - type: - type: string - version: - type: string - type: object - type: array - dependencies: - items: - properties: - dependsOn: - items: - type: string - type: array - ref: - type: string - type: object - type: array - metadata: - properties: - component: - properties: - bom-ref: - type: string - group: - type: string - hashes: - items: - properties: - alg: - type: string - content: - type: string - type: object - type: array - licenses: - items: - properties: - expression: - type: string - license: - properties: - id: - type: string - name: - type: string - url: - type: string - type: object - type: object - type: array - name: - type: string - properties: - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - purl: - type: string - supplier: - properties: - contact: - items: - properties: - email: - type: string - name: - type: string - phone: - type: string - type: object - type: array - name: - type: string - url: - items: - type: string - type: array - type: object - type: - type: string - version: - type: string - type: object - timestamp: - type: string - tools: - properties: - 
components: - items: - properties: - bom-ref: - type: string - group: - type: string - hashes: - items: - properties: - alg: - type: string - content: - type: string - type: object - type: array - licenses: - items: - properties: - expression: - type: string - license: - properties: - id: - type: string - name: - type: string - url: - type: string - type: object - type: object - type: array - name: - type: string - properties: - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - purl: - type: string - supplier: - properties: - contact: - items: - properties: - email: - type: string - name: - type: string - phone: - type: string - type: object - type: array - name: - type: string - url: - items: - type: string - type: array - type: object - type: - type: string - version: - type: string - type: object - type: array - type: object - type: object - serialNumber: - type: string - specVersion: - type: string - version: - type: integer - required: - - bomFormat - - specVersion - type: object - registry: - description: Registry is the registry the Artifact was pulled from. - properties: - server: - description: Server the FQDN of registry server. - type: string - type: object - scanner: - description: Scanner is the scanner that generated this report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: Summary is a summary of sbom report. - properties: - componentsCount: - description: ComponentsCount is the number of components in bom. - minimum: 0 - type: integer - dependenciesCount: - description: DependenciesCount is the number of dependencies in - bom. 
- minimum: 0 - type: integer - required: - - componentsCount - - dependenciesCount - type: object - updateTimestamp: - description: UpdateTimestamp is a timestamp representing the server - time in UTC when this report was updated. - format: date-time - type: string - required: - - artifact - - components - - scanner - - summary - - updateTimestamp - type: object - required: - - report - type: object - served: true - storage: true - subresources: {} - ---- -# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clustervulnerabilityreports.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: clustervulnerabilityreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: ClusterVulnerabilityReport - listKind: ClusterVulnerabilityReportList - plural: clustervulnerabilityreports - shortNames: - - clustervuln - singular: clustervulnerabilityreport - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The name of image repository - jsonPath: .report.artifact.repository - name: Repository - type: string - - description: The name of image tag - jsonPath: .report.artifact.tag - name: Tag - type: string - - description: The name of the vulnerability scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of critical vulnerabilities - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of high vulnerabilities - jsonPath: .report.summary.highCount - name: High - priority: 1 - type: integer - - description: The number of medium vulnerabilities - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of low vulnerabilities - jsonPath: 
.report.summary.lowCount - name: Low - priority: 1 - type: integer - - description: The number of unknown vulnerabilities - jsonPath: .report.summary.unknownCount - name: Unknown - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ClusterVulnerabilityReport summarizes vulnerabilities in application dependencies and operating system packages - built into container images. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - report: - description: Report is the actual vulnerability report data. - properties: - artifact: - description: |- - Artifact represents a standalone, executable package of software that includes everything needed to - run an application. - properties: - digest: - description: Digest is a unique and immutable identifier of an - Artifact. - type: string - mimeType: - description: MimeType represents a type and format of an Artifact. - type: string - repository: - description: Repository is the name of the repository in the Artifact - registry. - type: string - tag: - description: Tag is a mutable, human-readable string used to identify - an Artifact. 
- type: string - type: object - os: - description: OS information of the artifact - properties: - eosl: - description: Eosl is true if OS version has reached end of service - life - type: boolean - family: - description: Operating System Family - type: string - name: - description: Name or version of the OS - type: string - type: object - registry: - description: Registry is the registry the Artifact was pulled from. - properties: - server: - description: Server the FQDN of registry server. - type: string - type: object - scanner: - description: Scanner is the scanner that generated this report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: Summary is a summary of Vulnerability counts grouped - by Severity. - properties: - criticalCount: - description: CriticalCount is the number of vulnerabilities with - Critical Severity. - minimum: 0 - type: integer - highCount: - description: HighCount is the number of vulnerabilities with High - Severity. - minimum: 0 - type: integer - lowCount: - description: LowCount is the number of vulnerabilities with Low - Severity. - minimum: 0 - type: integer - mediumCount: - description: MediumCount is the number of vulnerabilities with - Medium Severity. - minimum: 0 - type: integer - noneCount: - description: NoneCount is the number of packages without any vulnerability. - minimum: 0 - type: integer - unknownCount: - description: UnknownCount is the number of vulnerabilities with - unknown severity. 
- minimum: 0 - type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - - unknownCount - type: object - updateTimestamp: - description: UpdateTimestamp is a timestamp representing the server - time in UTC when this report was updated. - format: date-time - type: string - vulnerabilities: - description: Vulnerabilities is a list of operating system (OS) or - application software Vulnerability items found in the Artifact. - items: - description: Vulnerability is the spec for a vulnerability record. - properties: - class: - type: string - cvss: - additionalProperties: - properties: - V2Score: - type: number - V2Vector: - type: string - V3Score: - type: number - V3Vector: - type: string - V40Score: - type: number - V40Vector: - type: string - type: object - type: object - cvsssource: - type: string - description: - type: string - fixedVersion: - description: FixedVersion indicates the version of the Resource - in which this vulnerability has been fixed. - type: string - installedVersion: - description: InstalledVersion indicates the installed version - of the Resource. - type: string - lastModifiedDate: - description: LastModifiedDate indicates the last date CVE has - been modified. - type: string - links: - items: - type: string - type: array - packagePURL: - type: string - packagePath: - type: string - packageType: - type: string - primaryLink: - type: string - publishedDate: - description: PublishedDate indicates the date of published CVE. - type: string - resource: - description: Resource is a vulnerable package, application, - or library. - type: string - score: - type: number - severity: - description: Severity level of a vulnerability or a configuration - audit check. - enum: - - CRITICAL - - HIGH - - MEDIUM - - LOW - - UNKNOWN - type: string - target: - type: string - title: - type: string - vulnerabilityID: - description: VulnerabilityID the vulnerability identifier. 
- type: string - required: - - fixedVersion - - installedVersion - - lastModifiedDate - - publishedDate - - resource - - severity - - title - - vulnerabilityID - type: object - type: array - required: - - artifact - - os - - scanner - - summary - - updateTimestamp - - vulnerabilities - type: object - required: - - report - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true - subresources: {} - ---- -# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_configauditreports.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: configauditreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: ConfigAuditReport - listKind: ConfigAuditReportList - plural: configauditreports - shortNames: - - configaudit - - configaudits - singular: configauditreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of the config audit scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of failed checks with critical severity - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of failed checks with high severity - jsonPath: .report.summary.highCount - name: High - priority: 1 - type: integer - - description: The number of failed checks with medium severity - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of failed checks with low severity - jsonPath: .report.summary.lowCount - name: Low - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: ConfigAuditReport is a specification for the ConfigAuditReport - resource. 
- properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - report: - properties: - checks: - description: Checks provides results of conducting audit steps. - items: - description: Check provides the result of conducting a single audit - step. - properties: - category: - type: string - checkID: - type: string - description: - type: string - messages: - items: - type: string - type: array - remediation: - description: Remediation provides description or links to external - resources to remediate failing check. - type: string - scope: - description: Scope indicates the section of config that was - audited. - properties: - type: - description: Type indicates type of this scope, e.g. Container, - ConfigMapKey or JSONPath. - type: string - value: - description: Value indicates value of this scope that depends - on Type, e.g. container name, ConfigMap key or JSONPath - expression - type: string - required: - - type - - value - type: object - severity: - description: Severity level of a vulnerability or a configuration - audit check. - type: string - success: - type: boolean - title: - type: string - required: - - checkID - - severity - - success - type: object - type: array - scanner: - description: Scanner is the spec for a scanner generating a security - assessment report. 
- properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: ConfigAuditSummary counts failed checks by severity. - properties: - criticalCount: - description: CriticalCount is the number of failed checks with - critical severity. - type: integer - highCount: - description: HighCount is the number of failed checks with high - severity. - type: integer - lowCount: - description: LowCount is the number of failed check with low severity. - type: integer - mediumCount: - description: MediumCount is the number of failed checks with medium - severity. - type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - type: object - updateTimestamp: - format: date-time - type: string - required: - - checks - type: object - required: - - report - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true - subresources: {} - ---- -# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_exposedsecretreports.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: exposedsecretreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: ExposedSecretReport - listKind: ExposedSecretReportList - plural: exposedsecretreports - shortNames: - - exposedsecret - - exposedsecrets - singular: exposedsecretreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of image repository - jsonPath: .report.artifact.repository - name: Repository - type: string - - description: The name of image tag - jsonPath: .report.artifact.tag - name: Tag - type: string - - description: The name of the 
exposed secret scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of critical exposed secrets - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of high exposed secrets - jsonPath: .report.summary.highCount - name: High - priority: 1 - type: integer - - description: The number of medium exposed secrets - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of low exposed secrets - jsonPath: .report.summary.lowCount - name: Low - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExposedSecretReport summarizes exposed secrets in plaintext files - built into container images. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - report: - description: Report is the actual exposed secret report data. - properties: - artifact: - description: |- - Artifact represents a standalone, executable package of software that includes everything needed to - run an application. - properties: - digest: - description: Digest is a unique and immutable identifier of an - Artifact. 
- type: string - mimeType: - description: MimeType represents a type and format of an Artifact. - type: string - repository: - description: Repository is the name of the repository in the Artifact - registry. - type: string - tag: - description: Tag is a mutable, human-readable string used to identify - an Artifact. - type: string - type: object - registry: - description: Registry is the registry the Artifact was pulled from. - properties: - server: - description: Server the FQDN of registry server. - type: string - type: object - scanner: - description: Scanner is the scanner that generated this report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - secrets: - description: Exposed secrets is a list of passwords, api keys, tokens - and others items found in the Artifact. - items: - description: ExposedSecret is the spec for a exposed secret record. - properties: - category: - type: string - match: - description: Match where the exposed rule matched. - type: string - ruleID: - description: RuleID is rule the identifier. - type: string - severity: - description: Severity level of a vulnerability or a configuration - audit check. - enum: - - CRITICAL - - HIGH - - MEDIUM - - LOW - type: string - target: - description: Target is where the exposed secret was found. - type: string - title: - type: string - required: - - category - - match - - ruleID - - severity - - target - - title - type: object - type: array - summary: - description: Summary is the exposed secrets counts grouped by Severity. - properties: - criticalCount: - description: CriticalCount is the number of exposed secrets with - Critical Severity. 
- minimum: 0 - type: integer - highCount: - description: HighCount is the number of exposed secrets with High - Severity. - minimum: 0 - type: integer - lowCount: - description: LowCount is the number of exposed secrets with Low - Severity. - minimum: 0 - type: integer - mediumCount: - description: MediumCount is the number of exposed secrets with - Medium Severity. - minimum: 0 - type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - type: object - updateTimestamp: - description: UpdateTimestamp is a timestamp representing the server - time in UTC when this report was updated. - format: date-time - type: string - required: - - artifact - - scanner - - secrets - - summary - - updateTimestamp - type: object - required: - - report - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true - subresources: {} - ---- -# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_infraassessmentreports.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: infraassessmentreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: InfraAssessmentReport - listKind: InfraAssessmentReportList - plural: infraassessmentreports - shortNames: - - infraassessment - - infraassessments - singular: infraassessmentreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of the infra assessment scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of failed checks with critical severity - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of failed checks with high severity - jsonPath: .report.summary.highCount - name: High - priority: 1 
- type: integer - - description: The number of failed checks with medium severity - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of failed checks with low severity - jsonPath: .report.summary.lowCount - name: Low - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: InfraAssessmentReport is a specification for the InfraAssessmentReport - resource. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - report: - properties: - checks: - description: Checks provides results of conducting audit steps. - items: - description: Check provides the result of conducting a single audit - step. - properties: - category: - type: string - checkID: - type: string - description: - type: string - messages: - items: - type: string - type: array - remediation: - description: Remediation provides description or links to external - resources to remediate failing check. - type: string - scope: - description: Scope indicates the section of config that was - audited. - properties: - type: - description: Type indicates type of this scope, e.g. Container, - ConfigMapKey or JSONPath. - type: string - value: - description: Value indicates value of this scope that depends - on Type, e.g. 
container name, ConfigMap key or JSONPath - expression - type: string - required: - - type - - value - type: object - severity: - description: Severity level of a vulnerability or a configuration - audit check. - type: string - success: - type: boolean - title: - type: string - required: - - checkID - - severity - - success - type: object - type: array - scanner: - description: Scanner is the spec for a scanner generating a security - assessment report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: InfraAssessmentSummary counts failed checks by severity. - properties: - criticalCount: - description: CriticalCount is the number of failed checks with - critical severity. - type: integer - highCount: - description: HighCount is the number of failed checks with high - severity. - type: integer - lowCount: - description: LowCount is the number of failed check with low severity. - type: integer - mediumCount: - description: MediumCount is the number of failed checks with medium - severity. 
- type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - type: object - required: - - checks - - scanner - - summary - type: object - required: - - report - type: object - served: true - storage: true - subresources: {} - ---- -# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_rbacassessmentreports.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: rbacassessmentreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: RbacAssessmentReport - listKind: RbacAssessmentReportList - plural: rbacassessmentreports - shortNames: - - rbacassessment - - rbacassessments - singular: rbacassessmentreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of the rbac assessment scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of failed checks with critical severity - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of failed checks with high severity - jsonPath: .report.summary.highCount - name: High - priority: 1 - type: integer - - description: The number of failed checks with medium severity - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of failed checks with low severity - jsonPath: .report.summary.lowCount - name: Low - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: RbacAssessmentReport is a specification for the RbacAssessmentReport - resource. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. 
- Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - report: - properties: - checks: - description: Checks provides results of conducting audit steps. - items: - description: Check provides the result of conducting a single audit - step. - properties: - category: - type: string - checkID: - type: string - description: - type: string - messages: - items: - type: string - type: array - remediation: - description: Remediation provides description or links to external - resources to remediate failing check. - type: string - scope: - description: Scope indicates the section of config that was - audited. - properties: - type: - description: Type indicates type of this scope, e.g. Container, - ConfigMapKey or JSONPath. - type: string - value: - description: Value indicates value of this scope that depends - on Type, e.g. container name, ConfigMap key or JSONPath - expression - type: string - required: - - type - - value - type: object - severity: - description: Severity level of a vulnerability or a configuration - audit check. - type: string - success: - type: boolean - title: - type: string - required: - - checkID - - severity - - success - type: object - type: array - scanner: - description: Scanner is the spec for a scanner generating a security - assessment report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. 
- type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: RbacAssessmentSummary counts failed checks by severity. - properties: - criticalCount: - description: CriticalCount is the number of failed checks with - critical severity. - type: integer - highCount: - description: HighCount is the number of failed checks with high - severity. - type: integer - lowCount: - description: LowCount is the number of failed check with low severity. - type: integer - mediumCount: - description: MediumCount is the number of failed checks with medium - severity. - type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - type: object - required: - - checks - - scanner - - summary - type: object - required: - - report - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true - subresources: {} - ---- -# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_sbomreports.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: sbomreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: SbomReport - listKind: SbomReportList - plural: sbomreports - shortNames: - - sbom - - sboms - singular: sbomreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of image repository - jsonPath: .report.artifact.repository - name: Repository - type: string - - description: The name of image tag - jsonPath: .report.artifact.tag - name: Tag - type: string - - description: The name of the sbom generation scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of dependencies in bom - jsonPath: 
.report.summary.componentsCount - name: Components - priority: 1 - type: integer - - description: The the number of components in bom - jsonPath: .report.summary.dependenciesCount - name: Dependencies - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: SbomReport summarizes components and dependencies found in container - image - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - report: - description: Report is the actual sbom report data. - properties: - artifact: - description: |- - Artifact represents a standalone, executable package of software that includes everything needed to - run an application. - properties: - digest: - description: Digest is a unique and immutable identifier of an - Artifact. - type: string - mimeType: - description: MimeType represents a type and format of an Artifact. - type: string - repository: - description: Repository is the name of the repository in the Artifact - registry. - type: string - tag: - description: Tag is a mutable, human-readable string used to identify - an Artifact. - type: string - type: object - components: - description: Bom is artifact bill of materials. 
- properties: - bomFormat: - type: string - components: - items: - properties: - bom-ref: - type: string - group: - type: string - hashes: - items: - properties: - alg: - type: string - content: - type: string - type: object - type: array - licenses: - items: - properties: - expression: - type: string - license: - properties: - id: - type: string - name: - type: string - url: - type: string - type: object - type: object - type: array - name: - type: string - properties: - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - purl: - type: string - supplier: - properties: - contact: - items: - properties: - email: - type: string - name: - type: string - phone: - type: string - type: object - type: array - name: - type: string - url: - items: - type: string - type: array - type: object - type: - type: string - version: - type: string - type: object - type: array - dependencies: - items: - properties: - dependsOn: - items: - type: string - type: array - ref: - type: string - type: object - type: array - metadata: - properties: - component: - properties: - bom-ref: - type: string - group: - type: string - hashes: - items: - properties: - alg: - type: string - content: - type: string - type: object - type: array - licenses: - items: - properties: - expression: - type: string - license: - properties: - id: - type: string - name: - type: string - url: - type: string - type: object - type: object - type: array - name: - type: string - properties: - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - purl: - type: string - supplier: - properties: - contact: - items: - properties: - email: - type: string - name: - type: string - phone: - type: string - type: object - type: array - name: - type: string - url: - items: - type: string - type: array - type: object - type: - type: string - version: - type: string - type: object - timestamp: - type: string - tools: - properties: - 
components: - items: - properties: - bom-ref: - type: string - group: - type: string - hashes: - items: - properties: - alg: - type: string - content: - type: string - type: object - type: array - licenses: - items: - properties: - expression: - type: string - license: - properties: - id: - type: string - name: - type: string - url: - type: string - type: object - type: object - type: array - name: - type: string - properties: - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - purl: - type: string - supplier: - properties: - contact: - items: - properties: - email: - type: string - name: - type: string - phone: - type: string - type: object - type: array - name: - type: string - url: - items: - type: string - type: array - type: object - type: - type: string - version: - type: string - type: object - type: array - type: object - type: object - serialNumber: - type: string - specVersion: - type: string - version: - type: integer - required: - - bomFormat - - specVersion - type: object - registry: - description: Registry is the registry the Artifact was pulled from. - properties: - server: - description: Server the FQDN of registry server. - type: string - type: object - scanner: - description: Scanner is the scanner that generated this report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: Summary is a summary of sbom report. - properties: - componentsCount: - description: ComponentsCount is the number of components in bom. - minimum: 0 - type: integer - dependenciesCount: - description: DependenciesCount is the number of dependencies in - bom. 
- minimum: 0 - type: integer - required: - - componentsCount - - dependenciesCount - type: object - updateTimestamp: - description: UpdateTimestamp is a timestamp representing the server - time in UTC when this report was updated. - format: date-time - type: string - required: - - artifact - - components - - scanner - - summary - - updateTimestamp - type: object - required: - - report - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true - subresources: {} - ---- -# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_vulnerabilityreports.yaml ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: vulnerabilityreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: VulnerabilityReport - listKind: VulnerabilityReportList - plural: vulnerabilityreports - shortNames: - - vuln - - vulns - singular: vulnerabilityreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of image repository - jsonPath: .report.artifact.repository - name: Repository - type: string - - description: The name of image tag - jsonPath: .report.artifact.tag - name: Tag - type: string - - description: The name of the vulnerability scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of critical vulnerabilities - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of high vulnerabilities - jsonPath: .report.summary.highCount - name: High - priority: 1 - type: integer - - description: The number of medium vulnerabilities - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of low vulnerabilities - jsonPath: 
.report.summary.lowCount - name: Low - priority: 1 - type: integer - - description: The number of unknown vulnerabilities - jsonPath: .report.summary.unknownCount - name: Unknown - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - VulnerabilityReport summarizes vulnerabilities in application dependencies and operating system packages - built into container images. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - report: - description: Report is the actual vulnerability report data. - properties: - artifact: - description: |- - Artifact represents a standalone, executable package of software that includes everything needed to - run an application. - properties: - digest: - description: Digest is a unique and immutable identifier of an - Artifact. - type: string - mimeType: - description: MimeType represents a type and format of an Artifact. - type: string - repository: - description: Repository is the name of the repository in the Artifact - registry. - type: string - tag: - description: Tag is a mutable, human-readable string used to identify - an Artifact. 
- type: string - type: object - os: - description: OS information of the artifact - properties: - eosl: - description: Eosl is true if OS version has reached end of service - life - type: boolean - family: - description: Operating System Family - type: string - name: - description: Name or version of the OS - type: string - type: object - registry: - description: Registry is the registry the Artifact was pulled from. - properties: - server: - description: Server the FQDN of registry server. - type: string - type: object - scanner: - description: Scanner is the scanner that generated this report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: Summary is a summary of Vulnerability counts grouped - by Severity. - properties: - criticalCount: - description: CriticalCount is the number of vulnerabilities with - Critical Severity. - minimum: 0 - type: integer - highCount: - description: HighCount is the number of vulnerabilities with High - Severity. - minimum: 0 - type: integer - lowCount: - description: LowCount is the number of vulnerabilities with Low - Severity. - minimum: 0 - type: integer - mediumCount: - description: MediumCount is the number of vulnerabilities with - Medium Severity. - minimum: 0 - type: integer - noneCount: - description: NoneCount is the number of packages without any vulnerability. - minimum: 0 - type: integer - unknownCount: - description: UnknownCount is the number of vulnerabilities with - unknown severity. 
- minimum: 0 - type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - - unknownCount - type: object - updateTimestamp: - description: UpdateTimestamp is a timestamp representing the server - time in UTC when this report was updated. - format: date-time - type: string - vulnerabilities: - description: Vulnerabilities is a list of operating system (OS) or - application software Vulnerability items found in the Artifact. - items: - description: Vulnerability is the spec for a vulnerability record. - properties: - class: - type: string - cvss: - additionalProperties: - properties: - V2Score: - type: number - V2Vector: - type: string - V3Score: - type: number - V3Vector: - type: string - V40Score: - type: number - V40Vector: - type: string - type: object - type: object - cvsssource: - type: string - description: - type: string - fixedVersion: - description: FixedVersion indicates the version of the Resource - in which this vulnerability has been fixed. - type: string - installedVersion: - description: InstalledVersion indicates the installed version - of the Resource. - type: string - lastModifiedDate: - description: LastModifiedDate indicates the last date CVE has - been modified. - type: string - links: - items: - type: string - type: array - packagePURL: - type: string - packagePath: - type: string - packageType: - type: string - primaryLink: - type: string - publishedDate: - description: PublishedDate indicates the date of published CVE. - type: string - resource: - description: Resource is a vulnerable package, application, - or library. - type: string - score: - type: number - severity: - description: Severity level of a vulnerability or a configuration - audit check. - enum: - - CRITICAL - - HIGH - - MEDIUM - - LOW - - UNKNOWN - type: string - target: - type: string - title: - type: string - vulnerabilityID: - description: VulnerabilityID the vulnerability identifier. 
- type: string - required: - - fixedVersion - - installedVersion - - lastModifiedDate - - publishedDate - - resource - - severity - - title - - vulnerabilityID - type: object - type: array - required: - - artifact - - os - - scanner - - summary - - updateTimestamp - - vulnerabilities - type: object - required: - - report - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true - subresources: {} - ---- -# Source: trivy/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: trivy - labels: - app.kubernetes.io/name: trivy - app.kubernetes.io/instance: trivy - app.kubernetes.io/part-of: trivy - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged ---- -# Source: trivy/charts/trivy-operator/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: trivy-trivy-operator - namespace: trivy - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: trivy/charts/trivy-operator/templates/secrets/operator.yaml -apiVersion: v1 -kind: Secret -metadata: - name: trivy-operator - namespace: trivy - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm -data: ---- -# Source: trivy/charts/trivy-operator/templates/secrets/trivy.yaml -apiVersion: v1 -kind: Secret -metadata: - name: trivy-operator-trivy-config - namespace: trivy - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm -data: ---- -# Source: trivy/charts/trivy-operator/templates/configmaps/operator.yaml 
-apiVersion: v1 -kind: ConfigMap -metadata: - name: trivy-operator - namespace: trivy - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm -data: - nodeCollector.tolerations: "[{\"effect\":\"NoSchedule\",\"key\":\"node-role.kubernetes.io/control-plane\",\"operator\":\"Exists\"}]" - nodeCollector.volumes: "[{\"hostPath\":{\"path\":\"/var/lib/etcd\"},\"name\":\"var-lib-etcd\"},{\"hostPath\":{\"path\":\"/var/lib/kubelet\"},\"name\":\"var-lib-kubelet\"},{\"hostPath\":{\"path\":\"/var/lib/kube-scheduler\"},\"name\":\"var-lib-kube-scheduler\"},{\"hostPath\":{\"path\":\"/var/lib/kube-controller-manager\"},\"name\":\"var-lib-kube-controller-manager\"},{\"hostPath\":{\"path\":\"/etc/kubernetes\"},\"name\":\"etc-kubernetes\"},{\"hostPath\":{\"path\":\"/etc/cni/net.d/\"},\"name\":\"etc-cni-netd\"}]" - nodeCollector.volumeMounts: "[{\"mountPath\":\"/var/lib/etcd\",\"name\":\"var-lib-etcd\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kubelet\",\"name\":\"var-lib-kubelet\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kube-scheduler\",\"name\":\"var-lib-kube-scheduler\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kube-controller-manager\",\"name\":\"var-lib-kube-controller-manager\",\"readOnly\":true},{\"mountPath\":\"/etc/kubernetes\",\"name\":\"etc-kubernetes\",\"readOnly\":true},{\"mountPath\":\"/etc/cni/net.d/\",\"name\":\"etc-cni-netd\",\"readOnly\":true}]" - scanJob.useGCRServiceAccount: "true" - scanJob.podTemplateContainerSecurityContext: "{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"readOnlyRootFilesystem\":true}" - scanJob.compressLogs: "true" - vulnerabilityReports.scanner: "Trivy" - vulnerabilityReports.scanJobsInSameNamespace: "false" - configAuditReports.scanner: "Trivy" - report.recordFailedChecksOnly: "true" - node.collector.imageRef: 
"ghcr.io/aquasecurity/node-collector:0.3.1" - policies.bundle.oci.ref: "mirror.gcr.io/aquasec/trivy-checks:1" - policies.bundle.insecure: "false" - - node.collector.nodeSelector: "true" ---- -# Source: trivy/charts/trivy-operator/templates/configmaps/trivy-operator-config.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: trivy-operator-config - namespace: trivy - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm -data: - OPERATOR_LOG_DEV_MODE: "false" - OPERATOR_SCAN_JOB_TTL: "" - OPERATOR_SCAN_JOB_TIMEOUT: "5m" - OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT: "10" - OPERATOR_CONCURRENT_NODE_COLLECTOR_LIMIT: "1" - OPERATOR_SCAN_JOB_RETRY_AFTER: "30s" - OPERATOR_BATCH_DELETE_LIMIT: "10" - OPERATOR_BATCH_DELETE_DELAY: "10s" - OPERATOR_METRICS_BIND_ADDRESS: ":8080" - OPERATOR_METRICS_FINDINGS_ENABLED: "true" - OPERATOR_METRICS_VULN_ID_ENABLED: "false" - OPERATOR_HEALTH_PROBE_BIND_ADDRESS: ":9090" - OPERATOR_PPROF_BIND_ADDRESS: "" - OPERATOR_VULNERABILITY_SCANNER_ENABLED: "false" - OPERATOR_SBOM_GENERATION_ENABLED: "false" - OPERATOR_CLUSTER_SBOM_CACHE_ENABLED: "false" - OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: "true" - OPERATOR_SCANNER_REPORT_TTL: "24h" - OPERATOR_CACHE_REPORT_TTL: "120h" - CONTROLLER_CACHE_SYNC_TIMEOUT: "5m" - OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED: "true" - OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED: "true" - OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED: "false" - OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: "true" - OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED: "true" - OPERATOR_METRICS_EXPOSED_SECRET_INFO_ENABLED: "false" - OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED: "false" - OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED: "false" - OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED: "false" - OPERATOR_METRICS_IMAGE_INFO_ENABLED: "false" - 
OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED: "false" - OPERATOR_WEBHOOK_BROADCAST_URL: "" - OPERATOR_WEBHOOK_BROADCAST_TIMEOUT: "30s" - OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS: "" - OPERATOR_SEND_DELETED_REPORTS: "false" - OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES: "{}" - OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS: "true" - OPERATOR_BUILT_IN_TRIVY_SERVER: "false" - TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION: "10h" - OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT: "false" - OPERATOR_CLUSTER_COMPLIANCE_ENABLED: "false" ---- -# Source: trivy/charts/trivy-operator/templates/configmaps/trivy.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: trivy-operator-trivy-config - namespace: trivy - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm -data: - trivy.repository: "mirror.gcr.io/aquasec/trivy" - trivy.tag: "0.68.1" - trivy.imagePullPolicy: "IfNotPresent" - trivy.additionalVulnerabilityReportFields: "" - trivy.registry.mirror.gcr.io: "proxy-gcr.io" - trivy.registry.mirror.ghcr.io: "proxy-ghcr.io" - trivy.registry.mirror.hub.docker: "proxy-hub.docker" - trivy.registry.mirror.quay.io: "proxy-quay.io" - trivy.registry.mirror.registry-1.docker.io: "proxy-registry-1.docker.io" - trivy.registry.mirror.registry.k8s.io: "proxy-registry.k8s" - trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" - trivy.slow: "true" - trivy.skipJavaDBUpdate: "false" - trivy.includeDevDeps: "false" - trivy.imageScanCacheDir: "/tmp/trivy/.cache" - trivy.filesystemScanCacheDir: "/var/trivyoperator/trivy-db" - trivy.dbRepository: "mirror.gcr.io/aquasec/trivy-db" - trivy.javaDbRepository: "mirror.gcr.io/aquasec/trivy-java-db" - trivy.command: "image" - trivy.sbomSources: "" - trivy.dbRepositoryInsecure: "false" - trivy.useBuiltinRegoPolicies: "false" - trivy.useEmbeddedRegoPolicies: "true" - trivy.supportedConfigAuditKinds: 
"Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota" - trivy.timeout: "5m0s" - trivy.mode: "Standalone" - trivy.resources.requests.cpu: "100m" - trivy.resources.requests.memory: "128M" - trivy.resources.limits.cpu: "500m" - trivy.resources.limits.memory: "500M" ---- -# Source: trivy/charts/trivy-operator/templates/rbac/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: trivy-operator -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - limitranges - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods/log - verbs: - - get - - list -- apiGroups: - - "" - resources: - - replicationcontrollers - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - resourcequotas - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch -- apiGroups: - - apps - resources: - - daemonsets - verbs: - - get - - list - - watch -- apiGroups: - - apps - resources: - - deployments - verbs: - - get - - list - - watch -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get - - list - - watch -- apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch -- apiGroups: - - apps.openshift.io - resources: - - deploymentconfigs - verbs: - - get - - list - - watch -- apiGroups: - - aquasecurity.github.io - resources: - - clustercompliancedetailreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - aquasecurity.github.io - 
resources: - - clustercompliancereports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - aquasecurity.github.io - resources: - - clustercompliancereports/status - verbs: - - get - - patch - - update -- apiGroups: - - aquasecurity.github.io - resources: - - clusterconfigauditreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - aquasecurity.github.io - resources: - - clusterinfraassessmentreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - aquasecurity.github.io - resources: - - clusterrbacassessmentreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - aquasecurity.github.io - resources: - - clustersbomreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - aquasecurity.github.io - resources: - - clustervulnerabilityreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - aquasecurity.github.io - resources: - - configauditreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - aquasecurity.github.io - resources: - - exposedsecretreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - aquasecurity.github.io - resources: - - infraassessmentreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - aquasecurity.github.io - resources: - - rbacassessmentreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - aquasecurity.github.io - resources: - - sbomreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - aquasecurity.github.io - resources: - - vulnerabilityreports - verbs: - - create - - delete - - get - - list - - patch - - update - - 
watch -- apiGroups: - - batch - resources: - - cronjobs - verbs: - - get - - list - - watch -- apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - verbs: - - get - - list - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - get - - list - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - verbs: - - get - - list - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - update -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get -- apiGroups: - - "" - resources: - - nodes/proxy - verbs: - - get ---- -# Source: trivy/charts/trivy-operator/templates/rbac/view-configauditreports-clusterrole.yaml -# permissions for end users to view configauditreports -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: aggregate-config-audit-reports-view - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" -rules: - - apiGroups: - - aquasecurity.github.io - resources: - - configauditreports - verbs: - - get - - list - - watch ---- -# Source: trivy/charts/trivy-operator/templates/rbac/view-exposedsecretreports-clusterrole.yaml -# 
permissions for end users to view exposedsecretreports -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: aggregate-exposed-secret-reports-view - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" -rules: - - apiGroups: - - aquasecurity.github.io - resources: - - exposedsecretreports - verbs: - - get - - list - - watch ---- -# Source: trivy/charts/trivy-operator/templates/rbac/view-vulnerabilityreports-clusterrole.yaml -# permissions for end users to view vulnerabilityreports -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: aggregate-vulnerability-reports-view - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" -rules: - - apiGroups: - - aquasecurity.github.io - resources: - - vulnerabilityreports - verbs: - - get - - list - - watch ---- -# Source: trivy/charts/trivy-operator/templates/rbac/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: trivy-trivy-operator - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - 
kind: ClusterRole - name: trivy-operator -subjects: - - kind: ServiceAccount - name: trivy-trivy-operator - namespace: trivy ---- -# Source: trivy/charts/trivy-operator/templates/rbac/leader-election-role.yaml -# permissions to do leader election. -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: trivy-trivy-operator-leader-election - namespace: trivy - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - update - - apiGroups: - - "" - resources: - - events - verbs: - - create ---- -# Source: trivy/charts/trivy-operator/templates/rbac/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: trivy-trivy-operator - namespace: trivy - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - get - - list - - watch - - apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - delete - - update ---- -# Source: trivy/charts/trivy-operator/templates/rbac/leader-election-rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: trivy-trivy-operator-leader-election - namespace: trivy - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: trivy-trivy-operator-leader-election -subjects: - - kind: ServiceAccount - name: trivy-trivy-operator - namespace: trivy ---- -# Source: 
trivy/charts/trivy-operator/templates/rbac/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: trivy-trivy-operator - namespace: trivy - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: trivy-trivy-operator -subjects: - - kind: ServiceAccount - name: trivy-trivy-operator - namespace: trivy ---- -# Source: trivy/charts/trivy-operator/templates/monitor/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: trivy-trivy-operator - namespace: trivy - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm -spec: - clusterIP: None - ports: - - name: metrics - port: 80 - targetPort: metrics - protocol: TCP - appProtocol: TCP - selector: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - type: ClusterIP ---- -# Source: trivy/charts/trivy-operator/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: trivy-trivy-operator - namespace: trivy - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - template: - metadata: - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - spec: - serviceAccountName: trivy-trivy-operator - automountServiceAccountToken: true - containers: - - name: "trivy-operator" - image: "mirror.gcr.io/aquasec/trivy-operator:0.29.0" - imagePullPolicy: IfNotPresent - 
env: - - name: OPERATOR_NAMESPACE - value: trivy - - name: OPERATOR_TARGET_NAMESPACES - value: "" - - name: OPERATOR_EXCLUDE_NAMESPACES - value: "" - - name: OPERATOR_TARGET_WORKLOADS - value: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job" - - name: OPERATOR_SERVICE_ACCOUNT - value: "trivy-trivy-operator" - envFrom: - - configMapRef: - name: trivy-operator-config - ports: - - name: metrics - containerPort: 8080 - - name: probes - containerPort: 9090 - readinessProbe: - httpGet: - path: /readyz/ - port: probes - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - livenessProbe: - httpGet: - path: /healthz/ - port: probes - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 10 - resources: - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /tmp - name: cache-policies - readOnly: false - volumes: - - emptyDir: {} - name: cache-policies ---- -# Source: trivy/charts/trivy-operator/templates/specs/k8s-cis-1.23.yaml -apiVersion: aquasecurity.github.io/v1alpha1 -kind: ClusterComplianceReport -metadata: - name: k8s-cis-1.23 - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.29.0 - app.kubernetes.io/managed-by: kubectl -spec: - cron: "0 5 * * *" - reportType: "summary" - compliance: - id: k8s-cis-1.23 - title: CIS Kubernetes Benchmarks v1.23 - description: CIS Kubernetes Benchmarks - platform: k8s - type: cis - relatedResources: - - https://www.cisecurity.org/benchmark/kubernetes - version: "1.23" - controls: - - id: 1.1.1 - name: Ensure that the API server pod specification file permissions are set to - 600 or more restrictive - description: Ensure that the API server pod specification file has permissions - of 600 or more restrictive - checks: - - 
id: AVD-KCV-0048 - commands: - - id: CMD-0001 - severity: HIGH - - id: 1.1.2 - name: Ensure that the API server pod specification file ownership is set to - root:root - description: Ensure that the API server pod specification file ownership is set - to root:root - checks: - - id: AVD-KCV-0049 - commands: - - id: CMD-0002 - severity: HIGH - - id: 1.1.3 - name: Ensure that the controller manager pod specification file permissions are - set to 600 or more restrictive - description: Ensure that the controller manager pod specification file has - permissions of 600 or more restrictive - checks: - - id: AVD-KCV-0050 - commands: - - id: CMD-0003 - severity: HIGH - - id: 1.1.4 - name: Ensure that the controller manager pod specification file ownership is set - to root:root - description: Ensure that the controller manager pod specification file ownership - is set to root:root - checks: - - id: AVD-KCV-0051 - commands: - - id: CMD-0004 - severity: HIGH - - id: 1.1.5 - name: Ensure that the scheduler pod specification file permissions are set to - 600 or more restrictive - description: Ensure that the scheduler pod specification file has permissions of - 600 or more restrictive - checks: - - id: AVD-KCV-0052 - commands: - - id: CMD-0005 - severity: HIGH - - id: 1.1.6 - name: Ensure that the scheduler pod specification file ownership is set to - root:root - description: Ensure that the scheduler pod specification file ownership is set - to root:root - checks: - - id: AVD-KCV-0053 - commands: - - id: CMD-0006 - severity: HIGH - - id: 1.1.7 - name: Ensure that the etcd pod specification file permissions are set to 600 or - more restrictive - description: Ensure that the etcd pod specification file has permissions of 600 - or more restrictive - checks: - - id: AVD-KCV-0054 - commands: - - id: CMD-0007 - severity: HIGH - - id: 1.1.8 - name: Ensure that the etcd pod specification file ownership is set to root:root - description: Ensure that the etcd pod specification file 
ownership is set to - root:root. - checks: - - id: AVD-KCV-0055 - commands: - - id: CMD-0008 - severity: HIGH - - id: 1.1.9 - name: Ensure that the Container Network Interface file permissions are set to - 600 or more restrictive - description: Ensure that the Container Network Interface files have permissions - of 600 or more restrictive - checks: - - id: AVD-KCV-0056 - commands: - - id: CMD-0009 - severity: HIGH - - id: 1.1.10 - name: Ensure that the Container Network Interface file ownership is set to - root:root - description: Ensure that the Container Network Interface files have ownership - set to root:root - checks: - - id: AVD-KCV-0057 - commands: - - id: CMD-0010 - severity: HIGH - - id: 1.1.11 - name: Ensure that the etcd data directory permissions are set to 700 or more - restrictive - description: Ensure that the etcd data directory has permissions of 700 or more - restrictive - checks: - - id: AVD-KCV-0058 - commands: - - id: CMD-0011 - severity: HIGH - - id: 1.1.12 - name: Ensure that the etcd data directory ownership is set to etcd:etcd - description: Ensure that the etcd data directory ownership is set to etcd:etcd - checks: - - id: AVD-KCV-0059 - commands: - - id: CMD-0012 - severity: LOW - - id: 1.1.13 - name: Ensure that the admin.conf file permissions are set to 600 - description: Ensure that the admin.conf file has permissions of 600 - checks: - - id: AVD-KCV-0060 - commands: - - id: CMD-0013 - severity: CRITICAL - - id: 1.1.14 - name: Ensure that the admin.conf file ownership is set to root:root - description: Ensure that the admin.conf file ownership is set to root:root - checks: - - id: AVD-KCV-0061 - commands: - - id: CMD-0014 - severity: CRITICAL - - id: 1.1.15 - name: Ensure that the scheduler.conf file permissions are set to 600 or more - restrictive - description: Ensure that the scheduler.conf file has permissions of 600 or more - restrictive - checks: - - id: AVD-KCV-0062 - commands: - - id: CMD-0015 - severity: HIGH - - id: 1.1.16 - 
name: Ensure that the scheduler.conf file ownership is set to root:root - description: Ensure that the scheduler.conf file ownership is set to root:root - checks: - - id: AVD-KCV-0063 - commands: - - id: CMD-0016 - severity: HIGH - - id: 1.1.17 - name: Ensure that the controller-manager.conf file permissions are set to 600 or - more restrictive - description: Ensure that the controller-manager.conf file has permissions of 600 - or more restrictive - checks: - - id: AVD-KCV-0064 - commands: - - id: CMD-0017 - severity: HIGH - - id: 1.1.18 - name: Ensure that the controller-manager.conf file ownership is set to root:root - description: Ensure that the controller-manager.conf file ownership is set to - root:root. - checks: - - id: AVD-KCV-0065 - commands: - - id: CMD-0018 - severity: HIGH - - id: 1.1.19 - name: Ensure that the Kubernetes PKI directory and file ownership is set to - root:root - description: Ensure that the Kubernetes PKI directory and file ownership is set - to root:root - checks: - - id: AVD-KCV-0066 - commands: - - id: CMD-0019 - severity: CRITICAL - - id: 1.1.20 - name: Ensure that the Kubernetes PKI certificate file permissions are set to 600 - or more restrictive - description: Ensure that Kubernetes PKI certificate files have permissions of - 600 or more restrictive - checks: - - id: AVD-KCV-0068 - commands: - - id: CMD-0020 - severity: CRITICAL - - id: 1.1.21 - name: Ensure that the Kubernetes PKI key file permissions are set to 600 - description: Ensure that Kubernetes PKI key files have permissions of 600 - checks: - - id: AVD-KCV-0067 - commands: - - id: CMD-0021 - severity: CRITICAL - - id: 1.2.1 - name: Ensure that the --anonymous-auth argument is set to false - description: Disable anonymous requests to the API server - checks: - - id: AVD-KCV-0001 - severity: MEDIUM - - id: 1.2.2 - name: Ensure that the --token-auth-file parameter is not set - description: Do not use token based authentication - checks: - - id: AVD-KCV-0002 - severity: 
LOW - - id: 1.2.3 - name: Ensure that the --DenyServiceExternalIPs is not set - description: This admission controller rejects all net-new usage of the Service - field externalIPs - checks: - - id: AVD-KCV-0003 - severity: LOW - - id: 1.2.4 - name: Ensure that the --kubelet-https argument is set to true - description: Use https for kubelet connections - checks: - - id: AVD-KCV-0004 - severity: LOW - - id: 1.2.5 - name: Ensure that the --kubelet-client-certificate and --kubelet-client-key - arguments are set as appropriate - description: Enable certificate based kubelet authentication - checks: - - id: AVD-KCV-0005 - severity: HIGH - - id: 1.2.6 - name: Ensure that the --kubelet-certificate-authority argument is set as - appropriate - description: Verify kubelets certificate before establishing connection - checks: - - id: AVD-KCV-0006 - severity: HIGH - - id: 1.2.7 - name: Ensure that the --authorization-mode argument is not set to AlwaysAllow - description: Do not always authorize all requests - checks: - - id: AVD-KCV-0007 - severity: LOW - - id: 1.2.8 - name: Ensure that the --authorization-mode argument includes Node - description: Restrict kubelet nodes to reading only objects associated with them - checks: - - id: AVD-KCV-0008 - severity: HIGH - - id: 1.2.9 - name: Ensure that the --authorization-mode argument includes RBAC - description: Turn on Role Based Access Control - checks: - - id: AVD-KCV-0009 - severity: HIGH - - id: 1.2.10 - name: Ensure that the admission control plugin EventRateLimit is set - description: Limit the rate at which the API server accepts requests - checks: - - id: AVD-KCV-0010 - severity: HIGH - - id: 1.2.11 - name: Ensure that the admission control plugin AlwaysAdmit is not set - description: Do not allow all requests - checks: - - id: AVD-KCV-0011 - severity: LOW - - id: 1.2.12 - name: Ensure that the admission control plugin AlwaysPullImages is set - description: Always pull images - checks: - - id: AVD-KCV-0012 - severity: 
MEDIUM - - id: 1.2.13 - name: Ensure that the admission control plugin SecurityContextDeny is set if - PodSecurityPolicy is not used - description: The SecurityContextDeny admission controller can be used to deny - pods which make use of some SecurityContext fields which could allow for - privilege escalation in the cluster. This should be used where - PodSecurityPolicy is not in place within the cluster - checks: - - id: AVD-KCV-0013 - severity: MEDIUM - - id: 1.2.14 - name: Ensure that the admission control plugin ServiceAccount is set - description: Automate service accounts management - checks: - - id: AVD-KCV-0014 - severity: LOW - - id: 1.2.15 - name: Ensure that the admission control plugin NamespaceLifecycle is set - description: Reject creating objects in a namespace that is undergoing termination - checks: - - id: AVD-KCV-0015 - severity: LOW - - id: 1.2.16 - name: Ensure that the admission control plugin NodeRestriction is set - description: Limit the Node and Pod objects that a kubelet could modify - checks: - - id: AVD-KCV-0016 - severity: LOW - - id: 1.2.17 - name: Ensure that the --secure-port argument is not set to 0 - description: Do not disable the secure port - checks: - - id: AVD-KCV-0017 - severity: HIGH - - id: 1.2.18 - name: Ensure that the --profiling argument is set to false - description: Disable profiling, if not needed - checks: - - id: AVD-KCV-0018 - severity: LOW - - id: 1.2.19 - name: Ensure that the --audit-log-path argument is set - description: Enable auditing on the Kubernetes API Server and set the desired - audit log path. 
- checks: - - id: AVD-KCV-0019 - severity: LOW - - id: 1.2.20 - name: Ensure that the --audit-log-maxage argument is set to 30 or as appropriate - description: Retain the logs for at least 30 days or as appropriate - checks: - - id: AVD-KCV-0020 - severity: LOW - - id: 1.2.21 - name: Ensure that the --audit-log-maxbackup argument is set to 10 or as - appropriate - description: Retain 10 or an appropriate number of old log file - checks: - - id: AVD-KCV-0021 - severity: LOW - - id: 1.2.22 - name: Ensure that the --audit-log-maxsize argument is set to 100 or as - appropriate - description: Rotate log files on reaching 100 MB or as appropriate - checks: - - id: AVD-KCV-0022 - severity: LOW - - id: 1.2.24 - name: Ensure that the --service-account-lookup argument is set to true - description: Validate service account before validating token - checks: - - id: AVD-KCV-0024 - severity: LOW - - id: 1.2.25 - name: Ensure that the --service-account-key-file argument is set as appropriate - description: Explicitly set a service account public key file for service - accounts on the apiserver - checks: - - id: AVD-KCV-0025 - severity: LOW - - id: 1.2.26 - name: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as - appropriate - description: etcd should be configured to make use of TLS encryption for client - connections - checks: - - id: AVD-KCV-0026 - severity: LOW - - id: 1.2.27 - name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are - set as appropriate - description: Setup TLS connection on the API server - checks: - - id: AVD-KCV-0027 - severity: MEDIUM - - id: 1.2.28 - name: Ensure that the --client-ca-file argument is set appropriate - description: Setup TLS connection on the API server - checks: - - id: AVD-KCV-0028 - severity: LOW - - id: 1.2.29 - name: Ensure that the --etcd-cafile argument is set as appropriate - description: etcd should be configured to make use of TLS encryption for client - connections. 
- checks: - - id: AVD-KCV-0029 - severity: LOW - - id: 1.2.30 - name: Ensure that the --encryption-provider-config argument is set as - appropriate - description: Encrypt etcd key-value store - checks: - - id: AVD-KCV-0030 - severity: LOW - - id: 1.3.1 - name: Ensure that the --terminated-pod-gc-threshold argument is set as - appropriate - description: Activate garbage collector on pod termination, as appropriate - checks: - - id: AVD-KCV-0033 - severity: MEDIUM - - id: 1.3.3 - name: Ensure that the --use-service-account-credentials argument is set to true - description: Use individual service account credentials for each controller - checks: - - id: AVD-KCV-0035 - severity: MEDIUM - - id: 1.3.4 - name: Ensure that the --service-account-private-key-file argument is set as - appropriate - description: Explicitly set a service account private key file for service - accounts on the controller manager - checks: - - id: AVD-KCV-0036 - severity: MEDIUM - - id: 1.3.5 - name: Ensure that the --root-ca-file argument is set as appropriate - description: Allow pods to verify the API servers serving certificate before - establishing connections - checks: - - id: AVD-KCV-0037 - severity: MEDIUM - - id: 1.3.6 - name: Ensure that the RotateKubeletServerCertificate argument is set to true - description: Enable kubelet server certificate rotation on controller-manager - checks: - - id: AVD-KCV-0038 - severity: MEDIUM - - id: 1.3.7 - name: Ensure that the --bind-address argument is set to 127.0.0.1 - description: Do not bind the scheduler service to non-loopback insecure addresses - checks: - - id: AVD-KCV-0039 - severity: LOW - - id: 1.4.1 - name: Ensure that the --profiling argument is set to false - description: Disable profiling, if not needed - checks: - - id: AVD-KCV-0034 - severity: MEDIUM - - id: 1.4.2 - name: Ensure that the --bind-address argument is set to 127.0.0.1 - description: Do not bind the scheduler service to non-loopback insecure addresses - checks: - - id: 
AVD-KCV-0041 - severity: CRITICAL - - id: "2.1" - name: Ensure that the --cert-file and --key-file arguments are set as - appropriate - description: Configure TLS encryption for the etcd service - checks: - - id: AVD-KCV-0042 - severity: MEDIUM - - id: "2.2" - name: Ensure that the --client-cert-auth argument is set to true - description: Enable client authentication on etcd service - checks: - - id: AVD-KCV-0043 - severity: CRITICAL - - id: "2.3" - name: Ensure that the --auto-tls argument is not set to true - description: Do not use self-signed certificates for TLS - checks: - - id: AVD-KCV-0044 - severity: CRITICAL - - id: "2.4" - name: Ensure that the --peer-cert-file and --peer-key-file arguments are set as - appropriate - description: etcd should be configured to make use of TLS encryption for peer - connections. - checks: - - id: AVD-KCV-0045 - severity: CRITICAL - - id: "2.5" - name: Ensure that the --peer-client-cert-auth argument is set to true - description: etcd should be configured for peer authentication - checks: - - id: AVD-KCV-0046 - severity: CRITICAL - - id: "2.6" - name: Ensure that the --peer-auto-tls argument is not set to true - description: Do not use self-signed certificates for TLS - checks: - - id: AVD-KCV-0047 - severity: HIGH - - id: 3.1.1 - name: Client certificate authentication should not be used for users (Manual) - description: Kubernetes provides the option to use client certificates for user - authentication. However as there is no way to revoke these certificates - when a user leaves an organization or loses their credential, they are - not suitable for this purpose - severity: HIGH - - id: 3.2.1 - name: Ensure that a minimal audit policy is created (Manual) - description: Kubernetes can audit the details of requests made to the API - server. The --audit- policy-file flag must be set for this logging to be - enabled. 
- severity: HIGH - - id: 3.2.2 - name: Ensure that the audit policy covers key security concerns (Manual) - description: Ensure that the audit policy created for the cluster covers key - security concerns - severity: HIGH - - id: 4.1.1 - name: Ensure that the kubelet service file permissions are set to 600 or more - restrictive - description: Ensure that the kubelet service file has permissions of 600 or more - restrictive. - checks: - - id: AVD-KCV-0069 - commands: - - id: CMD-0022 - severity: HIGH - - id: 4.1.2 - name: Ensure that the kubelet service file ownership is set to root:root - description: Ensure that the kubelet service file ownership is set to root:root - checks: - - id: AVD-KCV-0070 - commands: - - id: CMD-0023 - severity: HIGH - - id: 4.1.3 - name: If proxy kubeconfig file exists ensure permissions are set to 600 or more - restrictive - description: If kube-proxy is running, and if it is using a file-based - kubeconfig file, ensure that the proxy kubeconfig file has permissions - of 600 or more restrictive - checks: - - id: AVD-KCV-0071 - commands: - - id: CMD-0024 - severity: HIGH - - id: 4.1.4 - name: If proxy kubeconfig file exists ensure ownership is set to root:root - description: If kube-proxy is running, ensure that the file ownership of its - kubeconfig file is set to root:root - checks: - - id: AVD-KCV-0072 - commands: - - id: CMD-0025 - severity: HIGH - - id: 4.1.5 - name: Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 - or more restrictive - description: Ensure that the kubelet.conf file has permissions of 600 or more - restrictive - checks: - - id: AVD-KCV-0073 - commands: - - id: CMD-0026 - severity: HIGH - - id: 4.1.6 - name: Ensure that the --kubeconfig kubelet.conf file ownership is set to - root:root - description: Ensure that the kubelet.conf file ownership is set to root:root - checks: - - id: AVD-KCV-0074 - commands: - - id: CMD-0027 - severity: HIGH - - id: 4.1.7 - name: Ensure that the certificate 
authorities file permissions are set to 600 or - more restrictive - description: Ensure that the certificate authorities file has permissions of 600 - or more restrictive - checks: - - id: AVD-KCV-0075 - commands: - - id: CMD-0028 - severity: CRITICAL - - id: 4.1.8 - name: Ensure that the client certificate authorities file ownership is set to - root:root - description: Ensure that the certificate authorities file ownership is set to - root:root - checks: - - id: AVD-KCV-0076 - commands: - - id: CMD-0029 - severity: CRITICAL - - id: 4.1.9 - name: If the kubelet config.yaml configuration file is being used validate - permissions set to 600 or more restrictive - description: Ensure that if the kubelet refers to a configuration file with the - --config argument, that file has permissions of 600 or more restrictive - checks: - - id: AVD-KCV-0077 - commands: - - id: CMD-0030 - severity: HIGH - - id: 4.1.10 - name: If the kubelet config.yaml configuration file is being used validate file - ownership is set to root:root - description: Ensure that if the kubelet refers to a configuration file with the - --config argument, that file is owned by root:root - checks: - - id: AVD-KCV-0078 - commands: - - id: CMD-0031 - severity: HIGH - - id: 4.2.1 - name: Ensure that the --anonymous-auth argument is set to false - description: Disable anonymous requests to the Kubelet server - checks: - - id: AVD-KCV-0079 - commands: - - id: CMD-0032 - severity: CRITICAL - - id: 4.2.2 - name: Ensure that the --authorization-mode argument is not set to AlwaysAllow - description: Do not allow all requests. 
Enable explicit authorization - checks: - - id: AVD-KCV-0080 - commands: - - id: CMD-0033 - severity: CRITICAL - - id: 4.2.3 - name: Ensure that the --client-ca-file argument is set as appropriate - description: Enable Kubelet authentication using certificates - checks: - - id: AVD-KCV-0081 - commands: - - id: CMD-0034 - severity: CRITICAL - - id: 4.2.4 - name: Verify that the --read-only-port argument is set to 0 - description: Disable the read-only port - checks: - - id: AVD-KCV-0082 - commands: - - id: CMD-0035 - severity: HIGH - - id: 4.2.5 - name: Ensure that the --streaming-connection-idle-timeout argument is not set to - 0 - description: Do not disable timeouts on streaming connections - checks: - - id: AVD-KCV-0085 - commands: - - id: CMD-0036 - severity: HIGH - - id: 4.2.6 - name: Ensure that the --protect-kernel-defaults argument is set to true - description: Protect tuned kernel parameters from overriding kubelet default - kernel parameter values - checks: - - id: AVD-KCV-0083 - commands: - - id: CMD-0037 - severity: HIGH - - id: 4.2.7 - name: Ensure that the --make-iptables-util-chains argument is set to true - description: Allow Kubelet to manage iptables - checks: - - id: AVD-KCV-0084 - commands: - - id: CMD-0038 - severity: HIGH - - id: 4.2.8 - name: Ensure that the --hostname-override argument is not set - description: Do not override node hostnames - checks: - - id: AVD-KCV-0086 - commands: - - id: CMD-0039 - severity: HIGH - - id: 4.2.9 - name: Ensure that the --event-qps argument is set to 0 or a level which ensures - appropriate event capture - description: Security relevant information should be captured. 
The --event-qps - flag on the Kubelet can be used to limit the rate at which events are - gathered - checks: - - id: AVD-KCV-0087 - commands: - - id: CMD-0040 - severity: HIGH - - id: 4.2.10 - name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are - set as appropriate - description: Setup TLS connection on the Kubelets - checks: - - id: AVD-KCV-0088 - - id: AVD-KCV-0089 - commands: - - id: CMD-0041 - - id: CMD-0042 - severity: CRITICAL - - id: 4.2.11 - name: Ensure that the --rotate-certificates argument is not set to false - description: Enable kubelet client certificate rotation - checks: - - id: AVD-KCV-0090 - commands: - - id: CMD-0043 - severity: CRITICAL - - id: 4.2.12 - name: Verify that the RotateKubeletServerCertificate argument is set to true - description: Enable kubelet server certificate rotation - checks: - - id: AVD-KCV-0091 - commands: - - id: CMD-0044 - severity: CRITICAL - - id: 4.2.13 - name: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers - description: Ensure that the Kubelet is configured to only use strong - cryptographic ciphers - checks: - - id: AVD-KCV-0092 - commands: - - id: CMD-0045 - severity: CRITICAL - - id: 5.1.1 - name: Ensure that the cluster-admin role is only used where required - description: The RBAC role cluster-admin provides wide-ranging powers over the - environment and should be used only where and when needed - checks: - - id: AVD-KSV-0111 - severity: HIGH - - id: 5.1.2 - name: Minimize access to secrets - description: The Kubernetes API stores secrets, which may be service account - tokens for the Kubernetes API or credentials used by workloads in the - cluster - checks: - - id: AVD-KSV-0041 - severity: HIGH - - id: 5.1.3 - name: Minimize wildcard use in Roles and ClusterRoles - description: Kubernetes Roles and ClusterRoles provide access to resources based - on sets of objects and actions that can be taken on those objects. 
It is - possible to set either of these to be the wildcard "*" which matches all - items - checks: - - id: AVD-KSV-0044 - - id: AVD-KSV-0045 - - id: AVD-KSV-0046 - severity: HIGH - - id: 5.1.6 - name: Ensure that Service Account Tokens are only mounted where necessary - description: Service accounts tokens should not be mounted in pods except where - the workload running in the pod explicitly needs to communicate with the - API server - checks: - - id: AVD-KSV-0036 - severity: HIGH - - id: 5.1.8 - name: Limit use of the Bind, Impersonate and Escalate permissions in the - Kubernetes cluster - description: Cluster roles and roles with the impersonate, bind or escalate - permissions should not be granted unless strictly required - checks: - - id: AVD-KSV-0043 - severity: HIGH - - id: 5.2.2 - name: Minimize the admission of privileged containers - description: Do not generally permit containers to be run with the - securityContext.privileged flag set to true - checks: - - id: AVD-KSV-0017 - severity: HIGH - - id: 5.2.3 - name: Minimize the admission of containers wishing to share the host process ID - namespace - description: Do not generally permit containers to be run with the hostPID flag - set to true. 
- checks: - - id: AVD-KSV-0010 - severity: HIGH - - id: 5.2.4 - name: Minimize the admission of containers wishing to share the host IPC - namespace - description: Do not generally permit containers to be run with the hostIPC flag - set to true - checks: - - id: AVD-KSV-0008 - severity: HIGH - - id: 5.2.5 - name: Minimize the admission of containers wishing to share the host network - namespace - description: Do not generally permit containers to be run with the hostNetwork - flag set to true - checks: - - id: AVD-KSV-0009 - severity: HIGH - - id: 5.2.6 - name: Minimize the admission of containers with allowPrivilegeEscalation - description: Do not generally permit containers to be run with the - allowPrivilegeEscalation flag set to true - checks: - - id: AVD-KSV-0001 - severity: HIGH - - id: 5.2.7 - name: Minimize the admission of root containers - description: Do not generally permit containers to be run as the root user - checks: - - id: AVD-KSV-0012 - severity: MEDIUM - - id: 5.2.8 - name: Minimize the admission of containers with the NET_RAW capability - description: Do not generally permit containers with the potentially dangerous - NET_RAW capability - checks: - - id: AVD-KSV-0022 - severity: MEDIUM - - id: 5.2.9 - name: Minimize the admission of containers with added capabilities - description: Do not generally permit containers with capabilities assigned - beyond the default set - checks: - - id: AVD-KSV-0004 - severity: LOW - - id: 5.2.10 - name: Minimize the admission of containers with capabilities assigned - description: Do not generally permit containers with capabilities - checks: - - id: AVD-KSV-0003 - severity: LOW - - id: 5.2.11 - name: Minimize the admission of containers with capabilities assigned - description: Do not generally permit containers with capabilities - checks: - - id: AVD-KSV-0103 - severity: MEDIUM - - id: 5.2.12 - name: Minimize the admission of HostPath volumes - description: Do not generally admit containers which make use of 
hostPath volumes - checks: - - id: AVD-KSV-0023 - severity: MEDIUM - - id: 5.2.13 - name: Minimize the admission of containers which use HostPorts - description: Do not generally permit containers which require the use of HostPorts - checks: - - id: AVD-KSV-0024 - severity: MEDIUM - - id: 5.3.1 - name: Ensure that the CNI in use supports Network Policies (Manual) - description: There are a variety of CNI plugins available for Kubernetes. If the - CNI in use does not support Network Policies it may not be possible to - effectively restrict traffic in the cluster - severity: MEDIUM - - id: 5.3.2 - name: Ensure that all Namespaces have Network Policies defined - description: Use network policies to isolate traffic in your cluster network - checks: - - id: AVD-KSV-0038 - severity: MEDIUM - - id: 5.4.1 - name: Prefer using secrets as files over secrets as environment variables - (Manual) - description: Kubernetes supports mounting secrets as data volumes or as - environment variables. Minimize the use of environment variable secrets - severity: MEDIUM - - id: 5.4.2 - name: Consider external secret storage (Manual) - description: Consider the use of an external secrets storage and management - system, instead of using Kubernetes Secrets directly, if you have more - complex secret management needs - severity: MEDIUM - - id: 5.5.1 - name: Configure Image Provenance using ImagePolicyWebhook admission controller - (Manual) - description: Configure Image Provenance for your deployment - severity: MEDIUM - - id: 5.7.1 - name: Create administrative boundaries between resources using namespaces - (Manual) - description: Use namespaces to isolate your Kubernetes objects - severity: MEDIUM - - id: 5.7.2 - name: Ensure that the seccomp profile is set to docker/default in your pod - definitions - description: Enable docker/default seccomp profile in your pod definitions - checks: - - id: AVD-KSV-0104 - severity: MEDIUM - - id: 5.7.3 - name: Apply Security Context to Your Pods and 
Containers - description: Apply Security Context to Your Pods and Containers - checks: - - id: AVD-KSV-0021 - - id: AVD-KSV-0020 - - id: AVD-KSV-0005 - - id: AVD-KSV-0025 - - id: AVD-KSV-0104 - - id: AVD-KSV-0030 - severity: HIGH - - id: 5.7.4 - name: The default namespace should not be used - description: Kubernetes provides a default namespace, where objects are placed - if no namespace is specified for them - checks: - - id: AVD-KSV-0110 - severity: MEDIUM ---- -# Source: trivy/charts/trivy-operator/templates/specs/k8s-nsa-1.0.yaml -apiVersion: aquasecurity.github.io/v1alpha1 -kind: ClusterComplianceReport -metadata: - name: k8s-nsa-1.0 - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.29.0 - app.kubernetes.io/managed-by: kubectl -spec: - cron: "0 5 * * *" - reportType: "summary" - compliance: - id: k8s-nsa-1.0 - platform: k8s - type: nsa - title: National Security Agency - Kubernetes Hardening Guidance v1.0 - description: National Security Agency - Kubernetes Hardening Guidance - relatedResources: - - https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/ - version: "1.0" - controls: - - name: Non-root containers - description: Check that container is not running as root - id: "1.0" - checks: - - id: AVD-KSV-0012 - severity: MEDIUM - - name: Immutable container file systems - description: Check that container root file system is immutable - id: "1.1" - checks: - - id: AVD-KSV-0014 - severity: LOW - - name: Preventing privileged containers - description: Controls whether Pods can run privileged containers - id: "1.2" - checks: - - id: AVD-KSV-0017 - severity: HIGH - - name: Share containers process namespaces - description: Controls whether containers can share process namespaces - id: "1.3" - checks: - - id: AVD-KSV-0008 - severity: HIGH - - name: Share host process namespaces - description: Controls whether share host 
process namespaces - id: "1.4" - checks: - - id: AVD-KSV-0009 - severity: HIGH - - name: Use the host network - description: Controls whether containers can use the host network - id: "1.5" - checks: - - id: AVD-KSV-0010 - severity: HIGH - - name: Run with root privileges or with root group membership - description: Controls whether container applications can run with root - privileges or with root group membership - id: "1.6" - checks: - - id: AVD-KSV-0029 - severity: LOW - - name: Restricts escalation to root privileges - description: Control check restrictions escalation to root privileges - id: "1.7" - checks: - - id: AVD-KSV-0001 - severity: MEDIUM - - name: Sets the SELinux context of the container - description: Control checks if pod sets the SELinux context of the container - id: "1.8" - checks: - - id: AVD-KSV-0002 - severity: MEDIUM - - name: Restrict a container's access to resources with AppArmor - description: Control checks the restriction of containers access to resources - with AppArmor - id: "1.9" - checks: - - id: AVD-KSV-0030 - severity: MEDIUM - - name: Sets the seccomp profile used to sandbox containers. 
- description: Control checks the sets the seccomp profile used to sandbox containers - id: "1.10" - checks: - - id: AVD-KSV-0030 - severity: LOW - - name: Protecting Pod service account tokens - description: "Control check whether disable secret token been mount - ,automountServiceAccountToken: false" - id: "1.11" - checks: - - id: AVD-KSV-0036 - severity: MEDIUM - - name: Namespace kube-system should not be used by users - description: Control check whether Namespace kube-system is not be used by users - id: "1.12" - defaultStatus: FAIL - checks: - - id: AVD-KSV-0037 - severity: MEDIUM - - name: Pod and/or namespace Selectors usage - description: Control check validate the pod and/or namespace Selectors usage - id: "2.0" - defaultStatus: FAIL - checks: - - id: AVD-KSV-0038 - severity: MEDIUM - - name: Use CNI plugin that supports NetworkPolicy API (Manual) - description: Control check whether check cni plugin installed - id: "3.0" - defaultStatus: FAIL - severity: CRITICAL - - name: Use ResourceQuota policies to limit resources - description: Control check the use of ResourceQuota policy to limit aggregate - resource usage within namespace - id: "4.0" - defaultStatus: FAIL - checks: - - id: AVD-KSV-0040 - severity: MEDIUM - - name: Use LimitRange policies to limit resources - description: Control check the use of LimitRange policy limit resource usage for - namespaces or nodes - id: "4.1" - defaultStatus: FAIL - checks: - - id: AVD-KSV-0039 - severity: MEDIUM - - name: Control plan disable insecure port (Manual) - description: Control check whether control plan disable insecure port - id: "5.0" - defaultStatus: FAIL - severity: CRITICAL - - name: Encrypt etcd communication - description: Control check whether etcd communication is encrypted - id: "5.1" - checks: - - id: AVD-KCV-0030 - severity: CRITICAL - - name: Ensure kube config file permission (Manual) - description: Control check whether kube config file permissions - id: "6.0" - defaultStatus: FAIL - 
severity: CRITICAL - - name: Check that encryption resource has been set - description: Control checks whether encryption resource has been set - id: "6.1" - checks: - - id: AVD-KCV-0029 - severity: CRITICAL - - name: Check encryption provider - description: Control checks whether encryption provider has been set - id: "6.2" - checks: - - id: AVD-KCV-0004 - severity: CRITICAL - - name: Make sure anonymous-auth is unset - description: Control checks whether anonymous-auth is unset - id: "7.0" - checks: - - id: AVD-KCV-0001 - severity: CRITICAL - - name: Make sure -authorization-mode=RBAC - description: Control check whether RBAC permission is in use - id: "7.1" - checks: - - id: AVD-KCV-0008 - severity: CRITICAL - - name: Audit policy is configure (Manual) - description: Control check whether audit policy is configure - id: "8.0" - defaultStatus: FAIL - severity: HIGH - - name: Audit log path is configure - description: Control check whether audit log path is configure - id: "8.1" - checks: - - id: AVD-KCV-0019 - severity: MEDIUM - - name: Audit log aging - description: Control check whether audit log aging is configure - id: "8.2" - checks: - - id: AVD-KCV-0020 - severity: MEDIUM ---- -# Source: trivy/charts/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml -apiVersion: aquasecurity.github.io/v1alpha1 -kind: ClusterComplianceReport -metadata: - name: k8s-pss-baseline-0.1 - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.29.0 - app.kubernetes.io/managed-by: kubectl -spec: - cron: "0 5 * * *" - reportType: "summary" - compliance: - id: k8s-pss-baseline-0.1 - platform: eks - type: pss-baseline - title: Kubernetes Pod Security Standards - Baseline - description: Kubernetes Pod Security Standards - Baseline - relatedResources: - - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline - version: "0.1" - controls: - - name: HostProcess - description: Windows pods 
offer the ability to run HostProcess containers which - enables privileged access to the Windows node. Privileged access to - the host is disallowed in the baseline policy - id: "1" - checks: - - id: AVD-KSV-0103 - severity: HIGH - - name: Host Namespaces - description: Sharing the host namespaces must be disallowed. - id: "2" - checks: - - id: AVD-KSV-0008 - severity: HIGH - - name: Privileged Containers - description: Privileged Pods disable most security mechanisms and must be - disallowed. - id: "3" - checks: - - id: AVD-KSV-0017 - severity: HIGH - - name: Capabilities - description: Adding additional capabilities beyond those listed below must be - disallowed. - id: "4" - checks: - - id: AVD-KSV-0022 - severity: MEDIUM - - name: HostPath Volumes - description: HostPath volumes must be forbidden. - id: "5" - checks: - - id: AVD-KSV-0023 - severity: MEDIUM - - name: host ports - description: hostports should be disallowed, or at minimum restricted to a known - list. - id: "6" - checks: - - id: avd-ksv-0024 - severity: HIGH - - name: AppArmor - description: On supported hosts, the runtime/default AppArmor profile is applied - by default. The baseline policy should prevent overriding or disabling - the default AppArmor profile, or restrict overrides to an allowed set - of profiles. - id: "7" - checks: - - id: avd-ksv-0002 - severity: HIGH - - name: SELinux - description: Setting the SELinux type is restricted, and setting a custom - SELinux user or role option is forbidden. - id: "8" - checks: - - id: avd-ksv-0025 - severity: MEDIUM - - name: /proc Mount Type - description: The default /proc masks are set up to reduce attack surface, and - should be required. - id: "9" - checks: - - id: avd-ksv-0027 - severity: MEDIUM - - name: Seccomp - description: Seccomp profile must not be explicitly set to Unconfined. 
- id: "10" - checks: - - id: avd-ksv-0104 - severity: MEDIUM - - name: Sysctls - description: Sysctls can disable security mechanisms or affect all containers on - a host, and should be disallowed except for an allowed 'safe' subset. - A sysctl is considered safe if it is namespaced in the container or - the Pod, and it is isolated from other Pods or processes on the same - Node. - id: "11" - checks: - - id: avd-ksv-0026 - severity: MEDIUM ---- -# Source: trivy/charts/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml -apiVersion: aquasecurity.github.io/v1alpha1 -kind: ClusterComplianceReport -metadata: - name: k8s-pss-restricted-0.1 - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.29.0 - app.kubernetes.io/managed-by: kubectl -spec: - cron: "0 5 * * *" - reportType: "summary" - compliance: - id: k8s-pss-restricted-0.1 - platform: k8s - type: pss-restricted - title: Kubernetes Pod Security Standards - Restricted - description: Kubernetes Pod Security Standards - Restricted - relatedResources: - - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - version: "0.1" - controls: - - name: HostProcess - description: Windows pods offer the ability to run HostProcess containers which - enables privileged access to the Windows node. Privileged access to - the host is disallowed in the baseline policy - id: "1" - checks: - - id: AVD-KSV-0103 - severity: HIGH - - name: Host Namespaces - description: Sharing the host namespaces must be disallowed. - id: "2" - checks: - - id: AVD-KSV-0008 - severity: HIGH - - name: Privileged Containers - description: Privileged Pods disable most security mechanisms and must be - disallowed. - id: "3" - checks: - - id: AVD-KSV-0017 - severity: HIGH - - name: Capabilities - description: Adding additional capabilities beyond those listed below must be - disallowed. 
- id: "4" - checks: - - id: AVD-KSV-0022 - severity: MEDIUM - - name: HostPath Volumes - description: HostPath volumes must be forbidden. - id: "5" - checks: - - id: AVD-KSV-0023 - severity: MEDIUM - - name: host ports - description: hostports should be disallowed, or at minimum restricted to a known - list. - id: "6" - checks: - - id: avd-ksv-0024 - severity: HIGH - - name: AppArmor - description: On supported hosts, the runtime/default AppArmor profile is applied - by default. The baseline policy should prevent overriding or disabling - the default AppArmor profile, or restrict overrides to an allowed set - of profiles. - id: "7" - checks: - - id: avd-ksv-0002 - severity: HIGH - - name: SELinux - description: Setting the SELinux type is restricted, and setting a custom - SELinux user or role option is forbidden. - id: "8" - checks: - - id: avd-ksv-0025 - severity: MEDIUM - - name: /proc Mount Type - description: The default /proc masks are set up to reduce attack surface, and - should be required. - id: "9" - checks: - - id: avd-ksv-0027 - severity: MEDIUM - - name: Seccomp - description: Seccomp profile must not be explicitly set to Unconfined. - id: "10" - checks: - - id: avd-ksv-0104 - severity: MEDIUM - - name: Sysctls - description: Sysctls can disable security mechanisms or affect all containers on - a host, and should be disallowed except for an allowed 'safe' subset. - A sysctl is considered safe if it is namespaced in the container or - the Pod, and it is isolated from other Pods or processes on the same - Node. - id: "11" - checks: - - id: avd-ksv-0026 - severity: MEDIUM - - name: Volume Types - description: The restricted policy only permits specific volume types. - id: "12" - checks: - - id: avd-ksv-0028 - severity: LOW - - name: Privilege Escalation - description: Privilege escalation (such as via set-user-ID or set-group-ID file - mode) should not be allowed. 
- id: "13" - checks: - - id: avd-ksv-0001 - severity: MEDIUM - - name: Running as Non-root - description: Containers must be required to run as non-root users. - id: "14" - checks: - - id: avd-ksv-0012 - severity: MEDIUM - - name: Running as Non-root user - description: Containers must not set runAsUser to 0 - id: "15" - checks: - - id: avd-ksv-0105 - severity: LOW - - name: Seccomp - description: Seccomp profile must be explicitly set to one of the allowed - values. Both the Unconfined profile and the absence of a profile are - prohibited - id: "16" - checks: - - id: avd-ksv-0030 - severity: LOW - - name: Capabilities - description: Containers must drop ALL capabilities, and are only permitted to - add back the NET_BIND_SERVICE capability. - id: "17" - checks: - - id: avd-ksv-0106 - severity: LOW ---- -# Source: trivy/charts/trivy-operator/templates/monitor/servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: trivy-trivy-operator - namespace: trivy - labels: - helm.sh/chart: trivy-operator-0.31.0 - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - app.kubernetes.io/version: "0.29.0" - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy - endpoints: - - honorLabels: true - port: metrics - scheme: http diff --git a/clusters/cl01tl/manifests/tubearchivist/tubearchivist.yaml b/clusters/cl01tl/manifests/tubearchivist/tubearchivist.yaml deleted file mode 100644 index 60e5b541a..000000000 --- a/clusters/cl01tl/manifests/tubearchivist/tubearchivist.yaml +++ /dev/null 
@@ -1,441 +0,0 @@
----
-# Source: tubearchivist/templates/namespace.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
- name: tubearchivist
- labels:
- app.kubernetes.io/name: tubearchivist
- app.kubernetes.io/instance: tubearchivist
- app.kubernetes.io/part-of: tubearchivist
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
----
-# Source: tubearchivist/templates/persistent-volume.yaml
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: tubearchivist-nfs-storage
- namespace: tubearchivist
- labels:
- app.kubernetes.io/name: tubearchivist-nfs-storage
- app.kubernetes.io/instance: tubearchivist
- app.kubernetes.io/part-of: tubearchivist
-spec:
- persistentVolumeReclaimPolicy: Retain
- storageClassName: nfs-client
- capacity:
- storage: 1Gi
- accessModes:
- - ReadWriteMany
- nfs:
- path: /volume2/Storage/YouTube
- server: synologybond.alexlebens.net
- mountOptions:
- - vers=4
- - minorversion=1
- - noac
----
-# Source: tubearchivist/charts/tubearchivist/templates/common.yaml
----
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: tubearchivist
- labels:
- app.kubernetes.io/instance: tubearchivist
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: tubearchivist
- helm.sh/chart: tubearchivist-4.4.0
- annotations:
- helm.sh/resource-policy: keep
- namespace: tubearchivist
-spec:
- accessModes:
- - "ReadWriteOnce"
- resources:
- requests:
- storage: "40Gi"
- storageClassName: "ceph-block"
----
-# Source: tubearchivist/templates/persistent-volume-claim.yaml
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: tubearchivist-nfs-storage
- namespace: tubearchivist
- labels:
- app.kubernetes.io/name: tubearchivist-nfs-storage
- app.kubernetes.io/instance: tubearchivist
- app.kubernetes.io/part-of: tubearchivist
-spec:
- volumeName: tubearchivist-nfs-storage
- storageClassName: nfs-client
- accessModes:
- - ReadWriteMany
- resources:
- requests:
- storage: 1Gi
----
-# Source: tubearchivist/charts/tubearchivist/templates/common.yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: tubearchivist
- labels:
- app.kubernetes.io/instance: tubearchivist
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: tubearchivist
- app.kubernetes.io/service: tubearchivist
- helm.sh/chart: tubearchivist-4.4.0
- namespace: tubearchivist
-spec:
- type: ClusterIP
- ports:
- - port: 80
- targetPort: 24000
- protocol: TCP
- name: http
- selector:
- app.kubernetes.io/controller: main
- app.kubernetes.io/instance: tubearchivist
- app.kubernetes.io/name: tubearchivist
----
-# Source: tubearchivist/charts/tubearchivist/templates/common.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tubearchivist
- labels:
- app.kubernetes.io/controller: main
- app.kubernetes.io/instance: tubearchivist
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: tubearchivist
- helm.sh/chart: tubearchivist-4.4.0
- namespace: tubearchivist
-spec:
- revisionHistoryLimit: 3
- replicas: 1
- strategy:
- type: Recreate
- selector:
- matchLabels:
- app.kubernetes.io/controller: main
- app.kubernetes.io/name: tubearchivist
- app.kubernetes.io/instance: tubearchivist
- template:
- metadata:
- labels:
- app.kubernetes.io/controller: main
- app.kubernetes.io/instance: tubearchivist
- app.kubernetes.io/name: tubearchivist
- spec:
- enableServiceLinks: false
- serviceAccountName: default
- automountServiceAccountToken: true
- hostIPC: false
- hostNetwork: false
- hostPID: false
- dnsPolicy: ClusterFirst
- containers:
- - env:
- - name: VPN_SERVICE_PROVIDER
- value: protonvpn
- - name: VPN_TYPE
- value: wireguard
- - name: WIREGUARD_PRIVATE_KEY
- valueFrom:
- secretKeyRef:
- key: private-key
- name: tubearchivist-wireguard-conf
- - name: VPN_PORT_FORWARDING
- value: "on"
- - name: PORT_FORWARD_ONLY
- value: "on"
- - name: FIREWALL_OUTBOUND_SUBNETS
- value: 10.0.0.0/8
- - name: FIREWALL_INPUT_PORTS
- value: 80,8000,24000
- - name: DOT
- value: "false"
- - name: DNS_KEEP_NAMESERVER
- value: "true"
- - name: DNS_PLAINTEXT_ADDRESS
- value: 10.96.0.10
- image: ghcr.io/qdm12/gluetun:v3.40.3@sha256:ef4a44819a60469682c7b5e69183e6401171891feaa60186652d292c59e41b30
- imagePullPolicy: IfNotPresent
- name: gluetun
- resources:
- limits:
- devic.es/tun: "1"
- requests:
- cpu: 10m
- devic.es/tun: "1"
- memory: 128Mi
- securityContext:
- capabilities:
- add:
- - NET_ADMIN
- - SYS_MODULE
- privileged: true
- - env:
- - name: TZ
- value: US/Central
- - name: HOST_UID
- value: "1000"
- - name: HOST_GID
- value: "1000"
- - name: ES_URL
- value: https://elasticsearch-tubearchivist-es-http.tubearchivist:9200
- - name: ES_DISABLE_VERIFY_SSL
- value: "true"
- - name: REDIS_CON
- value: redis://redis-replication-tubearchivist-master.tubearchivist:6379
- - name: TA_HOST
- value: https://tubearchivist.alexlebens.net http://tubearchivist.tubearchivist:80/
- - name: TA_PORT
- value: "24000"
- - name: TA_USERNAME
- value: admin
- envFrom:
- - secretRef:
- name: tubearchivist-config-secret
- image: bbilly1/tubearchivist:v0.5.8
- imagePullPolicy: IfNotPresent
- name: main
- resources:
- requests:
- cpu: 10m
- memory: 1Gi
- volumeMounts:
- - mountPath: /cache
- name: data
- - mountPath: /youtube
- name: youtube
- volumes:
- - name: data
- persistentVolumeClaim:
- claimName: tubearchivist
- - name: youtube
- persistentVolumeClaim:
- claimName: tubearchivist-nfs-storage
----
-# Source: tubearchivist/templates/elasticsearch.yaml
-apiVersion: elasticsearch.k8s.elastic.co/v1
-kind: Elasticsearch
-metadata:
- name: elasticsearch-tubearchivist
- namespace: tubearchivist
- labels:
- app.kubernetes.io/name: elasticsearch-tubearchivist
- app.kubernetes.io/instance: tubearchivist
- app.kubernetes.io/part-of: tubearchivist
-spec:
- version: 8.18.0
- auth:
- fileRealm:
- - secretName: tubearchivist-elasticsearch-secret
- nodeSets:
- - name: default
- count: 1
- config:
- node.store.allow_mmap: false
- path.repo: /usr/share/elasticsearch/data/snapshot
- podTemplate:
- spec:
- volumes:
- - name: tubearchivist-snapshot-nfs-storage
- nfs:
- path: /volume2/Storage/TubeArchivist
- server: synologybond.alexlebens.net
- containers:
- - name: elasticsearch
- volumeMounts:
- - name: tubearchivist-snapshot-nfs-storage
- mountPath: /usr/share/elasticsearch/data/snapshot
- volumeClaimTemplates:
- - metadata:
- name: elasticsearch-data
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 10Gi
- storageClassName: ceph-block
----
-# Source: tubearchivist/templates/external-secret.yaml
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: tubearchivist-config-secret
- namespace: tubearchivist
- labels:
- app.kubernetes.io/name: tubearchivist-config-secret
- app.kubernetes.io/instance: tubearchivist
- app.kubernetes.io/part-of: tubearchivist
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault
- data:
- - secretKey: ELASTIC_PASSWORD
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /cl01tl/tubearchivist/env
- metadataPolicy: None
- property: ELASTIC_PASSWORD
- - secretKey: TA_PASSWORD
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /cl01tl/tubearchivist/env
- metadataPolicy: None
- property: TA_PASSWORD
----
-# Source: tubearchivist/templates/external-secret.yaml
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: tubearchivist-elasticsearch-secret
- namespace: tubearchivist
- labels:
- app.kubernetes.io/name: tubearchivist-elasticsearch-secret
- app.kubernetes.io/instance: tubearchivist
- app.kubernetes.io/part-of: tubearchivist
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault
- data:
- - secretKey: username
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /cl01tl/tubearchivist/elasticsearch
- metadataPolicy: None
- property: username
- - secretKey: password
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /cl01tl/tubearchivist/elasticsearch
- metadataPolicy: None
- property: password
- - secretKey: roles
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /cl01tl/tubearchivist/elasticsearch
- metadataPolicy: None
- property: roles
----
-# Source: tubearchivist/templates/external-secret.yaml
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: tubearchivist-wireguard-conf
- namespace: tubearchivist
- labels:
- app.kubernetes.io/name: tubearchivist-wireguard-conf
- app.kubernetes.io/instance: tubearchivist
- app.kubernetes.io/part-of: tubearchivist
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault
- data:
- - secretKey: private-key
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /protonvpn/conf/cl01tl
- metadataPolicy: None
- property: private-key
----
-# Source: tubearchivist/templates/http-route.yaml
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: http-route-tubearchivist
- namespace: tubearchivist
- labels:
- app.kubernetes.io/name: http-route-tubearchivist
- app.kubernetes.io/instance: tubearchivist
- app.kubernetes.io/part-of: tubearchivist
-spec:
- parentRefs:
- - group: gateway.networking.k8s.io
- kind: Gateway
- name: traefik-gateway
- namespace: traefik
- hostnames:
- - tubearchivist.alexlebens.net
- rules:
- - matches:
- - path:
- type: PathPrefix
- value: /
- backendRefs:
- - group: ''
- kind: Service
- name: tubearchivist
- port: 80
- weight: 100
----
-# Source: tubearchivist/templates/redis-replication.yaml
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
- name: redis-replication-tubearchivist
- namespace: tubearchivist
- labels:
- app.kubernetes.io/name: redis-replication-tubearchivist
- app.kubernetes.io/instance: tubearchivist
- app.kubernetes.io/part-of: tubearchivist
-spec:
- clusterSize: 3
- podSecurityContext:
- runAsUser: 1000
- fsGroup: 1000
- kubernetesConfig:
- image: quay.io/opstree/redis:v8.0.3
- imagePullPolicy: IfNotPresent
- resources:
- requests:
- cpu: 50m
- memory: 128Mi
- storage:
- volumeClaimTemplate:
- spec:
- storageClassName: ceph-block
- accessModes: ["ReadWriteOnce"]
- resources:
- requests:
- storage: 1Gi
- redisExporter:
- enabled: true
- image: quay.io/opstree/redis-exporter:v1.48.0
----
-# Source: tubearchivist/templates/service-monitor.yaml
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: redis-replication-tubearchivist
- namespace: tubearchivist
- labels:
- app.kubernetes.io/name: redis-replication-tubearchivist
- app.kubernetes.io/instance: tubearchivist
- app.kubernetes.io/part-of: tubearchivist
- redis-operator: "true"
- env: production
-spec:
- selector:
- matchLabels:
- redis_setup_type: replication
- endpoints:
- - port: redis-exporter
- interval: 30s
- scrapeTimeout: 10s
diff --git a/clusters/cl01tl/manifests/unpackerr/unpackerr.yaml b/clusters/cl01tl/manifests/unpackerr/unpackerr.yaml
deleted file mode 100644
index a1e2c8782..000000000
--- a/clusters/cl01tl/manifests/unpackerr/unpackerr.yaml
+++ /dev/null
@@ -1,209 +0,0 @@ ---- -# Source: unpackerr/templates/persistent-volume.yaml -apiVersion: v1 -kind: PersistentVolume -metadata: - name: unpackerr-nfs-storage - namespace: unpackerr - labels: - app.kubernetes.io/name: unpackerr-nfs-storage - app.kubernetes.io/instance: unpackerr - app.kubernetes.io/part-of: unpackerr -spec: - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs-client - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - nfs: - path: /volume2/Storage - server: synologybond.alexlebens.net - mountOptions: - - vers=4 - - minorversion=1 - - noac ---- -# Source: unpackerr/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: unpackerr-nfs-storage - namespace: unpackerr - labels: - app.kubernetes.io/name: unpackerr-nfs-storage - app.kubernetes.io/instance: unpackerr - app.kubernetes.io/part-of: unpackerr -spec: - volumeName: unpackerr-nfs-storage - storageClassName: nfs-client - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi ---- -# Source: unpackerr/charts/unpackerr/templates/common.yaml ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: unpackerr - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: unpackerr - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: unpackerr - helm.sh/chart: unpackerr-4.4.0 - namespace: unpackerr -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: unpackerr - app.kubernetes.io/instance: unpackerr - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: unpackerr - app.kubernetes.io/name: unpackerr - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - 
name: UN_WEBSERVER_METRICS - value: "true" - - name: UN_SONARR_0_URL - value: http://sonarr.sonarr:80 - - name: UN_SONARR_0_PATHS_0 - value: /mnt/store/Torrent/FINISHED/COMPLETED - - name: UN_SONARR_1_URL - value: http://sonarr-4k.sonarr-4k:80 - - name: UN_SONARR_1_PATHS_0 - value: /mnt/store/Torrent/FINISHED/COMPLETED - - name: UN_SONARR_2_URL - value: http://sonarr-anime.sonarr-anime:80 - - name: UN_SONARR_2_PATHS_0 - value: /mnt/store/Torrent/FINISHED/COMPLETED - - name: UN_RADARR_0_URL - value: http://radarr.radarr:80 - - name: UN_RADARR_0_PATHS_0 - value: /mnt/store/Torrent/FINISHED/COMPLETED - - name: UN_RADARR_1_URL - value: http://radarr-4k.radarr-4k:80 - - name: UN_RADARR_1_PATHS_0 - value: /mnt/store/Torrent/FINISHED/COMPLETED - - name: UN_RADARR_2_URL - value: http://radarr-anime.radarr-anime:80 - - name: UN_RADARR_2_PATHS_0 - value: /mnt/store/Torrent/FINISHED/COMPLETED - - name: UN_RADARR_3_URL - value: http://radarr-standup.radarr-standup:80 - - name: UN_RADARR_3_PATHS_0 - value: /mnt/store/Torrent/FINISHED/COMPLETED - - name: UN_LIDARR_0_URL - value: http://lidarr.lidarr:80 - - name: UN_LIDARR_0_PATHS_0 - value: /mnt/store/Torrent/FINISHED/COMPLETED - envFrom: - - secretRef: - name: unpackerr-key-secret - image: golift/unpackerr:0.14.5 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /mnt/store - name: storage - volumes: - - name: storage - persistentVolumeClaim: - claimName: unpackerr-nfs-storage ---- -# Source: unpackerr/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: unpackerr-key-secret - namespace: unpackerr - labels: - app.kubernetes.io/name: unpackerr-key-secret - app.kubernetes.io/instance: unpackerr - app.kubernetes.io/part-of: unpackerr -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: UN_SONARR_0_API_KEY - remoteRef: - conversionStrategy: Default - 
decodingStrategy: None - key: /cl01tl/sonarr4/key - metadataPolicy: None - property: key - - secretKey: UN_SONARR_1_API_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/sonarr4-4k/key - metadataPolicy: None - property: key - - secretKey: UN_SONARR_2_API_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/sonarr4-anime/key - metadataPolicy: None - property: key - - secretKey: UN_RADARR_0_API_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/radarr5/key - metadataPolicy: None - property: key - - secretKey: UN_RADARR_1_API_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/radarr5-4k/key - metadataPolicy: None - property: key - - secretKey: UN_RADARR_2_API_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/radarr5-anime/key - metadataPolicy: None - property: key - - secretKey: UN_RADARR_3_API_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/radarr5-standup/key - metadataPolicy: None - property: key - - secretKey: UN_LIDARR_0_API_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/lidarr2/key - metadataPolicy: None - property: key diff --git a/clusters/cl01tl/manifests/unpoller/unpoller.yaml b/clusters/cl01tl/manifests/unpoller/unpoller.yaml deleted file mode 100644 index 329b1ee13..000000000 --- a/clusters/cl01tl/manifests/unpoller/unpoller.yaml +++ /dev/null 
@@ -1,151 +0,0 @@ ---- -# Source: unpoller/charts/unpoller/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: unpoller - labels: - app.kubernetes.io/instance: unpoller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: unpoller - app.kubernetes.io/service: unpoller - helm.sh/chart: unpoller-4.4.0 - namespace: unpoller -spec: - type: ClusterIP - ports: - - port: 9130 - targetPort: 9130 - protocol: TCP - name: metrics - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: unpoller - app.kubernetes.io/name: unpoller ---- -# Source: unpoller/charts/unpoller/templates/common.yaml ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: unpoller - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: unpoller - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: unpoller - helm.sh/chart: unpoller-4.4.0 - namespace: unpoller -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: unpoller - app.kubernetes.io/instance: unpoller - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: unpoller - app.kubernetes.io/name: unpoller - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: UP_UNIFI_CONTROLLER_0_SAVE_ALARMS - value: "false" - - name: UP_UNIFI_CONTROLLER_0_SAVE_ANOMALIES - value: "false" - - name: UP_UNIFI_CONTROLLER_0_SAVE_DPI - value: "false" - - name: UP_UNIFI_CONTROLLER_0_SAVE_EVENTS - value: "false" - - name: UP_UNIFI_CONTROLLER_0_SAVE_IDS - value: "false" - - name: UP_UNIFI_CONTROLLER_0_SAVE_SITES - value: "true" - - name: UP_UNIFI_CONTROLLER_0_URL - value: https://unifi.alexlebens.net/ - - name: UP_UNIFI_CONTROLLER_0_VERIFY_SSL - value: "false" - - name: 
UP_INFLUXDB_DISABLE - value: "true" - - name: UP_PROMETHEUS_HTTP_LISTEN - value: 0.0.0.0:9130 - - name: UP_PROMETHEUS_NAMESPACE - value: unpoller - - name: UP_POLLER_DEBUG - value: "false" - - name: UP_POLLER_QUIET - value: "false" - envFrom: - - secretRef: - name: unpoller-unifi-secret - image: ghcr.io/unpoller/unpoller:v2.16.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 64Mi ---- -# Source: unpoller/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: unpoller-unifi-secret - namespace: unpoller - labels: - app.kubernetes.io/name: unpoller-unifi-secret - app.kubernetes.io/instance: unpoller - app.kubernetes.io/part-of: unpoller -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: UP_UNIFI_CONTROLLER_0_USER - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /unifi/auth/cl01tl - metadataPolicy: None - property: user - - secretKey: UP_UNIFI_CONTROLLER_0_PASS - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /unifi/auth/cl01tl - metadataPolicy: None - property: password ---- -# Source: unpoller/templates/service-monitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: unpoller - namespace: unpoller - labels: - app.kubernetes.io/name: unpoller - app.kubernetes.io/instance: unpoller - app.kubernetes.io/part-of: unpoller -spec: - selector: - matchLabels: - app.kubernetes.io/name: unpoller - app.kubernetes.io/instance: unpoller - endpoints: - - port: metrics - interval: 30s - scrapeTimeout: 10s - path: /metrics diff --git a/clusters/cl01tl/manifests/vault/vault.yaml b/clusters/cl01tl/manifests/vault/vault.yaml deleted file mode 100644 index 111d7d079..000000000 --- a/clusters/cl01tl/manifests/vault/vault.yaml +++ /dev/null 
@@ -1,1222 +0,0 @@ ---- -# Source: vault/charts/vault/templates/server-disruptionbudget.yaml -# PodDisruptionBudget to prevent degrading the server cluster through -# voluntary cluster changes. -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: vault - namespace: vault - labels: - helm.sh/chart: vault-0.31.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm -spec: - maxUnavailable: 1 - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - component: server ---- -# Source: vault/charts/vault/templates/server-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault - namespace: vault - labels: - helm.sh/chart: vault-0.31.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm ---- -# Source: vault/charts/vault/templates/server-config-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: vault-config - namespace: vault - labels: - helm.sh/chart: vault-0.31.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - ui = true - - listener "tcp" { - tls_disable = 1 - address = "[::]:8200" - cluster_address = "[::]:8201" - telemetry { - unauthenticated_metrics_access = "true" - } - } - - storage "raft" { - path = "/vault/data" - retry_join { - leader_api_addr = "http://vault-0.vault-internal:8200" - } - retry_join { - leader_api_addr = "http://vault-1.vault-internal:8200" - } - retry_join { - leader_api_addr = "http://vault-2.vault-internal:8200" - } - } - - service_registration "kubernetes" {} - - telemetry { - prometheus_retention_time = "30s" - disable_hostname = true - } - - disable_mlock = true ---- -# Source: vault/templates/persistent-volume-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: vault-nfs-storage-backup - namespace: vault - labels: - 
app.kubernetes.io/name: vault-nfs-storage-backup - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - volumeMode: Filesystem - storageClassName: nfs-client - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi ---- -# Source: vault/charts/vault/templates/server-discovery-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: vault - name: vault-discovery-role - labels: - helm.sh/chart: vault-0.31.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "watch", "list", "update", "patch"] ---- -# Source: vault/charts/vault/templates/server-discovery-rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: vault-discovery-rolebinding - namespace: vault - labels: - helm.sh/chart: vault-0.31.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: vault-discovery-role -subjects: -- kind: ServiceAccount - name: vault - namespace: vault ---- -# Source: vault/charts/vault/templates/server-ha-active-service.yaml -# Service for active Vault pod -apiVersion: v1 -kind: Service -metadata: - name: vault-active - namespace: vault - labels: - helm.sh/chart: vault-0.31.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - vault-active: "true" - annotations: -spec: - type: ClusterIP - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - component: server - vault-active: "true" ---- -# Source: vault/charts/vault/templates/server-headless-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service 
-metadata: - name: vault-internal - namespace: vault - labels: - helm.sh/chart: vault-0.31.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: - -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - component: server ---- -# Source: vault/charts/vault/templates/server-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: vault - namespace: vault - labels: - helm.sh/chart: vault-0.31.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - annotations: - -spec: - type: ClusterIP - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - component: server ---- -# Source: vault/charts/vault/templates/ui-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: vault-ui - namespace: vault - labels: - helm.sh/chart: vault-0.31.0 - app.kubernetes.io/name: vault-ui - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm -spec: - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - component: server - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - type: ClusterIP ---- -# Source: vault/charts/unseal/templates/common.yaml ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vault-unseal-unseal-3 - labels: - app.kubernetes.io/controller: unseal-3 - app.kubernetes.io/instance: vault - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: vault - helm.sh/chart: unseal-4.4.0 - namespace: vault -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: unseal-3 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - template: - metadata: - labels: - app.kubernetes.io/controller: unseal-3 - app.kubernetes.io/instance: vault - app.kubernetes.io/name: vault - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - envFrom: - - secretRef: - name: vault-unseal-config-3 - image: ghcr.io/lrstanley/vault-unseal:0.7.2 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 24Mi ---- -# Source: vault/charts/unseal/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vault-unseal-unseal-1 - labels: - app.kubernetes.io/controller: unseal-1 - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: vault - helm.sh/chart: unseal-4.4.0 - namespace: vault -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: unseal-1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - template: - metadata: - labels: - app.kubernetes.io/controller: unseal-1 - app.kubernetes.io/instance: vault - app.kubernetes.io/name: vault - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - envFrom: - - secretRef: - name: vault-unseal-config-1 - image: ghcr.io/lrstanley/vault-unseal:0.7.2 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 24Mi ---- -# Source: 
vault/charts/unseal/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vault-unseal-unseal-2 - labels: - app.kubernetes.io/controller: unseal-2 - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: vault - helm.sh/chart: unseal-4.4.0 - namespace: vault -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: unseal-2 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - template: - metadata: - labels: - app.kubernetes.io/controller: unseal-2 - app.kubernetes.io/instance: vault - app.kubernetes.io/name: vault - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - envFrom: - - secretRef: - name: vault-unseal-config-2 - image: ghcr.io/lrstanley/vault-unseal:0.7.2 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 24Mi ---- -# Source: vault/charts/vault/templates/server-statefulset.yaml -# StatefulSet to run the actual vault server cluster. 
-apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: vault - namespace: vault - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: vault-internal - podManagementPolicy: Parallel - replicas: 3 - updateStrategy: - type: RollingUpdate - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.31.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - component: server - annotations: - spec: - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "vault" - component: server - topologyKey: kubernetes.io/hostname - - - - - terminationGracePeriodSeconds: 10 - serviceAccountName: vault - - securityContext: - runAsNonRoot: true - runAsGroup: 1000 - runAsUser: 100 - fsGroup: 1000 - hostNetwork: false - volumes: - - - name: config - configMap: - name: vault-config - - - name: vault-nfs-storage-backup - persistentVolumeClaim: - claimName: vault-nfs-storage-backup - - name: home - emptyDir: {} - containers: - - name: vault - resources: - requests: - cpu: 50m - memory: 512Mi - - image: hashicorp/vault:1.21.1 - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei 
"s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl - - securityContext: - allowPrivilegeEscalation: false - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).vault-internal:8201" - - name: HOME - value: "/home/vault" - - name: VAULT_LOG_LEVEL - value: "debug" - - name: VAULT_LOG_FORMAT - value: "standard" - - - - volumeMounts: - - - - - name: data - mountPath: /vault/data - - - - - name: config - mountPath: /vault/config - - - mountPath: /opt/backups/ - name: vault-nfs-storage-backup - readOnly: false - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). 
- preStop: - exec: - command: - - "/bin/sh" - - "-c" - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - - "sleep 5 && kill -SIGTERM $(pidof vault)" - - - volumeClaimTemplates: - - metadata: - name: data - - - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi ---- -# Source: vault/charts/snapshot/templates/common.yaml ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: vault-snapshot - labels: - app.kubernetes.io/controller: snapshot - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: vault - helm.sh/chart: snapshot-4.4.0 - namespace: vault -spec: - suspend: false - concurrencyPolicy: Forbid - startingDeadlineSeconds: 90 - timeZone: US/Central - schedule: "0 4 * * *" - successfulJobsHistoryLimit: 3 - failedJobsHistoryLimit: 3 - jobTemplate: - spec: - parallelism: 1 - backoffLimit: 3 - template: - metadata: - labels: - app.kubernetes.io/controller: snapshot - app.kubernetes.io/instance: vault - app.kubernetes.io/name: vault - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - restartPolicy: Never - initContainers: - - args: - - -ec - - | - apk add --no-cache jq; - echo ">> Running Vault snapshot" - export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token); - vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap; - cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; - cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap; - echo ">> Completed Vault snapshot" - command: - - /bin/ash - env: - - name: VAULT_ADDR - value: http://vault-active.vault.svc.cluster.local:8200 - 
envFrom: - - secretRef: - name: vault-snapshot-agent-token - image: hashicorp/vault:1.21.1 - imagePullPolicy: IfNotPresent - name: snapshot - resources: - requests: - cpu: 10m - memory: 64Mi - volumeMounts: - - mountPath: /opt/backup - name: config - containers: - - args: - - -ec - - | - echo ">> Running S3 backup for Vault snapshot" - s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/vault-snapshot-s3.snap ${BUCKET}/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; - rm -f /opt/backup/vault-snapshot-s3.snap; - echo ">> Completed S3 backup for Vault snapshot" - command: - - /bin/sh - env: - - name: BUCKET - valueFrom: - secretKeyRef: - key: BUCKET - name: vault-s3cmd-config - image: d3fk/s3cmd:latest@sha256:590c42746db1252be8aad33e287c7910698c32b58b4fc34f67592a5bd0841551 - imagePullPolicy: IfNotPresent - name: s3-backup - resources: - requests: - cpu: 100m - memory: 128Mi - volumeMounts: - - mountPath: /opt/backup - name: config - - mountPath: /root/.s3cfg - mountPropagation: None - name: s3cmd-config - readOnly: true - subPath: .s3cfg - volumes: - - name: config - persistentVolumeClaim: - claimName: vault-nfs-storage-backup - - name: s3cmd-config - secret: - secretName: vault-s3cmd-config ---- -# Source: vault/templates/ingress.yaml -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: vault-tailscale - namespace: vault - labels: - app.kubernetes.io/name: vault-tailscale - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault - tailscale.com/proxy-class: no-metrics - annotations: - tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true" -spec: - ingressClassName: tailscale - tls: - - hosts: - - vault-cl01tl - secretName: vault-cl01tl - rules: - - host: vault-cl01tl - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: vault-active - port: - number: 8200 ---- -# Source: vault/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: 
ExternalSecret -metadata: - name: vault-snapshot-agent-token - namespace: vault - labels: - app.kubernetes.io/name: vault-snapshot-agent-token - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: VAULT_APPROLE_ROLE_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/snapshot - metadataPolicy: None - property: VAULT_APPROLE_ROLE_ID - - secretKey: VAULT_APPROLE_SECRET_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/snapshot - metadataPolicy: None - property: VAULT_APPROLE_SECRET_ID ---- -# Source: vault/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-s3cmd-config - namespace: vault - labels: - app.kubernetes.io/name: vault-s3cmd-config - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: .s3cfg - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/vault-backup - metadataPolicy: None - property: s3cfg - - secretKey: BUCKET - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/vault-backup - metadataPolicy: None - property: BUCKET ---- -# Source: vault/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-unseal-config-1 - namespace: vault - labels: - app.kubernetes.io/name: vault-unseal-config-1 - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ENVIRONMENT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: ENVIRONMENT - - secretKey: CHECK_INTERVAL - remoteRef: - 
conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: CHECK_INTERVAL - - secretKey: MAX_CHECK_INTERVAL - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: MAX_CHECK_INTERVAL - - secretKey: NODES - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: NODES - - secretKey: TLS_SKIP_VERIFY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: TLS_SKIP_VERIFY - - secretKey: TOKENS - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: TOKENS - - secretKey: EMAIL_ENABLED - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: EMAIL_ENABLED - - secretKey: NOTIFY_MAX_ELAPSED - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: NOTIFY_MAX_ELAPSED - - secretKey: NOTIFY_QUEUE_DELAY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: NOTIFY_QUEUE_DELAY ---- -# Source: vault/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-unseal-config-2 - namespace: vault - labels: - app.kubernetes.io/name: vault-unseal-config-2 - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ENVIRONMENT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: ENVIRONMENT - - secretKey: 
CHECK_INTERVAL - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: CHECK_INTERVAL - - secretKey: MAX_CHECK_INTERVAL - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: MAX_CHECK_INTERVAL - - secretKey: NODES - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: NODES - - secretKey: TLS_SKIP_VERIFY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: TLS_SKIP_VERIFY - - secretKey: TOKENS - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: TOKENS - - secretKey: EMAIL_ENABLED - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: EMAIL_ENABLED - - secretKey: NOTIFY_MAX_ELAPSED - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: NOTIFY_MAX_ELAPSED - - secretKey: NOTIFY_QUEUE_DELAY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: NOTIFY_QUEUE_DELAY ---- -# Source: vault/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-unseal-config-3 - namespace: vault - labels: - app.kubernetes.io/name: vault-unseal-config-3 - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ENVIRONMENT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: 
ENVIRONMENT - - secretKey: CHECK_INTERVAL - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: CHECK_INTERVAL - - secretKey: MAX_CHECK_INTERVAL - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: MAX_CHECK_INTERVAL - - secretKey: NODES - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: NODES - - secretKey: TLS_SKIP_VERIFY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: TLS_SKIP_VERIFY - - secretKey: TOKENS - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: TOKENS - - secretKey: EMAIL_ENABLED - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: EMAIL_ENABLED - - secretKey: NOTIFY_MAX_ELAPSED - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: NOTIFY_MAX_ELAPSED - - secretKey: NOTIFY_QUEUE_DELAY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: NOTIFY_QUEUE_DELAY ---- -# Source: vault/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-token - namespace: vault - labels: - app.kubernetes.io/name: vault-token - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/token - metadataPolicy: None - property: token - - 
secretKey: unseal_key_1 - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/token - metadataPolicy: None - property: unseal_key_1 - - secretKey: unseal_key_2 - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/token - metadataPolicy: None - property: unseal_key_2 - - secretKey: unseal_key_3 - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/token - metadataPolicy: None - property: unseal_key_3 - - secretKey: unseal_key_4 - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/token - metadataPolicy: None - property: unseal_key_4 - - secretKey: unseal_key_5 - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/token - metadataPolicy: None - property: unseal_key_5 ---- -# Source: vault/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-vault - namespace: vault - labels: - app.kubernetes.io/name: http-route-vault - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - vault.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: vault-active - port: 8200 - weight: 100 ---- -# Source: vault/charts/vault/templates/prometheus-prometheusrules.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: vault - labels: - helm.sh/chart: vault-0.31.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - release: prometheus -spec: - groups: - - name: vault - rules: - - alert: vault-HighResponseTime - annotations: - message: The response time of Vault is over 500ms on average over the last 5 minutes. 
- expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 - for: 5m - labels: - severity: warning - - alert: vault-HighResponseTime - annotations: - message: The response time of Vault is over 1s on average over the last 5 minutes. - expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 - for: 5m - labels: - severity: critical ---- -# Source: vault/charts/vault/templates/prometheus-servicemonitor.yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: vault - labels: - helm.sh/chart: vault-0.31.0 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - release: prometheus -spec: - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - vault-active: "true" - endpoints: - - port: http - interval: 30s - scrapeTimeout: 10s - scheme: http - path: /v1/sys/metrics - params: - format: - - prometheus - tlsConfig: - insecureSkipVerify: true - namespaceSelector: - matchNames: - - vault ---- -# Source: vault/charts/vault/templates/tests/server-test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: vault-server-test - namespace: vault - annotations: - "helm.sh/hook": test -spec: - - containers: - - name: vault-server-test - image: hashicorp/vault:1.21.1 - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://vault.vault.svc:8200 - - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ "$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... 
- vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - - mountPath: /opt/backups/ - name: vault-nfs-storage-backup - readOnly: false - volumes: - - name: vault-nfs-storage-backup - persistentVolumeClaim: - claimName: vault-nfs-storage-backup - restartPolicy: Never diff --git a/clusters/cl01tl/manifests/vaultwarden/vaultwarden.yaml b/clusters/cl01tl/manifests/vaultwarden/vaultwarden.yaml deleted file mode 100644 index 2f6e683e2..000000000 --- a/clusters/cl01tl/manifests/vaultwarden/vaultwarden.yaml +++ /dev/null 
@@ -1,846 +0,0 @@ ---- -# Source: vaultwarden/charts/vaultwarden/templates/common.yaml ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: vaultwarden-data - labels: - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: vaultwarden - helm.sh/chart: vaultwarden-4.4.0 - annotations: - helm.sh/resource-policy: keep - namespace: vaultwarden -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "5Gi" - storageClassName: "ceph-block" ---- -# Source: vaultwarden/charts/vaultwarden/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: vaultwarden - labels: - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: vaultwarden - app.kubernetes.io/service: vaultwarden - helm.sh/chart: vaultwarden-4.4.0 - namespace: vaultwarden -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 80 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/name: vaultwarden ---- -# Source: vaultwarden/charts/cloudflared/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vaultwarden-cloudflared - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cloudflared - app.kubernetes.io/version: 2025.10.0 - helm.sh/chart: cloudflared-1.23.1 - namespace: vaultwarden -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: cloudflared - app.kubernetes.io/instance: vaultwarden - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/name: cloudflared - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - 
hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - args: - - tunnel - - --protocol - - http2 - - --no-autoupdate - - run - - --token - - $(CF_MANAGED_TUNNEL_TOKEN) - env: - - name: CF_MANAGED_TUNNEL_TOKEN - valueFrom: - secretKeyRef: - key: cf-tunnel-token - name: vaultwarden-cloudflared-secret - image: cloudflare/cloudflared:2025.11.1 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi ---- -# Source: vaultwarden/charts/vaultwarden/templates/common.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vaultwarden - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: vaultwarden - helm.sh/chart: vaultwarden-4.4.0 - namespace: vaultwarden -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: vaultwarden - app.kubernetes.io/instance: vaultwarden - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/name: vaultwarden - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: DOMAIN - value: https://passwords.alexlebens.dev - - name: SIGNUPS_ALLOWED - value: "false" - - name: INVITATIONS_ALLOWED - value: "false" - - name: DATABASE_URL - valueFrom: - secretKeyRef: - key: uri - name: vaultwarden-postgresql-17-cluster-app - image: vaultwarden/server:1.34.3 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 128Mi - volumeMounts: - - mountPath: /data - name: config - volumes: - - name: config - persistentVolumeClaim: - claimName: vaultwarden-data ---- -# Source: 
vaultwarden/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: vaultwarden-postgresql-17-cluster - namespace: vaultwarden - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: vaultwarden-postgresql-17 - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/part-of: vaultwarden - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "vaultwarden-postgresql-17-external-backup" - serverName: "vaultwarden-postgresql-17-backup-1" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "vaultwarden-postgresql-17-garage-local-backup" - serverName: "vaultwarden-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "vaultwarden-postgresql-17-recovery" - serverName: vaultwarden-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: vaultwarden-postgresql-17-backup-1 - - externalClusters: - - name: 
vaultwarden-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "vaultwarden-postgresql-17-recovery" - serverName: vaultwarden-postgresql-17-backup-1 ---- -# Source: vaultwarden/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vaultwarden-cloudflared-secret - namespace: vaultwarden - labels: - app.kubernetes.io/name: vaultwarden-cloudflared-secret - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/part-of: vaultwarden -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: cf-tunnel-token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cloudflare/tunnels/vaultwarden - metadataPolicy: None - property: token ---- -# Source: vaultwarden/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vaultwarden-data-backup-secret - namespace: vaultwarden - labels: - app.kubernetes.io/name: vaultwarden-data-backup-secret - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/part-of: vaultwarden -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - target: - template: - mergePolicy: Merge - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/vaultwarden/vaultwarden-data" - data: - - secretKey: BUCKET_ENDPOINT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: S3_BUCKET_ENDPOINT - - secretKey: RESTIC_PASSWORD - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: RESTIC_PASSWORD - - secretKey: AWS_DEFAULT_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/volsync/restic/config - metadataPolicy: None - property: AWS_DEFAULT_REGION - - secretKey: 
AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: access_key - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/volsync-backups - metadataPolicy: None - property: secret_key ---- -# Source: vaultwarden/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vaultwarden-postgresql-17-cluster-backup-secret - namespace: vaultwarden - labels: - app.kubernetes.io/name: vaultwarden-postgresql-17-cluster-backup-secret - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/part-of: vaultwarden -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/postgres-backups - metadataPolicy: None - property: secret ---- -# Source: vaultwarden/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vaultwarden-postgresql-17-cluster-backup-secret-garage - namespace: vaultwarden - labels: - app.kubernetes.io/name: vaultwarden-postgresql-17-cluster-backup-secret-garage - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/part-of: vaultwarden -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: 
/garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /garage/home-infra/postgres-backups - metadataPolicy: None - property: ACCESS_REGION ---- -# Source: vaultwarden/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "vaultwarden-postgresql-17-external-backup" - namespace: vaultwarden - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: vaultwarden-postgresql-17 - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/part-of: vaultwarden - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 30d - configuration: - destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/vaultwarden/vaultwarden-postgresql-17-cluster - endpointURL: https://nyc3.digitaloceanspaces.com - s3Credentials: - accessKeyId: - name: vaultwarden-postgresql-17-cluster-backup-secret - key: ACCESS_KEY_ID - secretAccessKey: - name: vaultwarden-postgresql-17-cluster-backup-secret - key: ACCESS_SECRET_KEY ---- -# Source: vaultwarden/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "vaultwarden-postgresql-17-garage-local-backup" - namespace: vaultwarden - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: vaultwarden-postgresql-17 - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/part-of: vaultwarden - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - retentionPolicy: 3d - configuration: - destinationPath: s3://postgres-backups/cl01tl/vaultwarden/vaultwarden-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - s3Credentials: - accessKeyId: - name: vaultwarden-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - 
secretAccessKey: - name: vaultwarden-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY - region: - name: vaultwarden-postgresql-17-cluster-backup-secret-garage - key: ACCESS_REGION ---- -# Source: vaultwarden/charts/postgres-17-cluster/templates/object-store.yaml -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: "vaultwarden-postgresql-17-recovery" - namespace: vaultwarden - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: vaultwarden-postgresql-17 - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/part-of: vaultwarden - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - configuration: - destinationPath: s3://postgres-backups/cl01tl/vaultwarden/vaultwarden-postgresql-17-cluster - endpointURL: http://garage-main.garage:3900 - wal: - compression: snappy - maxParallel: 1 - data: - compression: snappy - jobs: 1 - s3Credentials: - accessKeyId: - name: vaultwarden-postgresql-17-cluster-backup-secret-garage - key: ACCESS_KEY_ID - secretAccessKey: - name: vaultwarden-postgresql-17-cluster-backup-secret-garage - key: ACCESS_SECRET_KEY ---- -# Source: vaultwarden/charts/postgres-17-cluster/templates/prometheus-rule.yaml -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: vaultwarden-postgresql-17-alert-rules - namespace: vaultwarden - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: vaultwarden-postgresql-17 - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/part-of: vaultwarden - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - groups: - - name: cloudnative-pg/vaultwarden-postgresql-17 - rules: - - alert: CNPGClusterBackendsWaitingWarning - annotations: - summary: CNPG Cluster a backend is waiting for longer than 5 minutes. 
- description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: vaultwarden - cnpg_cluster: vaultwarden-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: vaultwarden - cnpg_cluster: vaultwarden-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="vaultwarden"} - cnpg_pg_replication_is_wal_receiver_up{namespace="vaultwarden"}) < 1 - for: 5m - labels: - severity: critical - namespace: vaultwarden - cnpg_cluster: vaultwarden-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. 
- description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="vaultwarden"} - cnpg_pg_replication_is_wal_receiver_up{namespace="vaultwarden"}) < 2 - for: 5m - labels: - severity: warning - namespace: vaultwarden - cnpg_cluster: vaultwarden-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "vaultwarden/vaultwarden-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="vaultwarden", pod=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="vaultwarden", pod=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: vaultwarden - cnpg_cluster: vaultwarden-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. - description: |- - CloudNativePG Cluster "vaultwarden/vaultwarden-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="vaultwarden", pod=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="vaultwarden", pod=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: vaultwarden - cnpg_cluster: vaultwarden-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "vaultwarden/vaultwarden-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="vaultwarden",pod=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: vaultwarden - cnpg_cluster: vaultwarden-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "vaultwarden/vaultwarden-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md - expr: | - count by (node) (kube_pod_info{namespace="vaultwarden", pod=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1 - for: 5m - labels: - severity: warning - namespace: vaultwarden - cnpg_cluster: vaultwarden-postgresql-17-cluster - - alert: CNPGClusterLongRunningTransactionWarning - annotations: - summary: CNPG Cluster query is taking longer than 5 minutes. - description: |- - CloudNativePG Cluster Pod {{ $labels.pod }} - is taking more than 5 minutes (300 seconds) for a query. - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 1m - labels: - severity: warning - namespace: vaultwarden - cnpg_cluster: vaultwarden-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceCritical - annotations: - summary: CNPG Instance is running out of disk space! - description: |- - CloudNativePG Cluster "vaultwarden/vaultwarden-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs! 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="vaultwarden", persistentvolumeclaim=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="vaultwarden", persistentvolumeclaim=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="vaultwarden", persistentvolumeclaim=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="vaultwarden", persistentvolumeclaim=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="vaultwarden", persistentvolumeclaim=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="vaultwarden", persistentvolumeclaim=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: vaultwarden - cnpg_cluster: vaultwarden-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "vaultwarden/vaultwarden-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="vaultwarden", persistentvolumeclaim=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="vaultwarden", persistentvolumeclaim=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="vaultwarden", persistentvolumeclaim=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="vaultwarden", persistentvolumeclaim=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="vaultwarden", persistentvolumeclaim=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="vaultwarden", persistentvolumeclaim=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: vaultwarden - cnpg_cluster: vaultwarden-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "vaultwarden/vaultwarden-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="vaultwarden",pod=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: vaultwarden - cnpg_cluster: vaultwarden-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: vaultwarden - cnpg_cluster: vaultwarden-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: vaultwarden - cnpg_cluster: vaultwarden-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: vaultwarden - cnpg_cluster: vaultwarden-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "vaultwarden/vaultwarden-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md - expr: | - 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="vaultwarden", pod=~"vaultwarden-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 - for: 5m - labels: - severity: warning - namespace: vaultwarden - cnpg_cluster: vaultwarden-postgresql-17-cluster ---- -# Source: vaultwarden/templates/replication-source.yaml -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: vaultwarden-data-backup-source - namespace: vaultwarden - labels: - app.kubernetes.io/name: vaultwarden-data-backup-source - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/part-of: vaultwarden -spec: - sourcePVC: vaultwarden-data - trigger: - schedule: 0 4 * * * - restic: - pruneIntervalDays: 7 - repository: vaultwarden-data-backup-secret - retain: - hourly: 1 - daily: 3 - weekly: 2 - monthly: 2 - yearly: 4 - copyMethod: Snapshot - storageClassName: ceph-block - volumeSnapshotClassName: ceph-blockpool-snapshot ---- -# Source: vaultwarden/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "vaultwarden-postgresql-17-daily-backup-scheduled-backup" - namespace: vaultwarden - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: vaultwarden-postgresql-17 - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/part-of: vaultwarden - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: false - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: vaultwarden-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "vaultwarden-postgresql-17-external-backup" ---- -# 
Source: vaultwarden/charts/postgres-17-cluster/templates/scheduled-backup.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: "vaultwarden-postgresql-17-live-backup-scheduled-backup" - namespace: vaultwarden - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: vaultwarden-postgresql-17 - app.kubernetes.io/instance: vaultwarden - app.kubernetes.io/part-of: vaultwarden - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - immediate: true - suspend: false - schedule: "0 0 0 * * *" - backupOwnerReference: self - cluster: - name: vaultwarden-postgresql-17-cluster - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "vaultwarden-postgresql-17-garage-local-backup" diff --git a/clusters/cl01tl/manifests/volsync/volsync.yaml b/clusters/cl01tl/manifests/volsync/volsync.yaml deleted file mode 100644 index 277744e37..000000000 --- a/clusters/cl01tl/manifests/volsync/volsync.yaml +++ /dev/null 
@@ -1,10971 +0,0 @@ ---- -# Source: volsync/charts/volsync/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: volsync - labels: - helm.sh/chart: volsync-0.14.0 - app.kubernetes.io/name: volsync - app.kubernetes.io/instance: volsync - app.kubernetes.io/version: "0.14.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: volsync/charts/volsync/templates/volsync.backube_replicationdestinations.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: replicationdestinations.volsync.backube -spec: - group: volsync.backube - names: - kind: ReplicationDestination - listKind: ReplicationDestinationList - plural: replicationdestinations - singular: replicationdestination - scope: Namespaced - versions: - - additionalPrinterColumns: - - format: date-time - jsonPath: .status.lastSyncTime - name: Last sync - type: string - - jsonPath: .status.lastSyncDuration - name: Duration - type: string - - format: date-time - jsonPath: .status.nextSyncTime - name: Next sync - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - A ReplicationDestination is a VolSync resource that you can use to define the destination of a VolSync replication - or synchronization. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ReplicationDestination, including the - replication method to use and its configuration. - properties: - external: - description: |- - external defines the configuration when using an external replication - provider. - properties: - parameters: - additionalProperties: - type: string - description: |- - parameters are provider-specific key/value configuration parameters. For - more information, please see the documentation of the specific - replication provider being used. - type: object - provider: - description: |- - provider is the name of the external replication provider. The name - should be of the form: domain.com/provider. - type: string - type: object - paused: - description: paused can be used to temporarily stop replication. Defaults to "false". - type: boolean - rclone: - description: rclone defines the configuration when using Rclone-based replication. - properties: - accessModes: - description: accessModes specifies the access modes for the destination volume. - items: - type: string - minItems: 1 - type: array - capacity: - anyOf: - - type: integer - - type: string - description: capacity is the size of the destination volume to create. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - cleanupTempPVC: - description: |- - Set this to true to delete the temp destination PVC (dynamically provisioned - by VolSync) at the end of each successful ReplicationDestination sync iteration. - If destinationPVC is set, this will have no effect, VolSync will only - cleanup temp PVCs that it deployed. 
- Note that if this is set to true, every sync this ReplicationDestination - makes will re-provision a new temp destination PVC and all data - will need to be sent again during the sync. - Dynamically provisioned destination PVCs will always be deleted if the - owning ReplicationDestination is removed, even if this setting is false. - The default is false. - type: boolean - copyMethod: - description: |- - copyMethod describes how a point-in-time (PiT) image of the destination - volume should be created. - enum: - - Direct - - None - - Clone - - Snapshot - type: string - customCA: - description: customCA is a custom CA that will be used to verify the remote - properties: - configMapName: - description: |- - The name of a ConfigMap that contains the custom CA certificate - If ConfigMapName is used then SecretName should not be set - type: string - key: - description: The key within the Secret or ConfigMap containing the CA certificate - type: string - secretName: - description: |- - The name of a Secret that contains the custom CA certificate - If SecretName is used then ConfigMapName should not be set - type: string - type: object - destinationPVC: - description: |- - destinationPVC is a PVC to use as the transfer destination instead of - automatically provisioning one. Either this field or both capacity and - accessModes must be specified. - type: string - moverAffinity: - description: MoverAffinity allows specifying the PodAffinity that will be used by the data mover - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. 
- properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. 
The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. 
due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - moverPodLabels: - additionalProperties: - type: string - description: |- - Labels that should be added to data mover pods - These will be in addition to any labels that VolSync may add - type: object - moverResources: - description: |- - Resources represents compute resources required by the data mover container. - Immutable. - More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - This should only be used by advanced users as this can result in a mover - pod being unschedulable or crashing due to limited resources. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. 
- type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - moverSecurityContext: - description: |- - MoverSecurityContext allows specifying the PodSecurityContext that will - be used by the data mover - properties: - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. 
- Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. 
- If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxChangePolicy: - description: |- - seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. - It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. - Valid values are "MountOption" and "Recursive". - - "Recursive" means relabeling of all files on all Pod volumes by the container runtime. - This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. - - "MountOption" mounts all eligible Pod volumes with `-o context` mount option. - This requires all Pods that share the same volume to use the same SELinux label. - It is not possible to share the same volume among privileged and unprivileged Pods. - Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes - whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their - CSIDriver instance. Other volumes are always re-labelled recursively. - "MountOption" value is allowed only when SELinuxMount feature gate is enabled. - - If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. 
- If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes - and "Recursive" for all other volumes. - - This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. - - All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. - Note that this field cannot be set when spec.os.name is windows. - type: string - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. 
- Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in - addition to the container's primary GID and fsGroup (if specified). If - the SupplementalGroupsPolicy feature is enabled, the - supplementalGroupsPolicy field determines whether these are in addition - to or instead of any group memberships defined in the container image. - If unspecified, no additional groups are added, though group memberships - defined in the container image may still be used, depending on the - supplementalGroupsPolicy field. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - description: |- - Defines how supplemental groups of the first container processes are calculated. - Valid values are "Merge" and "Strict". If not specified, "Merge" is used. - (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled - and the container runtime must implement support for this feature. - Note that this field cannot be set when spec.os.name is windows. - type: string - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. 
- items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - moverServiceAccount: - description: |- - MoverServiceAccount allows specifying the name of the service account - that will be used by the data mover. 
This should only be used by advanced - users who want to override the service account normally used by the mover. - The service account needs to exist in the same namespace as this CR. - type: string - moverVolumes: - description: |- - MoverVolumes are PVCs or Secrets that should additionally be mounted to the mover job pod. - This should only be used by advanced users. - items: - properties: - mountPath: - description: |- - Path to give the volume when mounting under /mnt in the mover job pod. - For example if mountPath is 'my-pvc' then this moverVolume will be mounted in the mover pod - at /mnt/my-pvc - type: string - volumeSource: - description: volumeSource represents the secret or PersistentVolumeClaim that should be mounted to the mover pod. - properties: - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - nolint:lll - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. 
- Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - type: object - required: - - mountPath - - volumeSource - type: object - type: array - rcloneConfig: - description: RcloneConfig is the rclone secret name - type: string - rcloneConfigSection: - description: RcloneConfigSection is the section in rclone_config file to use for the current job. - type: string - rcloneDestPath: - description: RcloneDestPath is the remote path to sync to. - type: string - storageClassName: - description: |- - storageClassName can be used to specify the StorageClass of the - destination volume. If not set, the default StorageClass will be used. - type: string - volumeSnapshotClassName: - description: |- - volumeSnapshotClassName can be used to specify the VSC to be used if - copyMethod is Snapshot. If not set, the default VSC is used. - type: string - type: object - restic: - description: restic defines the configuration when using Restic-based replication. - properties: - accessModes: - description: accessModes specifies the access modes for the destination volume. - items: - type: string - minItems: 1 - type: array - cacheAccessModes: - description: accessModes can be used to set the accessModes of restic metadata cache volume - items: - type: string - type: array - cacheCapacity: - anyOf: - - type: integer - - type: string - description: cacheCapacity can be used to set the size of the restic metadata cache volume - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - cacheStorageClassName: - description: |- - cacheStorageClassName can be used to set the StorageClass of the restic - metadata cache volume - type: string - capacity: - anyOf: - - type: integer - - type: string - description: capacity is the size of the destination volume to create. 
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - cleanupCachePVC: - description: |- - Set this to true to delete the restic cache PVC (dynamically provisioned - by VolSync) at the end of each successful ReplicationDestination sync iteration. - Cache PVCs will always be deleted if the owning ReplicationDestination is - removed, even if this setting is false. - The default is false. - type: boolean - cleanupTempPVC: - description: |- - Set this to true to delete the temp destination PVC (dynamically provisioned - by VolSync) at the end of each successful ReplicationDestination sync iteration. - If destinationPVC is set, this will have no effect, VolSync will only - cleanup temp PVCs that it deployed. - Note that if this is set to true, every sync this ReplicationDestination - makes will re-provision a new temp destination PVC and all data - will need to be sent again during the sync. - Dynamically provisioned destination PVCs will always be deleted if the - owning ReplicationDestination is removed, even if this setting is false. - The default is false. - type: boolean - copyMethod: - description: |- - copyMethod describes how a point-in-time (PiT) image of the destination - volume should be created. 
- enum: - - Direct - - None - - Clone - - Snapshot - type: string - customCA: - description: customCA is a custom CA that will be used to verify the remote - properties: - configMapName: - description: |- - The name of a ConfigMap that contains the custom CA certificate - If ConfigMapName is used then SecretName should not be set - type: string - key: - description: The key within the Secret or ConfigMap containing the CA certificate - type: string - secretName: - description: |- - The name of a Secret that contains the custom CA certificate - If SecretName is used then ConfigMapName should not be set - type: string - type: object - destinationPVC: - description: |- - destinationPVC is a PVC to use as the transfer destination instead of - automatically provisioning one. Either this field or both capacity and - accessModes must be specified. - type: string - enableFileDeletion: - description: |- - enableFileDeletion will pass the --delete flag to the restic restore command. - This will remove files and directories in the pvc that do not exist in the snapshot being restored. - Defaults to false. - type: boolean - moverAffinity: - description: MoverAffinity allows specifying the PodAffinity that will be used by the data mover - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. 
- properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. 
The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. 
due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - moverPodLabels: - additionalProperties: - type: string - description: |- - Labels that should be added to data mover pods - These will be in addition to any labels that VolSync may add - type: object - moverResources: - description: |- - Resources represents compute resources required by the data mover container. - Immutable. - More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - This should only be used by advanced users as this can result in a mover - pod being unschedulable or crashing due to limited resources. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. 
- type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - moverSecurityContext: - description: |- - MoverSecurityContext allows specifying the PodSecurityContext that will - be used by the data mover - properties: - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. 
- Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. 
- If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxChangePolicy: - description: |- - seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. - It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. - Valid values are "MountOption" and "Recursive". - - "Recursive" means relabeling of all files on all Pod volumes by the container runtime. - This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. - - "MountOption" mounts all eligible Pod volumes with `-o context` mount option. - This requires all Pods that share the same volume to use the same SELinux label. - It is not possible to share the same volume among privileged and unprivileged Pods. - Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes - whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their - CSIDriver instance. Other volumes are always re-labelled recursively. - "MountOption" value is allowed only when SELinuxMount feature gate is enabled. - - If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. 
- If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes - and "Recursive" for all other volumes. - - This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. - - All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. - Note that this field cannot be set when spec.os.name is windows. - type: string - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. 
- Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in - addition to the container's primary GID and fsGroup (if specified). If - the SupplementalGroupsPolicy feature is enabled, the - supplementalGroupsPolicy field determines whether these are in addition - to or instead of any group memberships defined in the container image. - If unspecified, no additional groups are added, though group memberships - defined in the container image may still be used, depending on the - supplementalGroupsPolicy field. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - description: |- - Defines how supplemental groups of the first container processes are calculated. - Valid values are "Merge" and "Strict". If not specified, "Merge" is used. - (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled - and the container runtime must implement support for this feature. - Note that this field cannot be set when spec.os.name is windows. - type: string - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. 
- items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - moverServiceAccount: - description: |- - MoverServiceAccount allows specifying the name of the service account - that will be used by the data mover. 
This should only be used by advanced - users who want to override the service account normally used by the mover. - The service account needs to exist in the same namespace as this CR. - type: string - moverVolumes: - description: |- - MoverVolumes are PVCs or Secrets that should additionally be mounted to the mover job pod. - This should only be used by advanced users. - items: - properties: - mountPath: - description: |- - Path to give the volume when mounting under /mnt in the mover job pod. - For example if mountPath is 'my-pvc' then this moverVolume will be mounted in the mover pod - at /mnt/my-pvc - type: string - volumeSource: - description: volumeSource represents the secret or PersistentVolumeClaim that should be mounted to the mover pod. - properties: - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - nolint:lll - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. 
- Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - type: object - required: - - mountPath - - volumeSource - type: object - type: array - previous: - description: Previous specifies the number of image to skip before selecting one to restore from - format: int32 - type: integer - repository: - description: Repository is the secret name containing repository info - type: string - restoreAsOf: - description: RestoreAsOf refers to the backup that is most recent as of that time. - format: date-time - type: string - storageClassName: - description: |- - storageClassName can be used to specify the StorageClass of the - destination volume. If not set, the default StorageClass will be used. - type: string - volumeSnapshotClassName: - description: |- - volumeSnapshotClassName can be used to specify the VSC to be used if - copyMethod is Snapshot. If not set, the default VSC is used. - type: string - type: object - rsync: - description: rsync defines the configuration when using Rsync-based replication. - properties: - accessModes: - description: accessModes specifies the access modes for the destination volume. - items: - type: string - minItems: 1 - type: array - address: - description: address is the remote address to connect to for replication. - type: string - capacity: - anyOf: - - type: integer - - type: string - description: capacity is the size of the destination volume to create. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - cleanupTempPVC: - description: |- - Set this to true to delete the temp destination PVC (dynamically provisioned - by VolSync) at the end of each successful ReplicationDestination sync iteration. - If destinationPVC is set, this will have no effect, VolSync will only - cleanup temp PVCs that it deployed. 
- Note that if this is set to true, every sync this ReplicationDestination - makes will re-provision a new temp destination PVC and all data - will need to be sent again during the sync. - Dynamically provisioned destination PVCs will always be deleted if the - owning ReplicationDestination is removed, even if this setting is false. - The default is false. - type: boolean - copyMethod: - description: |- - copyMethod describes how a point-in-time (PiT) image of the destination - volume should be created. - enum: - - Direct - - None - - Clone - - Snapshot - type: string - destinationPVC: - description: |- - destinationPVC is a PVC to use as the transfer destination instead of - automatically provisioning one. Either this field or both capacity and - accessModes must be specified. - type: string - moverPodLabels: - additionalProperties: - type: string - description: |- - Labels that should be added to data mover pods - These will be in addition to any labels that VolSync may add - type: object - moverResources: - description: |- - Resources represents compute resources required by the data mover container. - Immutable. - More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - This should only be used by advanced users as this can result in a mover - pod being unschedulable or crashing due to limited resources. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. 
- type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - moverServiceAccount: - description: |- - MoverServiceAccount allows specifying the name of the service account - that will be used by the data mover. This should only be used by advanced - users who want to override the service account normally used by the mover. - The service account needs to exist in the same namespace as the ReplicationDestination. - type: string - path: - description: This field is not used and will be ignored - type: string - port: - description: port is the SSH port to connect to for replication. Defaults to 22. 
- format: int32 - maximum: 65535 - minimum: 0 - type: integer - serviceAnnotations: - additionalProperties: - type: string - description: |- - serviceAnnotations defines annotations that will be added to the - service created for incoming SSH connections. If set, these annotations - will be used instead of any VolSync default values. - type: object - serviceType: - description: |- - serviceType determines the Service type that will be created for incoming - SSH connections. - type: string - sshKeys: - description: |- - sshKeys is the name of a Secret that contains the SSH keys to be used for - authentication. If not provided, the keys will be generated. - type: string - sshUser: - description: sshUser is the username for outgoing SSH connections. Defaults to "root". - type: string - storageClassName: - description: |- - storageClassName can be used to specify the StorageClass of the - destination volume. If not set, the default StorageClass will be used. - type: string - volumeMode: - description: |- - Will be used for the dynamic destination PVC created by VolSync. - Defaults to "Filesystem" - type: string - volumeSnapshotClassName: - description: |- - volumeSnapshotClassName can be used to specify the VSC to be used if - copyMethod is Snapshot. If not set, the default VSC is used. - type: string - type: object - rsyncTLS: - description: rsyncTLS defines the configuration when using Rsync-based replication over TLS. - properties: - accessModes: - description: accessModes specifies the access modes for the destination volume. - items: - type: string - minItems: 1 - type: array - capacity: - anyOf: - - type: integer - - type: string - description: capacity is the size of the destination volume to create. 
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - cleanupTempPVC: - description: |- - Set this to true to delete the temp destination PVC (dynamically provisioned - by VolSync) at the end of each successful ReplicationDestination sync iteration. - If destinationPVC is set, this will have no effect, VolSync will only - cleanup temp PVCs that it deployed. - Note that if this is set to true, every sync this ReplicationDestination - makes will re-provision a new temp destination PVC and all data - will need to be sent again during the sync. - Dynamically provisioned destination PVCs will always be deleted if the - owning ReplicationDestination is removed, even if this setting is false. - The default is false. - type: boolean - copyMethod: - description: |- - copyMethod describes how a point-in-time (PiT) image of the destination - volume should be created. - enum: - - Direct - - None - - Clone - - Snapshot - type: string - destinationPVC: - description: |- - destinationPVC is a PVC to use as the transfer destination instead of - automatically provisioning one. Either this field or both capacity and - accessModes must be specified. - type: string - keySecret: - description: |- - keySecret is the name of a Secret that contains the TLS pre-shared key to - be used for authentication. If not provided, the key will be generated. - type: string - moverAffinity: - description: MoverAffinity allows specifying the PodAffinity that will be used by the data mover - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. 
The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 
- properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. 
The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. 
due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - moverPodLabels: - additionalProperties: - type: string - description: |- - Labels that should be added to data mover pods - These will be in addition to any labels that VolSync may add - type: object - moverResources: - description: |- - Resources represents compute resources required by the data mover container. - Immutable. - More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - This should only be used by advanced users as this can result in a mover - pod being unschedulable or crashing due to limited resources. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. 
- type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - moverSecurityContext: - description: |- - MoverSecurityContext allows specifying the PodSecurityContext that will - be used by the data mover - properties: - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. 
- Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. 
- If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxChangePolicy: - description: |- - seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. - It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. - Valid values are "MountOption" and "Recursive". - - "Recursive" means relabeling of all files on all Pod volumes by the container runtime. - This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. - - "MountOption" mounts all eligible Pod volumes with `-o context` mount option. - This requires all Pods that share the same volume to use the same SELinux label. - It is not possible to share the same volume among privileged and unprivileged Pods. - Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes - whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their - CSIDriver instance. Other volumes are always re-labelled recursively. - "MountOption" value is allowed only when SELinuxMount feature gate is enabled. - - If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. 
- If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes - and "Recursive" for all other volumes. - - This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. - - All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. - Note that this field cannot be set when spec.os.name is windows. - type: string - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. 
- Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in - addition to the container's primary GID and fsGroup (if specified). If - the SupplementalGroupsPolicy feature is enabled, the - supplementalGroupsPolicy field determines whether these are in addition - to or instead of any group memberships defined in the container image. - If unspecified, no additional groups are added, though group memberships - defined in the container image may still be used, depending on the - supplementalGroupsPolicy field. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - description: |- - Defines how supplemental groups of the first container processes are calculated. - Valid values are "Merge" and "Strict". If not specified, "Merge" is used. - (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled - and the container runtime must implement support for this feature. - Note that this field cannot be set when spec.os.name is windows. - type: string - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. 
- items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - moverServiceAccount: - description: |- - MoverServiceAccount allows specifying the name of the service account - that will be used by the data mover. 
This should only be used by advanced - users who want to override the service account normally used by the mover. - The service account needs to exist in the same namespace as this CR. - type: string - moverVolumes: - description: |- - MoverVolumes are PVCs or Secrets that should additionally be mounted to the mover job pod. - This should only be used by advanced users. - items: - properties: - mountPath: - description: |- - Path to give the volume when mounting under /mnt in the mover job pod. - For example if mountPath is 'my-pvc' then this moverVolume will be mounted in the mover pod - at /mnt/my-pvc - type: string - volumeSource: - description: volumeSource represents the secret or PersistentVolumeClaim that should be mounted to the mover pod. - properties: - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - nolint:lll - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. 
- Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - type: object - required: - - mountPath - - volumeSource - type: object - type: array - serviceAnnotations: - additionalProperties: - type: string - description: |- - serviceAnnotations defines annotations that will be added to the - service created for incoming SSH connections. If set, these annotations - will be used instead of any VolSync default values. - type: object - serviceType: - description: |- - serviceType determines the Service type that will be created for incoming - TLS connections. - type: string - storageClassName: - description: |- - storageClassName can be used to specify the StorageClass of the - destination volume. If not set, the default StorageClass will be used. - type: string - volumeMode: - description: |- - Will be used for the dynamic destination PVC created by VolSync. - Defaults to "Filesystem" - type: string - volumeSnapshotClassName: - description: |- - volumeSnapshotClassName can be used to specify the VSC to be used if - copyMethod is Snapshot. If not set, the default VSC is used. - type: string - type: object - trigger: - description: |- - trigger determines if/when the destination should attempt to synchronize - data with the source. - properties: - manual: - description: |- - manual is a string value that schedules a manual trigger. - Once a sync completes then status.lastManualSync is set to the same string value. - A consumer of a manual trigger should set spec.trigger.manual to a known value - and then wait for lastManualSync to be updated by the operator to the same value, - which means that the manual trigger will then pause and wait for further - updates to the trigger. - type: string - schedule: - description: |- - schedule is a cronspec (https://en.wikipedia.org/wiki/Cron#Overview) that - can be used to schedule replication to occur at regular, time-based - intervals. 
- nolint:lll - pattern: ^(@(annually|yearly|monthly|weekly|daily|hourly))|((((\d+,)*\d+|(\d+(\/|-)\d+)|\*(\/\d+)?)\s?){5})$ - type: string - type: object - type: object - status: - description: |- - status is the observed state of the ReplicationDestination as determined - by the controller. - properties: - conditions: - description: |- - conditions represent the latest available observations of the - destination's state. - items: - description: Condition contains details for one aspect of the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - external: - additionalProperties: - type: string - description: |- - external contains provider-specific status information. For more details, - please see the documentation of the specific replication provider being - used. - type: object - lastManualSync: - description: lastManualSync is set to the last spec.trigger.manual when the manual sync is done. - type: string - lastSyncDuration: - description: |- - lastSyncDuration is the amount of time required to send the most recent - update. - type: string - lastSyncStartTime: - description: lastSyncStartTime is the time the most recent synchronization started. - format: date-time - type: string - lastSyncTime: - description: lastSyncTime is the time of the most recent successful synchronization. - format: date-time - type: string - latestImage: - description: |- - latestImage in the object holding the most recent consistent replicated - image. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. 
- type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - latestMoverStatus: - description: Logs/Summary from latest mover job - properties: - logs: - type: string - result: - type: string - type: object - nextSyncTime: - description: |- - nextSyncTime is the time when the next volume synchronization is - scheduled to start (for schedule-based synchronization). - format: date-time - type: string - rsync: - description: rsync contains status information for Rsync-based replication. - properties: - address: - description: |- - address is the address to connect to for incoming SSH replication - connections. - type: string - port: - description: |- - port is the SSH port to connect to for incoming SSH replication - connections. - format: int32 - type: integer - sshKeys: - description: |- - sshKeys is the name of a Secret that contains the SSH keys to be used for - authentication. If not provided in .spec.rsync.sshKeys, SSH keys will be - generated and the appropriate keys for the remote side will be placed - here. - type: string - type: object - rsyncTLS: - description: rsyncTLS contains status information for Rsync-based replication over TLS. - properties: - address: - description: address is the address to connect to for incoming TLS connections. - type: string - keySecret: - description: |- - keySecret is the name of a Secret that contains the TLS pre-shared key to - be used for authentication. If not provided in .spec.rsyncTLS.keySecret, - the key Secret will be generated and named here. - type: string - port: - description: port is the port to connect to for incoming replication connections. 
- format: int32 - type: integer - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: volsync/charts/volsync/templates/volsync.backube_replicationsources.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - helm.sh/resource-policy: keep - name: replicationsources.volsync.backube -spec: - group: volsync.backube - names: - kind: ReplicationSource - listKind: ReplicationSourceList - plural: replicationsources - singular: replicationsource - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.sourcePVC - name: Source - type: string - - format: date-time - jsonPath: .status.lastSyncTime - name: Last sync - type: string - - jsonPath: .status.lastSyncDuration - name: Duration - type: string - - format: date-time - jsonPath: .status.nextSyncTime - name: Next sync - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - A ReplicationSource is a VolSync resource that you can use to define the source PVC and replication mover type, - enabling you to replicate or synchronize PVC data to a remote location. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ReplicationSource, including the - replication method to use and its configuration. - properties: - external: - description: |- - external defines the configuration when using an external replication - provider. - properties: - parameters: - additionalProperties: - type: string - description: |- - parameters are provider-specific key/value configuration parameters. For - more information, please see the documentation of the specific - replication provider being used. - type: object - provider: - description: |- - provider is the name of the external replication provider. The name - should be of the form: domain.com/provider. - type: string - type: object - paused: - description: paused can be used to temporarily stop replication. Defaults to "false". - type: boolean - rclone: - description: rclone defines the configuration when using Rclone-based replication. - properties: - accessModes: - description: accessModes can be used to override the accessModes of the PiT image. - items: - type: string - minItems: 1 - type: array - capacity: - anyOf: - - type: integer - - type: string - description: capacity can be used to override the capacity of the PiT image. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - copyMethod: - description: |- - copyMethod describes how a point-in-time (PiT) image of the source volume - should be created. 
- enum: - - Direct - - None - - Clone - - Snapshot - type: string - customCA: - description: customCA is a custom CA that will be used to verify the remote - properties: - configMapName: - description: |- - The name of a ConfigMap that contains the custom CA certificate - If ConfigMapName is used then SecretName should not be set - type: string - key: - description: The key within the Secret or ConfigMap containing the CA certificate - type: string - secretName: - description: |- - The name of a Secret that contains the custom CA certificate - If SecretName is used then ConfigMapName should not be set - type: string - type: object - moverAffinity: - description: MoverAffinity allows specifying the PodAffinity that will be used by the data mover - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. 
The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - moverPodLabels: - additionalProperties: - type: string - description: |- - Labels that should be added to data mover pods - These will be in addition to any labels that VolSync may add - type: object - moverResources: - description: |- - Resources represents compute resources required by the data mover container. - Immutable. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - This should only be used by advanced users as this can result in a mover - pod being unschedulable or crashing due to limited resources. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - moverSecurityContext: - description: |- - MoverSecurityContext allows specifying the PodSecurityContext that will - be used by the data mover - properties: - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. 
This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxChangePolicy: - description: |- - seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. - It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. - Valid values are "MountOption" and "Recursive". 
- - "Recursive" means relabeling of all files on all Pod volumes by the container runtime. - This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. - - "MountOption" mounts all eligible Pod volumes with `-o context` mount option. - This requires all Pods that share the same volume to use the same SELinux label. - It is not possible to share the same volume among privileged and unprivileged Pods. - Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes - whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their - CSIDriver instance. Other volumes are always re-labelled recursively. - "MountOption" value is allowed only when SELinuxMount feature gate is enabled. - - If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. - If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes - and "Recursive" for all other volumes. - - This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. - - All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. - Note that this field cannot be set when spec.os.name is windows. - type: string - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to the container. 
- type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in - addition to the container's primary GID and fsGroup (if specified). If - the SupplementalGroupsPolicy feature is enabled, the - supplementalGroupsPolicy field determines whether these are in addition - to or instead of any group memberships defined in the container image. - If unspecified, no additional groups are added, though group memberships - defined in the container image may still be used, depending on the - supplementalGroupsPolicy field. - Note that this field cannot be set when spec.os.name is windows. 
- items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - description: |- - Defines how supplemental groups of the first container processes are calculated. - Valid values are "Merge" and "Strict". If not specified, "Merge" is used. - (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled - and the container runtime must implement support for this feature. - Note that this field cannot be set when spec.os.name is windows. - type: string - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. 
- All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - moverServiceAccount: - description: |- - MoverServiceAccount allows specifying the name of the service account - that will be used by the data mover. This should only be used by advanced - users who want to override the service account normally used by the mover. - The service account needs to exist in the same namespace as this CR. - type: string - moverVolumes: - description: |- - MoverVolumes are PVCs or Secrets that should additionally be mounted to the mover job pod. - This should only be used by advanced users. - items: - properties: - mountPath: - description: |- - Path to give the volume when mounting under /mnt in the mover job pod. - For example if mountPath is 'my-pvc' then this moverVolume will be mounted in the mover pod - at /mnt/my-pvc - type: string - volumeSource: - description: volumeSource represents the secret or PersistentVolumeClaim that should be mounted to the mover pod. - properties: - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - nolint:lll - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - type: object - required: - - mountPath - - volumeSource - type: object - type: array - rcloneConfig: - description: RcloneConfig is the rclone secret name - type: string - rcloneConfigSection: - description: RcloneConfigSection is the section in rclone_config file to use for the current job. - type: string - rcloneDestPath: - description: RcloneDestPath is the remote path to sync to. - type: string - storageClassName: - description: |- - storageClassName can be used to override the StorageClass of the PiT - image. - type: string - volumeSnapshotClassName: - description: |- - volumeSnapshotClassName can be used to specify the VSC to be used if - copyMethod is Snapshot. If not set, the default VSC is used. - type: string - type: object - restic: - description: restic defines the configuration when using Restic-based replication. - properties: - accessModes: - description: accessModes can be used to override the accessModes of the PiT image. 
- items: - type: string - minItems: 1 - type: array - cacheAccessModes: - description: CacheAccessModes can be used to set the accessModes of restic metadata cache volume - items: - type: string - type: array - cacheCapacity: - anyOf: - - type: integer - - type: string - description: cacheCapacity can be used to set the size of the restic metadata cache volume - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - cacheStorageClassName: - description: |- - cacheStorageClassName can be used to set the StorageClass of the restic - metadata cache volume - type: string - capacity: - anyOf: - - type: integer - - type: string - description: capacity can be used to override the capacity of the PiT image. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - copyMethod: - description: |- - copyMethod describes how a point-in-time (PiT) image of the source volume - should be created. - enum: - - Direct - - None - - Clone - - Snapshot - type: string - customCA: - description: customCA is a custom CA that will be used to verify the remote - properties: - configMapName: - description: |- - The name of a ConfigMap that contains the custom CA certificate - If ConfigMapName is used then SecretName should not be set - type: string - key: - description: The key within the Secret or ConfigMap containing the CA certificate - type: string - secretName: - description: |- - The name of a Secret that contains the custom CA certificate - If SecretName is used then ConfigMapName should not be set - type: string - type: object - moverAffinity: - description: MoverAffinity allows specifying the PodAffinity that will be used by the data mover - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. 
The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. 
due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - moverPodLabels: - additionalProperties: - type: string - description: |- - Labels that should be added to data mover pods - These will be in addition to any labels that VolSync may add - type: object - moverResources: - description: |- - Resources represents compute resources required by the data mover container. - Immutable. - More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - This should only be used by advanced users as this can result in a mover - pod being unschedulable or crashing due to limited resources. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. 
- type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - moverSecurityContext: - description: |- - MoverSecurityContext allows specifying the PodSecurityContext that will - be used by the data mover - properties: - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. 
- Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. 
- If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxChangePolicy: - description: |- - seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. - It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. - Valid values are "MountOption" and "Recursive". - - "Recursive" means relabeling of all files on all Pod volumes by the container runtime. - This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. - - "MountOption" mounts all eligible Pod volumes with `-o context` mount option. - This requires all Pods that share the same volume to use the same SELinux label. - It is not possible to share the same volume among privileged and unprivileged Pods. - Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes - whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their - CSIDriver instance. Other volumes are always re-labelled recursively. - "MountOption" value is allowed only when SELinuxMount feature gate is enabled. - - If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. 
- If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes - and "Recursive" for all other volumes. - - This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. - - All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. - Note that this field cannot be set when spec.os.name is windows. - type: string - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. 
- Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in - addition to the container's primary GID and fsGroup (if specified). If - the SupplementalGroupsPolicy feature is enabled, the - supplementalGroupsPolicy field determines whether these are in addition - to or instead of any group memberships defined in the container image. - If unspecified, no additional groups are added, though group memberships - defined in the container image may still be used, depending on the - supplementalGroupsPolicy field. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - description: |- - Defines how supplemental groups of the first container processes are calculated. - Valid values are "Merge" and "Strict". If not specified, "Merge" is used. - (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled - and the container runtime must implement support for this feature. - Note that this field cannot be set when spec.os.name is windows. - type: string - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. 
- items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - moverServiceAccount: - description: |- - MoverServiceAccount allows specifying the name of the service account - that will be used by the data mover. 
This should only be used by advanced - users who want to override the service account normally used by the mover. - The service account needs to exist in the same namespace as this CR. - type: string - moverVolumes: - description: |- - MoverVolumes are PVCs or Secrets that should additionally be mounted to the mover job pod. - This should only be used by advanced users. - items: - properties: - mountPath: - description: |- - Path to give the volume when mounting under /mnt in the mover job pod. - For example if mountPath is 'my-pvc' then this moverVolume will be mounted in the mover pod - at /mnt/my-pvc - type: string - volumeSource: - description: volumeSource represents the secret or PersistentVolumeClaim that should be mounted to the mover pod. - properties: - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - nolint:lll - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. 
- Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - type: object - required: - - mountPath - - volumeSource - type: object - type: array - pruneIntervalDays: - description: PruneIntervalDays define how often to prune the repository - format: int32 - type: integer - repository: - description: Repository is the secret name containing repository info - type: string - retain: - description: ResticRetainPolicy define the retain policy - properties: - daily: - description: Daily defines the number of snapshots to be kept daily - format: int32 - type: integer - hourly: - description: Hourly defines the number of snapshots to be kept hourly - format: int32 - type: integer - last: - description: Last defines the number of snapshots to be kept - type: string - monthly: - description: Monthly defines the number of snapshots to be kept monthly - format: int32 - type: integer - weekly: - description: Weekly defines the number of snapshots to be kept weekly - format: int32 - type: integer - within: - description: Within defines the number of snapshots to be kept Within the given time period - type: string - yearly: - description: Yearly defines the number of snapshots to be kept yearly - format: int32 - type: integer - type: object - storageClassName: - description: |- - storageClassName can be used to override the StorageClass of the PiT - image. - type: string - unlock: - description: |- - unlock is a string value that schedules an unlock on the restic repository during - the next sync operation. - Once a sync completes then status.restic.lastUnlocked is set to the same string value. - To unlock a repository, set spec.restic.unlock to a known value and then wait for - lastUnlocked to be updated by the operator to the same value, - which means that the sync unlocked the repository by running a restic unlock command and - then ran a backup. - Unlock will not be run again unless spec.restic.unlock is set to a different value. 
- type: string - volumeSnapshotClassName: - description: |- - volumeSnapshotClassName can be used to specify the VSC to be used if - copyMethod is Snapshot. If not set, the default VSC is used. - type: string - type: object - rsync: - description: rsync defines the configuration when using Rsync-based replication. - properties: - accessModes: - description: accessModes can be used to override the accessModes of the PiT image. - items: - type: string - minItems: 1 - type: array - address: - description: address is the remote address to connect to for replication. - type: string - capacity: - anyOf: - - type: integer - - type: string - description: capacity can be used to override the capacity of the PiT image. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - copyMethod: - description: |- - copyMethod describes how a point-in-time (PiT) image of the source volume - should be created. - enum: - - Direct - - None - - Clone - - Snapshot - type: string - moverPodLabels: - additionalProperties: - type: string - description: |- - Labels that should be added to data mover pods - These will be in addition to any labels that VolSync may add - type: object - moverResources: - description: |- - Resources represents compute resources required by the data mover container. - Immutable. - More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - This should only be used by advanced users as this can result in a mover - pod being unschedulable or crashing due to limited resources. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. 
- items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - moverServiceAccount: - description: |- - MoverServiceAccount allows specifying the name of the service account - that will be used by the data mover. This should only be used by advanced - users who want to override the service account normally used by the mover. 
- The service account needs to exist in the same namespace as the ReplicationSource. - type: string - path: - description: This field is not used and will be ignored - type: string - port: - description: port is the SSH port to connect to for replication. Defaults to 22. - format: int32 - maximum: 65535 - minimum: 0 - type: integer - serviceType: - description: |- - serviceType determines the Service type that will be created for incoming - SSH connections. - type: string - sshKeys: - description: |- - sshKeys is the name of a Secret that contains the SSH keys to be used for - authentication. If not provided, the keys will be generated. - type: string - sshUser: - description: sshUser is the username for outgoing SSH connections. Defaults to "root". - type: string - storageClassName: - description: |- - storageClassName can be used to override the StorageClass of the PiT - image. - type: string - volumeSnapshotClassName: - description: |- - volumeSnapshotClassName can be used to specify the VSC to be used if - copyMethod is Snapshot. If not set, the default VSC is used. - type: string - type: object - rsyncTLS: - description: rsyncTLS defines the configuration when using Rsync-based replication over TLS. - properties: - accessModes: - description: accessModes can be used to override the accessModes of the PiT image. - items: - type: string - minItems: 1 - type: array - address: - description: address is the remote address to connect to for replication. - type: string - capacity: - anyOf: - - type: integer - - type: string - description: capacity can be used to override the capacity of the PiT image. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - copyMethod: - description: |- - copyMethod describes how a point-in-time (PiT) image of the source volume - should be created. 
- enum: - - Direct - - None - - Clone - - Snapshot - type: string - keySecret: - description: |- - keySecret is the name of a Secret that contains the TLS pre-shared key to - be used for authentication. If not provided, the key will be generated. - type: string - moverAffinity: - description: MoverAffinity allows specifying the PodAffinity that will be used by the data mover - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 
- type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 
- format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - moverPodLabels: - additionalProperties: - type: string - description: |- - Labels that should be added to data mover pods - These will be in addition to any labels that VolSync may add - type: object - moverResources: - description: |- - Resources represents compute resources required by the data mover container. - Immutable. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - This should only be used by advanced users as this can result in a mover - pod being unschedulable or crashing due to limited resources. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - moverSecurityContext: - description: |- - MoverSecurityContext allows specifying the PodSecurityContext that will - be used by the data mover - properties: - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. 
This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxChangePolicy: - description: |- - seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. - It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. - Valid values are "MountOption" and "Recursive". 
- - "Recursive" means relabeling of all files on all Pod volumes by the container runtime. - This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. - - "MountOption" mounts all eligible Pod volumes with `-o context` mount option. - This requires all Pods that share the same volume to use the same SELinux label. - It is not possible to share the same volume among privileged and unprivileged Pods. - Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes - whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their - CSIDriver instance. Other volumes are always re-labelled recursively. - "MountOption" value is allowed only when SELinuxMount feature gate is enabled. - - If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. - If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes - and "Recursive" for all other volumes. - - This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. - - All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. - Note that this field cannot be set when spec.os.name is windows. - type: string - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to the container. 
- type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in - addition to the container's primary GID and fsGroup (if specified). If - the SupplementalGroupsPolicy feature is enabled, the - supplementalGroupsPolicy field determines whether these are in addition - to or instead of any group memberships defined in the container image. - If unspecified, no additional groups are added, though group memberships - defined in the container image may still be used, depending on the - supplementalGroupsPolicy field. - Note that this field cannot be set when spec.os.name is windows. 
- items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - description: |- - Defines how supplemental groups of the first container processes are calculated. - Valid values are "Merge" and "Strict". If not specified, "Merge" is used. - (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled - and the container runtime must implement support for this feature. - Note that this field cannot be set when spec.os.name is windows. - type: string - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. 
- All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - moverServiceAccount: - description: |- - MoverServiceAccount allows specifying the name of the service account - that will be used by the data mover. This should only be used by advanced - users who want to override the service account normally used by the mover. - The service account needs to exist in the same namespace as this CR. - type: string - moverVolumes: - description: |- - MoverVolumes are PVCs or Secrets that should additionally be mounted to the mover job pod. - This should only be used by advanced users. - items: - properties: - mountPath: - description: |- - Path to give the volume when mounting under /mnt in the mover job pod. - For example if mountPath is 'my-pvc' then this moverVolume will be mounted in the mover pod - at /mnt/my-pvc - type: string - volumeSource: - description: volumeSource represents the secret or PersistentVolumeClaim that should be mounted to the mover pod. - properties: - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - nolint:lll - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - type: object - required: - - mountPath - - volumeSource - type: object - type: array - port: - description: port is the port to connect to for replication. Defaults to 8000. - format: int32 - maximum: 65535 - minimum: 0 - type: integer - storageClassName: - description: |- - storageClassName can be used to override the StorageClass of the PiT - image. - type: string - volumeSnapshotClassName: - description: |- - volumeSnapshotClassName can be used to specify the VSC to be used if - copyMethod is Snapshot. If not set, the default VSC is used. - type: string - type: object - sourcePVC: - description: sourcePVC is the name of the PersistentVolumeClaim (PVC) to replicate. - type: string - syncthing: - description: syncthing defines the configuration when using Syncthing-based replication. - properties: - configAccessModes: - description: Used to set the accessModes of Syncthing config volume. - items: - type: string - type: array - configCapacity: - anyOf: - - type: integer - - type: string - description: Used to set the size of the Syncthing config volume. 
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - configStorageClassName: - description: Used to set the StorageClass of the Syncthing config volume. - type: string - moverAffinity: - description: MoverAffinity allows specifying the PodAffinity that will be used by the data mover - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. 
- Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 
- format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements by node's fields. 
- items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - moverPodLabels: - additionalProperties: - type: string - description: |- - Labels that should be added to data mover pods - These will be in addition to any labels that VolSync may add - type: object - moverResources: - description: |- - Resources represents compute resources required by the data mover container. - Immutable. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - This should only be used by advanced users as this can result in a mover - pod being unschedulable or crashing due to limited resources. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - moverSecurityContext: - description: |- - MoverSecurityContext allows specifying the PodSecurityContext that will - be used by the data mover - properties: - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. 
This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxChangePolicy: - description: |- - seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. - It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. - Valid values are "MountOption" and "Recursive". 
- - "Recursive" means relabeling of all files on all Pod volumes by the container runtime. - This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. - - "MountOption" mounts all eligible Pod volumes with `-o context` mount option. - This requires all Pods that share the same volume to use the same SELinux label. - It is not possible to share the same volume among privileged and unprivileged Pods. - Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes - whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their - CSIDriver instance. Other volumes are always re-labelled recursively. - "MountOption" value is allowed only when SELinuxMount feature gate is enabled. - - If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. - If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes - and "Recursive" for all other volumes. - - This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. - - All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. - Note that this field cannot be set when spec.os.name is windows. - type: string - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to the container. 
- type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in - addition to the container's primary GID and fsGroup (if specified). If - the SupplementalGroupsPolicy feature is enabled, the - supplementalGroupsPolicy field determines whether these are in addition - to or instead of any group memberships defined in the container image. - If unspecified, no additional groups are added, though group memberships - defined in the container image may still be used, depending on the - supplementalGroupsPolicy field. - Note that this field cannot be set when spec.os.name is windows. 
- items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - description: |- - Defines how supplemental groups of the first container processes are calculated. - Valid values are "Merge" and "Strict". If not specified, "Merge" is used. - (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled - and the container runtime must implement support for this feature. - Note that this field cannot be set when spec.os.name is windows. - type: string - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. 
- All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - moverServiceAccount: - description: |- - MoverServiceAccount allows specifying the name of the service account - that will be used by the data mover. This should only be used by advanced - users who want to override the service account normally used by the mover. - The service account needs to exist in the same namespace as this CR. - type: string - moverVolumes: - description: |- - MoverVolumes are PVCs or Secrets that should additionally be mounted to the mover job pod. - This should only be used by advanced users. - items: - properties: - mountPath: - description: |- - Path to give the volume when mounting under /mnt in the mover job pod. - For example if mountPath is 'my-pvc' then this moverVolume will be mounted in the mover pod - at /mnt/my-pvc - type: string - volumeSource: - description: volumeSource represents the secret or PersistentVolumeClaim that should be mounted to the mover pod. - properties: - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - nolint:lll - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - secret: - description: |- - secret represents a secret that should populate this volume. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - type: object - required: - - mountPath - - volumeSource - type: object - type: array - peers: - description: List of Syncthing peers to be connected for syncing - items: - description: |- - SyncthingPeer Defines the necessary information needed by VolSync - to configure a given peer with the running Syncthing instance. - properties: - ID: - description: The peer's Syncthing ID. - type: string - address: - description: The peer's address that our Syncthing node will connect to. - type: string - introducer: - description: |- - A flag that determines whether this peer should - introduce us to other peers sharing this volume. - It is HIGHLY recommended that two Syncthing peers do NOT - set each other as introducers as you will have a difficult time - disconnecting the two. - type: boolean - required: - - ID - - address - - introducer - type: object - type: array - serviceType: - description: Type of service to be used when exposing the Syncthing peer - type: string - type: object - trigger: - description: |- - trigger determines when the latest state of the volume will be captured - (and potentially replicated to the destination). 
- properties: - manual: - description: |- - manual is a string value that schedules a manual trigger. - Once a sync completes then status.lastManualSync is set to the same string value. - A consumer of a manual trigger should set spec.trigger.manual to a known value - and then wait for lastManualSync to be updated by the operator to the same value, - which means that the manual trigger will then pause and wait for further - updates to the trigger. - type: string - schedule: - description: |- - schedule is a cronspec (https://en.wikipedia.org/wiki/Cron#Overview) that - can be used to schedule replication to occur at regular, time-based - intervals. - nolint:lll - pattern: ^(@(annually|yearly|monthly|weekly|daily|hourly))|((((\d+,)*\d+|(\d+(\/|-)\d+)|\*(\/\d+)?)\s?){5})$ - type: string - type: object - type: object - status: - description: |- - status is the observed state of the ReplicationSource as determined by - the controller. - properties: - conditions: - description: |- - conditions represent the latest available observations of the - source's state. - items: - description: Condition contains details for one aspect of the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - external: - additionalProperties: - type: string - description: |- - external contains provider-specific status information. For more details, - please see the documentation of the specific replication provider being - used. - type: object - lastManualSync: - description: lastManualSync is set to the last spec.trigger.manual when the manual sync is done. - type: string - lastSyncDuration: - description: |- - lastSyncDuration is the amount of time required to send the most recent - update. - type: string - lastSyncStartTime: - description: lastSyncStartTime is the time the most recent synchronization started. - format: date-time - type: string - lastSyncTime: - description: lastSyncTime is the time of the most recent successful synchronization. 
- format: date-time - type: string - latestMoverStatus: - description: Logs/Summary from latest mover job - properties: - logs: - type: string - result: - type: string - type: object - nextSyncTime: - description: |- - nextSyncTime is the time when the next volume synchronization is - scheduled to start (for schedule-based synchronization). - format: date-time - type: string - restic: - description: restic contains status information for Restic-based replication. - properties: - lastPruned: - description: lastPruned in the object holding the time of last pruned - format: date-time - type: string - lastUnlocked: - description: |- - lastUnlocked is set to the last spec.restic.unlock when a sync is done that unlocks the - restic repository. - type: string - type: object - rsync: - description: rsync contains status information for Rsync-based replication. - properties: - address: - description: |- - address is the address to connect to for incoming SSH replication - connections. - type: string - port: - description: |- - port is the SSH port to connect to for incoming SSH replication - connections. - format: int32 - type: integer - sshKeys: - description: |- - sshKeys is the name of a Secret that contains the SSH keys to be used for - authentication. If not provided in .spec.rsync.sshKeys, SSH keys will be - generated and the appropriate keys for the remote side will be placed - here. - type: string - type: object - rsyncTLS: - description: rsyncTLS contains status information for Rsync-based replication over TLS. - properties: - keySecret: - description: |- - keySecret is the name of a Secret that contains the TLS pre-shared key to - be used for authentication. If not provided in .spec.rsyncTLS.keySecret, - the key Secret will be generated and named here. - type: string - type: object - syncthing: - description: contains status information when Syncthing-based replication is used. 
- properties: - ID: - description: Device ID of the current syncthing device - type: string - address: - description: Service address where Syncthing is exposed to the rest of the world - type: string - peers: - description: List of the Syncthing nodes we are currently connected to. - items: - description: |- - SyncthingPeerStatus Is a struct that contains information pertaining to - the status of a given Syncthing peer. - properties: - ID: - description: ID Is the peer's Syncthing ID. - type: string - address: - description: The address of the Syncthing peer. - type: string - connected: - description: Flag indicating whether peer is currently connected. - type: boolean - introducedBy: - description: The ID of the Syncthing peer that this one was introduced by. - type: string - name: - description: A friendly name to associate the given device. - type: string - required: - - ID - - address - - connected - type: object - type: array - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -# Source: volsync/charts/volsync/templates/clusterrole-manager.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: volsync-manager - labels: - helm.sh/chart: volsync-0.14.0 - app.kubernetes.io/name: volsync - app.kubernetes.io/instance: volsync - app.kubernetes.io/version: "0.14.0" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - apps - resources: - - deployments - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - 
resources: - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - persistentvolumeclaims/finalizers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - patch - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods/log - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - events.k8s.io - resources: - - events - verbs: - - create - - patch - - update -- apiGroups: - - populator.storage.k8s.io - resources: - - volumepopulators - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - security.openshift.io - resourceNames: - - volsync-privileged-mover - resources: - - securitycontextconstraints - verbs: - - use -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - verbs: - - create - - delete - - deletecollection - - get - - 
list - - patch - - update - - watch -- apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch -- apiGroups: - - volsync.backube - resources: - - replicationdestinations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - volsync.backube - resources: - - replicationdestinations/finalizers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - volsync.backube - resources: - - replicationdestinations/status - verbs: - - get - - patch - - update -- apiGroups: - - volsync.backube - resources: - - replicationsources - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - volsync.backube - resources: - - replicationsources/finalizers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - volsync.backube - resources: - - replicationsources/status - verbs: - - get - - patch - - update ---- -# Source: volsync/charts/volsync/templates/clusterrolebinding-manager.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: volsync-manager - labels: - helm.sh/chart: volsync-0.14.0 - app.kubernetes.io/name: volsync - app.kubernetes.io/instance: volsync - app.kubernetes.io/version: "0.14.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: volsync-manager -subjects: -- kind: ServiceAccount - name: volsync - namespace: volsync ---- -# Source: volsync/charts/volsync/templates/role-leader-election.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: volsync-leader-election - labels: - helm.sh/chart: volsync-0.14.0 - app.kubernetes.io/name: volsync - app.kubernetes.io/instance: volsync - app.kubernetes.io/version: "0.14.0" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - 
create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -# Source: volsync/charts/volsync/templates/rolebinding-leader-election.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: volsync-leader-election - labels: - helm.sh/chart: volsync-0.14.0 - app.kubernetes.io/name: volsync - app.kubernetes.io/instance: volsync - app.kubernetes.io/version: "0.14.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: volsync-leader-election -subjects: -- kind: ServiceAccount - name: volsync - namespace: volsync ---- -# Source: volsync/charts/volsync/templates/service-metrics.yaml -apiVersion: v1 -kind: Service -metadata: - name: volsync-metrics - labels: - control-plane: volsync-controller - helm.sh/chart: volsync-0.14.0 - app.kubernetes.io/name: volsync - app.kubernetes.io/instance: volsync - app.kubernetes.io/version: "0.14.0" - app.kubernetes.io/managed-by: Helm -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - control-plane: volsync-controller ---- -# Source: volsync/charts/volsync/templates/deployment-controller.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: volsync - labels: - control-plane: volsync-controller - helm.sh/chart: volsync-0.14.0 - app.kubernetes.io/name: volsync - app.kubernetes.io/instance: volsync - app.kubernetes.io/version: "0.14.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 3 - selector: - matchLabels: - control-plane: volsync-controller - app.kubernetes.io/name: volsync - app.kubernetes.io/instance: volsync - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: manager - labels: - control-plane: volsync-controller - app.kubernetes.io/name: volsync - app.kubernetes.io/instance: volsync 
- spec: - serviceAccountName: volsync - # The default for podSecurityContext is moved here so that we can probe - # the cluster and and adjust the template - securityContext: - runAsNonRoot: true - # When not OpenShift, we need to set the UID - runAsUser: 65534 - runAsGroup: 65534 - seccompProfile: - type: RuntimeDefault - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - readOnlyRootFilesystem: true - image: "quay.io/brancz/kube-rbac-proxy:v0.19.0" - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - "--tls-min-version=VersionTLS12" - - --v=0 - - --ignore-paths=/metrics - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --rclone-container-image=quay.io/backube/volsync:0.14.0 - - --restic-container-image=quay.io/backube/volsync:0.14.0 - - --rsync-container-image=quay.io/backube/volsync:0.14.0 - - --rsync-tls-container-image=quay.io/backube/volsync:0.14.0 - - --syncthing-container-image=quay.io/backube/volsync:0.14.0 - - --scc-name=volsync-privileged-mover - command: - - /manager - image: "quay.io/backube/volsync:0.14.0" - imagePullPolicy: IfNotPresent - env: - - name: VOLSYNC_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 1000m - memory: 1Gi - requests: - cpu: 10m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - name: tempdir - mountPath: /tmp - 
terminationGracePeriodSeconds: 10 - volumes: - - name: tempdir - emptyDir: - medium: "Memory"
diff --git a/clusters/cl01tl/manifests/whodb/whodb.yaml b/clusters/cl01tl/manifests/whodb/whodb.yaml
deleted file mode 100644
index dcae7b608..000000000
--- a/clusters/cl01tl/manifests/whodb/whodb.yaml
+++ /dev/null
@@ -1,105 +0,0 @@ ---- -# Source: whodb/charts/whodb/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: whodb - labels: - app.kubernetes.io/instance: whodb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: whodb - app.kubernetes.io/service: whodb - helm.sh/chart: whodb-4.4.0 - namespace: whodb -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8080 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: whodb - app.kubernetes.io/name: whodb ---- -# Source: whodb/charts/whodb/templates/common.yaml ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: whodb - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: whodb - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: whodb - helm.sh/chart: whodb-4.4.0 - namespace: whodb -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: whodb - app.kubernetes.io/instance: whodb - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: whodb - app.kubernetes.io/name: whodb - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: WHODB_OLLAMA_HOST - value: ollama-server-2.ollama - - name: WHODB_OLLAMA_PORT - value: "11434" - image: clidey/whodb:0.81.0 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi ---- -# Source: whodb/templates/http-route.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: http-route-whodb - namespace: whodb - labels: - app.kubernetes.io/name: http-route-whodb - app.kubernetes.io/instance: whodb - app.kubernetes.io/part-of: whodb -spec: - parentRefs: - - group: gateway.networking.k8s.io - 
kind: Gateway - name: traefik-gateway - namespace: traefik - hostnames: - - whodb.alexlebens.net - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' - kind: Service - name: whodb - port: 80 - weight: 100
diff --git a/clusters/cl01tl/manifests/yamtrack/yamtrack.yaml b/clusters/cl01tl/manifests/yamtrack/yamtrack.yaml
deleted file mode 100644
index 2ea107aa5..000000000
--- a/clusters/cl01tl/manifests/yamtrack/yamtrack.yaml
+++ /dev/null
@@ -1,816 +0,0 @@ ---- -# Source: yamtrack/charts/yamtrack/templates/common.yaml -apiVersion: v1 -kind: Service -metadata: - name: yamtrack - labels: - app.kubernetes.io/instance: yamtrack - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: yamtrack - app.kubernetes.io/service: yamtrack - helm.sh/chart: yamtrack-4.4.0 - namespace: yamtrack -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8000 - protocol: TCP - name: http - selector: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: yamtrack - app.kubernetes.io/name: yamtrack ---- -# Source: yamtrack/charts/yamtrack/templates/common.yaml ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: yamtrack - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: yamtrack - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: yamtrack - helm.sh/chart: yamtrack-4.4.0 - namespace: yamtrack -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: yamtrack - app.kubernetes.io/instance: yamtrack - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: yamtrack - app.kubernetes.io/name: yamtrack - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - env: - - name: TZ - value: US/Central - - name: URLS - value: https://yamtrack.alexlebens.net - - name: REGISTRATION - value: "false" - - name: SOCIAL_PROVIDERS - value: allauth.socialaccount.providers.openid_connect - - name: SOCIALACCOUNT_PROVIDERS - valueFrom: - secretKeyRef: - key: SOCIALACCOUNT_PROVIDERS - name: yamtrack-oidc-secret - - name: SECRET - valueFrom: - secretKeyRef: - key: SECRET - name: yamtrack-config-secret - - name: REDIS_URL - value: redis://redis-replication-yamtrack-master.yamtrack:6379 - - 
name: DB_USER - valueFrom: - secretKeyRef: - key: username - name: yamtrack-postgresql-17-cluster-app - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: yamtrack-postgresql-17-cluster-app - - name: DB_NAME - valueFrom: - secretKeyRef: - key: dbname - name: yamtrack-postgresql-17-cluster-app - - name: DB_HOST - valueFrom: - secretKeyRef: - key: host - name: yamtrack-postgresql-17-cluster-app - - name: DB_PORT - valueFrom: - secretKeyRef: - key: port - name: yamtrack-postgresql-17-cluster-app - image: ghcr.io/fuzzygrim/yamtrack:0.24.8 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 256Mi ---- -# Source: yamtrack/charts/postgres-17-cluster/templates/cluster.yaml -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: yamtrack-postgresql-17-cluster - namespace: yamtrack - labels: - helm.sh/chart: postgres-17-cluster-6.16.1 - app.kubernetes.io/name: yamtrack-postgresql-17 - app.kubernetes.io/instance: yamtrack - app.kubernetes.io/part-of: yamtrack - app.kubernetes.io/version: "6.16.1" - app.kubernetes.io/managed-by: Helm -spec: - instances: 3 - imageName: "ghcr.io/cloudnative-pg/postgresql:17.7-standard-trixie" - imagePullPolicy: IfNotPresent - postgresUID: 26 - postgresGID: 26 - plugins: - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "yamtrack-postgresql-17-external-backup" - serverName: "yamtrack-postgresql-17-backup-2" - - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: true - parameters: - barmanObjectName: "yamtrack-postgresql-17-garage-local-backup" - serverName: "yamtrack-postgresql-17-backup-1" - - externalClusters: - - name: recovery - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: - barmanObjectName: "yamtrack-postgresql-17-recovery" - serverName: yamtrack-postgresql-17-backup-1 - - storage: - size: 10Gi - storageClass: local-path - walStorage: - size: 2Gi - storageClass: 
local-path - resources: - limits: - hugepages-2Mi: 256Mi - requests: - cpu: 100m - memory: 256Mi - - affinity: - enablePodAntiAffinity: true - topologyKey: kubernetes.io/hostname - - primaryUpdateMethod: switchover - primaryUpdateStrategy: unsupervised - logLevel: info - enableSuperuserAccess: false - enablePDB: true - - postgresql: - parameters: - hot_standby_feedback: "on" - max_slot_wal_keep_size: 2000MB - shared_buffers: 128MB - - monitoring: - enablePodMonitor: true - disableDefaultQueries: false - - - bootstrap: - recovery: - - database: app - - source: yamtrack-postgresql-17-backup-1 - - externalClusters: - - name: yamtrack-postgresql-17-backup-1 - plugin: - name: barman-cloud.cloudnative-pg.io - enabled: true - isWALArchiver: false - parameters: - barmanObjectName: "yamtrack-postgresql-17-recovery" - serverName: yamtrack-postgresql-17-backup-1 ---- -# Source: yamtrack/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: yamtrack-config-secret - namespace: yamtrack - labels: - app.kubernetes.io/name: yamtrack-config-secret - app.kubernetes.io/instance: yamtrack - app.kubernetes.io/part-of: yamtrack -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: SECRET - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/yamtrack/config - metadataPolicy: None - property: SECRET ---- -# Source: yamtrack/templates/external-secret.yaml -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: yamtrack-oidc-secret - namespace: yamtrack - labels: - app.kubernetes.io/name: yamtrack-oidc-secret - app.kubernetes.io/instance: yamtrack - app.kubernetes.io/part-of: yamtrack -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: SOCIALACCOUNT_PROVIDERS - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /authentik/oidc/yamtrack - metadataPolicy: None - property: SOCIALACCOUNT_PROVIDERS 
----
-# Source: yamtrack/templates/external-secret.yaml
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: yamtrack-postgresql-17-cluster-backup-secret
- namespace: yamtrack
- labels:
- app.kubernetes.io/name: yamtrack-postgresql-17-cluster-backup-secret
- app.kubernetes.io/instance: yamtrack
- app.kubernetes.io/part-of: yamtrack
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault
- data:
- - secretKey: ACCESS_KEY_ID
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /digital-ocean/home-infra/postgres-backups
- metadataPolicy: None
- property: access
- - secretKey: ACCESS_SECRET_KEY
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /digital-ocean/home-infra/postgres-backups
- metadataPolicy: None
- property: secret
----
-# Source: yamtrack/templates/external-secret.yaml
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: yamtrack-postgresql-17-cluster-backup-secret-garage
- namespace: yamtrack
- labels:
- app.kubernetes.io/name: yamtrack-postgresql-17-cluster-backup-secret-garage
- app.kubernetes.io/instance: yamtrack
- app.kubernetes.io/part-of: yamtrack
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault
- data:
- - secretKey: ACCESS_KEY_ID
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /garage/home-infra/postgres-backups
- metadataPolicy: None
- property: ACCESS_KEY_ID
- - secretKey: ACCESS_SECRET_KEY
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /garage/home-infra/postgres-backups
- metadataPolicy: None
- property: ACCESS_SECRET_KEY
- - secretKey: ACCESS_REGION
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /garage/home-infra/postgres-backups
- metadataPolicy: None
- property: ACCESS_REGION
----
-# Source: yamtrack/templates/http-route.yaml
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: http-route-yamtrack
- namespace: yamtrack
- labels:
- app.kubernetes.io/name: http-route-yamtrack
- app.kubernetes.io/instance: yamtrack
- app.kubernetes.io/part-of: yamtrack
-spec:
- parentRefs:
- - group: gateway.networking.k8s.io
- kind: Gateway
- name: traefik-gateway
- namespace: traefik
- hostnames:
- - yamtrack.alexlebens.net
- rules:
- - matches:
- - path:
- type: PathPrefix
- value: /
- backendRefs:
- - group: ''
- kind: Service
- name: yamtrack
- port: 80
- weight: 100
----
-# Source: yamtrack/charts/postgres-17-cluster/templates/object-store.yaml
-apiVersion: barmancloud.cnpg.io/v1
-kind: ObjectStore
-metadata:
- name: "yamtrack-postgresql-17-external-backup"
- namespace: yamtrack
- labels:
- helm.sh/chart: postgres-17-cluster-6.16.1
- app.kubernetes.io/name: yamtrack-postgresql-17
- app.kubernetes.io/instance: yamtrack
- app.kubernetes.io/part-of: yamtrack
- app.kubernetes.io/version: "6.16.1"
- app.kubernetes.io/managed-by: Helm
-spec:
- retentionPolicy: 30d
- configuration:
- destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/yamtrack/yamtrack-postgresql-17-cluster
- endpointURL: https://nyc3.digitaloceanspaces.com
- s3Credentials:
- accessKeyId:
- name: yamtrack-postgresql-17-cluster-backup-secret
- key: ACCESS_KEY_ID
- secretAccessKey:
- name: yamtrack-postgresql-17-cluster-backup-secret
- key: ACCESS_SECRET_KEY
----
-# Source: yamtrack/charts/postgres-17-cluster/templates/object-store.yaml
-apiVersion: barmancloud.cnpg.io/v1
-kind: ObjectStore
-metadata:
- name: "yamtrack-postgresql-17-garage-local-backup"
- namespace: yamtrack
- labels:
- helm.sh/chart: postgres-17-cluster-6.16.1
- app.kubernetes.io/name: yamtrack-postgresql-17
- app.kubernetes.io/instance: yamtrack
- app.kubernetes.io/part-of: yamtrack
- app.kubernetes.io/version: "6.16.1"
- app.kubernetes.io/managed-by: Helm
-spec:
- retentionPolicy: 3d
- configuration:
- destinationPath: s3://postgres-backups/cl01tl/yamtrack/yamtrack-postgresql-17-cluster
- endpointURL: http://garage-main.garage:3900
- s3Credentials:
- accessKeyId:
- name: yamtrack-postgresql-17-cluster-backup-secret-garage
- key: ACCESS_KEY_ID
- secretAccessKey:
- name: yamtrack-postgresql-17-cluster-backup-secret-garage
- key: ACCESS_SECRET_KEY
- region:
- name: yamtrack-postgresql-17-cluster-backup-secret-garage
- key: ACCESS_REGION
----
-# Source: yamtrack/charts/postgres-17-cluster/templates/object-store.yaml
-apiVersion: barmancloud.cnpg.io/v1
-kind: ObjectStore
-metadata:
- name: "yamtrack-postgresql-17-recovery"
- namespace: yamtrack
- labels:
- helm.sh/chart: postgres-17-cluster-6.16.1
- app.kubernetes.io/name: yamtrack-postgresql-17
- app.kubernetes.io/instance: yamtrack
- app.kubernetes.io/part-of: yamtrack
- app.kubernetes.io/version: "6.16.1"
- app.kubernetes.io/managed-by: Helm
-spec:
- configuration:
- destinationPath: s3://postgres-backups/cl01tl/yamtrack/yamtrack-postgresql-17-cluster
- endpointURL: http://garage-main.garage:3900
- wal:
- compression: snappy
- maxParallel: 1
- data:
- compression: snappy
- jobs: 1
- s3Credentials:
- accessKeyId:
- name: yamtrack-postgresql-17-cluster-backup-secret-garage
- key: ACCESS_KEY_ID
- secretAccessKey:
- name: yamtrack-postgresql-17-cluster-backup-secret-garage
- key: ACCESS_SECRET_KEY
----
-# Source: yamtrack/charts/postgres-17-cluster/templates/prometheus-rule.yaml
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
- name: yamtrack-postgresql-17-alert-rules
- namespace: yamtrack
- labels:
- helm.sh/chart: postgres-17-cluster-6.16.1
- app.kubernetes.io/name: yamtrack-postgresql-17
- app.kubernetes.io/instance: yamtrack
- app.kubernetes.io/part-of: yamtrack
- app.kubernetes.io/version: "6.16.1"
- app.kubernetes.io/managed-by: Helm
-spec:
- groups:
- - name: cloudnative-pg/yamtrack-postgresql-17
- rules:
- - alert: CNPGClusterBackendsWaitingWarning
- annotations:
- summary: CNPG Cluster a backend is waiting for longer than 5 minutes.
- description: |- - Pod {{ $labels.pod }} - has been waiting for longer than 5 minutes - expr: | - cnpg_backends_waiting_total > 300 - for: 1m - labels: - severity: warning - namespace: yamtrack - cnpg_cluster: yamtrack-postgresql-17-cluster - - alert: CNPGClusterDatabaseDeadlockConflictsWarning - annotations: - summary: CNPG Cluster has over 10 deadlock conflicts. - description: |- - There are over 10 deadlock conflicts in - {{ $labels.pod }} - expr: | - cnpg_pg_stat_database_deadlocks > 10 - for: 1m - labels: - severity: warning - namespace: yamtrack - cnpg_cluster: yamtrack-postgresql-17-cluster - - alert: CNPGClusterHACritical - annotations: - summary: CNPG Cluster has no standby replicas! - description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe - risk of data loss and downtime if the primary instance fails. - - The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint - will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. - - This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less - instances. The replaced instance may need some time to catch-up with the cluster primary instance. - - This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this - case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="yamtrack"} - cnpg_pg_replication_is_wal_receiver_up{namespace="yamtrack"}) < 1 - for: 5m - labels: - severity: critical - namespace: yamtrack - cnpg_cluster: yamtrack-postgresql-17-cluster - - alert: CNPGClusterHAWarning - annotations: - summary: CNPG Cluster less than 2 standby replicas. 
- description: |- - CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting - your cluster at risk if another instance fails. The cluster is still able to operate normally, although - the `-ro` and `-r` endpoints operate at reduced capacity. - - This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may - need some time to catch-up with the cluster primary instance. - - This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. - In this case you may want to silence it. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md - expr: | - max by (job) (cnpg_pg_replication_streaming_replicas{namespace="yamtrack"} - cnpg_pg_replication_is_wal_receiver_up{namespace="yamtrack"}) < 2 - for: 5m - labels: - severity: warning - namespace: yamtrack - cnpg_cluster: yamtrack-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsCritical - annotations: - summary: CNPG Instance maximum number of connections critical! - description: |- - CloudNativePG Cluster "yamtrack/yamtrack-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="yamtrack", pod=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="yamtrack", pod=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 95 - for: 5m - labels: - severity: critical - namespace: yamtrack - cnpg_cluster: yamtrack-postgresql-17-cluster - - alert: CNPGClusterHighConnectionsWarning - annotations: - summary: CNPG Instance is approaching the maximum number of connections. 
- description: |- - CloudNativePG Cluster "yamtrack/yamtrack-postgresql-17-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of - the maximum number of connections. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md - expr: | - sum by (pod) (cnpg_backends_total{namespace="yamtrack", pod=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="yamtrack", pod=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$"}) * 100 > 80 - for: 5m - labels: - severity: warning - namespace: yamtrack - cnpg_cluster: yamtrack-postgresql-17-cluster - - alert: CNPGClusterHighReplicationLag - annotations: - summary: CNPG Cluster high replication lag - description: |- - CloudNativePG Cluster "yamtrack/yamtrack-postgresql-17-cluster" is experiencing a high replication lag of - {{`{{`}} $value {{`}}`}}ms. - - High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. - runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md - expr: | - max(cnpg_pg_replication_lag{namespace="yamtrack",pod=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 - for: 5m - labels: - severity: warning - namespace: yamtrack - cnpg_cluster: yamtrack-postgresql-17-cluster - - alert: CNPGClusterInstancesOnSameNode - annotations: - summary: CNPG Cluster instances are located on the same node. - description: |- - CloudNativePG Cluster "yamtrack/yamtrack-postgresql-17-cluster" has {{`{{`}} $value {{`}}`}} - instances on the same node {{`{{`}} $labels.node {{`}}`}}. - - A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md
- expr: |
- count by (node) (kube_pod_info{namespace="yamtrack", pod=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$"}) > 1
- for: 5m
- labels:
- severity: warning
- namespace: yamtrack
- cnpg_cluster: yamtrack-postgresql-17-cluster
- - alert: CNPGClusterLongRunningTransactionWarning
- annotations:
- summary: CNPG Cluster query is taking longer than 5 minutes.
- description: |-
- CloudNativePG Cluster Pod {{ $labels.pod }}
- is taking more than 5 minutes (300 seconds) for a query.
- expr: |-
- cnpg_backends_max_tx_duration_seconds > 300
- for: 1m
- labels:
- severity: warning
- namespace: yamtrack
- cnpg_cluster: yamtrack-postgresql-17-cluster
- - alert: CNPGClusterLowDiskSpaceCritical
- annotations:
- summary: CNPG Instance is running out of disk space!
- description: |-
- CloudNativePG Cluster "yamtrack/yamtrack-postgresql-17-cluster" is running extremely low on disk space. Check attached PVCs!
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="yamtrack", persistentvolumeclaim=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="yamtrack", persistentvolumeclaim=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.9 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="yamtrack", persistentvolumeclaim=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="yamtrack", persistentvolumeclaim=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="yamtrack", persistentvolumeclaim=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="yamtrack", persistentvolumeclaim=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.9 - for: 5m - labels: - severity: critical - namespace: yamtrack - cnpg_cluster: yamtrack-postgresql-17-cluster - - alert: CNPGClusterLowDiskSpaceWarning - annotations: - summary: CNPG Instance is running out of disk space. - description: |- - CloudNativePG Cluster "yamtrack/yamtrack-postgresql-17-cluster" is running low on disk space. Check attached PVCs. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md - expr: | - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="yamtrack", persistentvolumeclaim=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="yamtrack", persistentvolumeclaim=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$"})) > 0.7 OR - max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="yamtrack", persistentvolumeclaim=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="yamtrack", persistentvolumeclaim=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR - max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="yamtrack", persistentvolumeclaim=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - / - sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="yamtrack", persistentvolumeclaim=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$-tbs.*"}) - * - on(namespace, persistentvolumeclaim) group_left(volume) - kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$"} - ) > 0.7 - for: 5m - labels: - severity: warning - namespace: yamtrack - cnpg_cluster: yamtrack-postgresql-17-cluster - - alert: CNPGClusterOffline - annotations: - summary: CNPG Cluster has no running instances! - description: |- - CloudNativePG Cluster "yamtrack/yamtrack-postgresql-17-cluster" has no ready instances. - - Having an offline cluster means your applications will not be able to access the database, leading to - potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md - expr: | - (count(cnpg_collector_up{namespace="yamtrack",pod=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 - for: 5m - labels: - severity: critical - namespace: yamtrack - cnpg_cluster: yamtrack-postgresql-17-cluster - - alert: CNPGClusterPGDatabaseXidAgeWarning - annotations: - summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. - description: |- - Over 300,000,000 transactions from frozen xid - on pod {{ $labels.pod }} - expr: | - cnpg_pg_database_xid_age > 300000000 - for: 1m - labels: - severity: warning - namespace: yamtrack - cnpg_cluster: yamtrack-postgresql-17-cluster - - alert: CNPGClusterPGReplicationWarning - annotations: - summary: CNPG Cluster standby is lagging behind the primary. - description: |- - Standby is lagging behind by over 300 seconds (5 minutes) - expr: | - cnpg_pg_replication_lag > 300 - for: 1m - labels: - severity: warning - namespace: yamtrack - cnpg_cluster: yamtrack-postgresql-17-cluster - - alert: CNPGClusterReplicaFailingReplicationWarning - annotations: - summary: CNPG Cluster has a replica is failing to replicate. - description: |- - Replica {{ $labels.pod }} - is failing to replicate - expr: | - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 1m - labels: - severity: warning - namespace: yamtrack - cnpg_cluster: yamtrack-postgresql-17-cluster - - alert: CNPGClusterZoneSpreadWarning - annotations: - summary: CNPG Cluster instances in the same zone. - description: |- - CloudNativePG Cluster "yamtrack/yamtrack-postgresql-17-cluster" has instances in the same availability zone. - - A disaster in one availability zone will lead to a potential service disruption and/or data loss. 
- runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md
- expr: |
- 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="yamtrack", pod=~"yamtrack-postgresql-17-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3
- for: 5m
- labels:
- severity: warning
- namespace: yamtrack
- cnpg_cluster: yamtrack-postgresql-17-cluster
----
-# Source: yamtrack/templates/redis-replication.yaml
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
- name: redis-replication-yamtrack
- namespace: yamtrack
- labels:
- app.kubernetes.io/name: redis-replication-yamtrack
- app.kubernetes.io/instance: yamtrack
- app.kubernetes.io/part-of: yamtrack
-spec:
- clusterSize: 3
- podSecurityContext:
- runAsUser: 1000
- fsGroup: 1000
- kubernetesConfig:
- image: quay.io/opstree/redis:v8.0.3
- imagePullPolicy: IfNotPresent
- resources:
- requests:
- cpu: 50m
- memory: 128Mi
- storage:
- volumeClaimTemplate:
- spec:
- storageClassName: ceph-block
- accessModes: ["ReadWriteOnce"]
- resources:
- requests:
- storage: 1Gi
- redisExporter:
- enabled: true
- image: quay.io/opstree/redis-exporter:v1.48.0
----
-# Source: yamtrack/charts/postgres-17-cluster/templates/scheduled-backup.yaml
-apiVersion: postgresql.cnpg.io/v1
-kind: ScheduledBackup
-metadata:
- name: "yamtrack-postgresql-17-daily-backup-scheduled-backup"
- namespace: yamtrack
- labels:
- helm.sh/chart: postgres-17-cluster-6.16.1
- app.kubernetes.io/name: yamtrack-postgresql-17
- app.kubernetes.io/instance: yamtrack
- app.kubernetes.io/part-of: yamtrack
- app.kubernetes.io/version: "6.16.1"
- app.kubernetes.io/managed-by: Helm
-spec:
- immediate: false
- suspend: false
- schedule: "0 0 0 * * *"
- backupOwnerReference: self
- cluster:
- name: yamtrack-postgresql-17-cluster
- method: plugin
- pluginConfiguration:
- name: barman-cloud.cloudnative-pg.io
- parameters:
- barmanObjectName: "yamtrack-postgresql-17-external-backup"
----
-# Source: yamtrack/charts/postgres-17-cluster/templates/scheduled-backup.yaml
-apiVersion: postgresql.cnpg.io/v1
-kind: ScheduledBackup
-metadata:
- name: "yamtrack-postgresql-17-live-backup-scheduled-backup"
- namespace: yamtrack
- labels:
- helm.sh/chart: postgres-17-cluster-6.16.1
- app.kubernetes.io/name: yamtrack-postgresql-17
- app.kubernetes.io/instance: yamtrack
- app.kubernetes.io/part-of: yamtrack
- app.kubernetes.io/version: "6.16.1"
- app.kubernetes.io/managed-by: Helm
-spec:
- immediate: true
- suspend: false
- schedule: "0 0 0 * * *"
- backupOwnerReference: self
- cluster:
- name: yamtrack-postgresql-17-cluster
- method: plugin
- pluginConfiguration:
- name: barman-cloud.cloudnative-pg.io
- parameters:
- barmanObjectName: "yamtrack-postgresql-17-garage-local-backup"
----
-# Source: yamtrack/templates/service-monitor.yaml
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: redis-replication-yamtrack
- namespace: yamtrack
- labels:
- app.kubernetes.io/name: redis-replication-yamtrack
- app.kubernetes.io/instance: yamtrack
- app.kubernetes.io/part-of: yamtrack
- redis-operator: "true"
- env: production
-spec:
- selector:
- matchLabels:
- redis_setup_type: replication
- endpoints:
- - port: redis-exporter
- interval: 30s
- scrapeTimeout: 10s